Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 10. Blocking and allowing applications by using fapolicyd

Setting and enforcing a policy that either allows or denies application execution based on a rule set efficiently prevents the execution of unknown and potentially malicious software.

10.1. The fapolicyd framework structure
Copier lien

The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system.

10.1.1. Components and trust
Copier lien

The fapolicyd framework provides the following components:

  • fapolicyd service
  • fapolicyd command-line utilities
  • fapolicyd RPM plugin
  • fapolicyd rule language
  • fagenrules script

The administrator can define allow and deny execution rules for any application with the option to audit based on a path, hash, MIME type, or trust.

The fapolicyd framework introduces the concept of trust. An application is trusted when the system package manager correctly installs it and therefore registered in the system RPM database. The fapolicyd daemon uses the RPM database as a list of trusted binaries and scripts.

The fapolicyd RPM plugin registers any system update that is handled by either the DNF or RPM package manager. The plugin notifies the fapolicyd daemon about changes in this database. Other ways of adding applications require the creation of custom rules and restarting the fapolicyd service.

For more information, see the fapolicyd-related man pages listed by using the man -k fapolicyd command on your system.

10.1.2. Configuration files and directories
Copier lien

The fapolicyd service configuration is located in the /etc/fapolicyd/ directory with the following structure:

  • The /etc/fapolicyd/fapolicyd.trust file contains a list of trusted files. You can also use multiple trust files in the /etc/fapolicyd/trust.d/ directory.
  • The /etc/fapolicyd/rules.d/ directory contains files with allow and deny execution rules. The fagenrules script merges these component rules files to the /etc/fapolicyd/compiled.rules file.
  • The fapolicyd.conf file contains the daemon’s configuration options. This file is useful primarily for performance-tuning purposes.

10.1.3. Rules
Copier lien

Rules in /etc/fapolicyd/rules.d/ are organized in several files, each representing a different policy goal. The numbers at the beginning of the corresponding file names determine the order in /etc/fapolicyd/compiled.rules:

10
Language rules.
20
Dracut-related Rules.
21
Rules for updaters.
30
Patterns.
40
ELF rules.
41
Shared objects rules.
42
Trusted ELF rules.
70
Trusted language rules.
72
Shell rules.
90
Deny execute rules.
95
Allow open rules.

For more information and examples, see the documentation installed with the fapolicyd package in the /usr/share/doc/fapolicyd/ directory, the /usr/share/fapolicyd/sample-rules/README-rules file, and the fapolicyd.rules(5) and fagenrules(8) man pages on your system.

10.1.4. Integrity checking
Copier lien

You can use one of the following ways for fapolicyd integrity checking:

  • File-size checking
  • Comparing SHA-256 hashes
  • Integrity Measurement Architecture (IMA) subsystem

By default, fapolicyd does no integrity checking. Integrity checking based on the file size is fast, but an attacker can replace the content of the file and preserve its byte size. Computing and checking SHA-256 checksums is more secure, but it affects the performance of the system. The integrity = ima option in fapolicyd.conf requires support for files' extended attributes (also known as xattr) on all file systems containing executable files.

10.2. Deploying fapolicyd
Copier lien

When deploying the fapolicyd application allowlisting framework, you can either try your configuration in permissive mode first or directly enable the service in the default configuration.

Procedure

  1. Install the fapolicyd package: 

    # dnf install fapolicyd
    Copy to Clipboard Toggle word wrap

  2. Set the Audit subsystem for recording fapolicyd events: 

    # auditctl -w /etc/fapolicyd/ -p wa -k fapolicyd_changes
# service try-restart auditd
    Copy to Clipboard Toggle word wrap

  3. Optional: To try your configuration first, change mode to permissive.

    1. Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice, for example: 

      # vi /etc/fapolicyd/fapolicyd.conf
      Copy to Clipboard Toggle word wrap

    2. Change the value of the permissive option from 0 to 1, save the file, and exit the editor: 

      permissive = 1
      Copy to Clipboard Toggle word wrap

      Alternatively, you can debug your configuration by using the fapolicyd --debug-deny --permissive command before you start the service. See the Troubleshooting problems related to fapolicyd section for more information.

  4. Enable and start the fapolicyd service: 

    # systemctl enable --now fapolicyd
    Copy to Clipboard Toggle word wrap

  5. If you enabled permissive mode through /etc/fapolicyd/fapolicyd.conf:

    1. Use your applications.

    2. Check Audit logs for fanotify denials, for example: 

      # ausearch -ts recent -m fanotify
      Copy to Clipboard Toggle word wrap

    3. When debugged, disable permissive mode by changing the corresponding value back to permissive = 0, and restart the service: 

      # systemctl restart fapolicyd
      Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the fapolicyd service is running correctly: 

    # systemctl status fapolicyd
● fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; enabled; preset: disabled)
     Active: active (running) since Tue 2024-10-08 05:53:50 EDT; 11s ago
…
Oct 08 05:53:51 machine1.example.com fapolicyd[4974]: Loading trust data from rpmdb backend
Oct 08 05:53:51 machine1.example.com fapolicyd[4974]: Loading trust data from file backend
Oct 08 05:53:51 machine1.example.com fapolicyd[4974]: Starting to listen for events
    Copy to Clipboard Toggle word wrap

  2. Log in as a user without root privileges, and check that fapolicyd is working, for example: 

    $ cp /bin/ls /tmp
$ /tmp/ls
bash: /tmp/ls: Operation not permitted
    Copy to Clipboard Toggle word wrap

The fapolicyd framework trusts files contained in the RPM database. You can mark additional files as trusted by modifying sources of trust.

You can modify the /etc/fapolicyd/fapolicyd.trust plain text file or files in the /etc/fapolicyd/trust.d directory, either directly using a text editor or through fapolicyd-cli commands. See the fapolicyd.trust(13) and fapolicyd-cli(8) man pages on your system for more details.

Note

For performance reasons, mark files as trusted using fapolicyd.trust or trust.d/ rather than write custom fapolicyd rules.

Prerequisites

  • The fapolicyd framework is deployed on your system.

Procedure

  1. Copy your custom binary to the required directory, for example: 

    $ cp /bin/ls /tmp
$ /tmp/ls
bash: /tmp/ls: Operation not permitted
    Copy to Clipboard Toggle word wrap

  2. Mark your custom binary as trusted, and store the corresponding entry to the myapp file in /etc/fapolicyd/trust.d/: 

    # fapolicyd-cli --file add /tmp/ls --trust-file myapp
    Copy to Clipboard Toggle word wrap
    • If you skip the --trust-file option, then the previous command adds the corresponding line to /etc/fapolicyd/fapolicyd.trust.

    • To mark all existing files in a directory as trusted, provide the directory path as an argument of the --file option, for example: 

      # fapolicyd-cli --file add /tmp/my_bin_dir/ --trust-file myapp
      Copy to Clipboard Toggle word wrap

  3. Update the fapolicyd database: 

    # fapolicyd-cli --update
    Copy to Clipboard Toggle word wrap
    Note

    Changing the content of a trusted file or directory changes its checksum, and therefore,fapolicyd no longer considers it trusted.

    To restore trust in the new content, refresh the file trust database by using the fapolicyd-cli --file update command. If you do not provide any argument, the entire database refreshes. Alternatively, you can specify a path to a specific file or directory. Then, update the database by using fapolicyd-cli --update.

Verification

  1. Check that you can execute your custom binary, for example: 

    $ /tmp/ls
ls
    Copy to Clipboard Toggle word wrap

10.4. Adding custom allow and deny rules for fapolicyd
Copier lien

The default set of fapolicyd rules does not affect system functions. For custom scenarios, such as storing binaries and scripts in a non-standard directory or adding applications without the DNF or RPM installers, you must either mark additional files as trusted or add new custom rules.

For basic scenarios, see Marking files as trusted using an additional source of trust. In more advanced scenarios such as allowing to execute a custom binary only for specific user and group identifiers, add new custom rules to the /etc/fapolicyd/rules.d/ directory.

The following steps demonstrate adding a new rule to allow a custom binary.

For more information and examples, see the documentation installed with the fapolicyd package in the /usr/share/doc/fapolicyd/ directory, the /usr/share/fapolicyd/sample-rules/README-rules file, and the fapolicyd.rules(5) and fagenrules(8) man pages on your system.

Prerequisites

  • The fapolicyd framework is deployed on your system.

Procedure

  1. Copy your custom binary to the required directory, for example: 

    $ cp /bin/ls /tmp
$ /tmp/ls
bash: /tmp/ls: Operation not permitted
    Copy to Clipboard Toggle word wrap

  2. Stop the fapolicyd service: 

    # systemctl stop fapolicyd
    Copy to Clipboard Toggle word wrap

  3. Use debug mode to identify a corresponding rule. Because the output of the fapolicyd --debug command is verbose and you can stop it only by pressing Ctrl+C or killing the corresponding process, redirect the error output to a file. In this case, you can limit the output only to access denials by using the --debug-deny option instead of --debug: 

    # fapolicyd --debug-deny 2> fapolicy.output &
[1] 51341
    Copy to Clipboard Toggle word wrap

    Alternatively, you can run fapolicyd debug mode in another terminal.

  4. Repeat the command that fapolicyd denied: 

    $ /tmp/ls
bash: /tmp/ls: Operation not permitted
    Copy to Clipboard Toggle word wrap

  5. Stop debug mode by resuming it in the foreground and pressing Ctrl+C: 

    # fg
fapolicyd --debug 2> fapolicy.output
^C
…
    Copy to Clipboard Toggle word wrap

    Alternatively, kill the process of fapolicyd debug mode: 

    # kill 51341
    Copy to Clipboard Toggle word wrap

  6. Find a rule that denies the execution of your application: 

    # cat fapolicy.output | grep 'deny_audit'
…
rule=13 dec=deny_audit perm=execute auid=0 pid=6855 exe=/usr/bin/bash : path=/tmp/ls ftype=application/x-executable trust=0
    Copy to Clipboard Toggle word wrap

  7. Locate the file that contains a rule that denies the execution of your custom binary. In this case, the deny_audit perm=execute rule belongs to the 90-deny-execute.rules file: 

    # ls /etc/fapolicyd/rules.d/
10-languages.rules  40-bad-elf.rules	   72-shell.rules
20-dracut.rules     41-shared-obj.rules    90-deny-execute.rules
21-updaters.rules   42-trusted-elf.rules   95-allow-open.rules
30-patterns.rules   70-trusted-lang.rules


# cat /etc/fapolicyd/rules.d/90-deny-execute.rules
# Deny execution for anything untrusted

deny_audit perm=execute all : all
    Copy to Clipboard Toggle word wrap

  8. Add a new allow rule to a file that lexically precedes the rule file that contains the rule that denied the execution of your custom binary in the /etc/fapolicyd/rules.d/ directory.

    1. Create the rule file and open it in a text editor of your choice, for example: 

      # touch /etc/fapolicyd/rules.d/80-myapps.rules
# vi /etc/fapolicyd/rules.d/80-myapps.rules
      Copy to Clipboard Toggle word wrap

    2. Insert the following rule to the 80-myapps.rules file: 

      allow perm=execute exe=/usr/bin/bash trust=1 : path=/tmp/ls ftype=application/x-executable trust=0
      Copy to Clipboard Toggle word wrap

      Alternatively, you can allow executions of all binaries in the /tmp directory by adding the following rule to the rule file in /etc/fapolicyd/rules.d/: 

      allow perm=execute exe=/usr/bin/bash trust=1 : dir=/tmp/ trust=0
      Copy to Clipboard Toggle word wrap
      Important

      To make a rule effective recursively on all directories under the specified directory, add a trailing slash to the value of the dir= parameter in the rule (/tmp/ in the previous example).

  9. Prevent changes in the content of your custom binary

    1. Define the required rule using an SHA-256 checksum: 

      $ sha256sum /tmp/ls
780b75c90b2d41ea41679fcb358c892b1251b68d1927c80fbc0d9d148b25e836  ls
      Copy to Clipboard Toggle word wrap

    2. Change the rule to the following definition: 

      allow perm=execute exe=/usr/bin/bash trust=1 : sha256hash=780b75c90b2d41ea41679fcb358c892b1251b68d1927c80fbc0d9d148b25e836
      Copy to Clipboard Toggle word wrap

  10. Check that the list of compiled rules differs from the rule set in /etc/fapolicyd/rules.d/: 

    # fagenrules --check
/usr/sbin/fagenrules: Rules have changed and should be updated
    Copy to Clipboard Toggle word wrap

  11. Update the list, which is stored in the /etc/fapolicyd/compiled.rules file: 

    # fagenrules --load
    Copy to Clipboard Toggle word wrap

  12. Check that your custom rule is in the list of fapolicyd rules before the rule that denied the execution: 

    # fapolicyd-cli --list
...
13. allow perm=execute exe=/usr/bin/bash trust=1 : path=/tmp/ls ftype=application/x-executable trust=0
14. deny_audit perm=execute all : all
…
    Copy to Clipboard Toggle word wrap

  13. Start the fapolicyd service: 

    # systemctl start fapolicyd
    Copy to Clipboard Toggle word wrap

Verification

  1. Check that your custom binary can be now executed, for example: 

    $ /tmp/ls
ls
    Copy to Clipboard Toggle word wrap

10.5. Enabling fapolicyd integrity checks
Copier lien

By default, fapolicyd does not perform integrity checking. You can configure fapolicyd to perform integrity checks by comparing either file sizes or SHA-256 hashes. You can also set integrity checks by using the Integrity Measurement Architecture (IMA) subsystem.

Prerequisites

  • The fapolicyd framework is deployed on your system.

Procedure

  1. Open the /etc/fapolicyd/fapolicyd.conf file in a text editor of your choice, for example: 

    # vi /etc/fapolicyd/fapolicyd.conf
    Copy to Clipboard Toggle word wrap

  2. Change the value of the integrity option from none to sha256, save the file, and exit the editor: 

    integrity = sha256
    Copy to Clipboard Toggle word wrap

  3. Restart the fapolicyd service: 

    # systemctl restart fapolicyd
    Copy to Clipboard Toggle word wrap

Verification

  1. Back up the file used for the verification: 

    # cp /bin/more /bin/more.bak
    Copy to Clipboard Toggle word wrap

  2. Change the content of the /bin/more binary: 

    # cat /bin/less > /bin/more
    Copy to Clipboard Toggle word wrap

  3. Attempt to use the changed binary as a regular user and verify fapolicyd denies the operation: 

    # su example.user
$ /bin/more /etc/redhat-release
bash: /bin/more: Operation not permitted
    Copy to Clipboard Toggle word wrap

  4. Revert the changes: 

    # mv -f /bin/more.bak /bin/more
    Copy to Clipboard Toggle word wrap

You can automate the installation and configuration of the fapolicyd service by using the fapolicyd RHEL system role.

With this role, you can remotely configure the service to allow users to execute only trusted applications, for example, the ones which are listed in the RPM database and in an allow list. Additionally, the service can perform integrity checks before it executes an allowed application.

Prerequisites

Procedure

  1. Create a playbook file, for example, ~/playbook.yml, with the following content: 

    ---
- name: Configuring fapolicyd
  hosts: managed-node-01.example.com
  tasks:
    - name: Allow only executables installed from RPM database and specific files
      ansible.builtin.include_role:
        name: redhat.rhel_system_roles.fapolicyd
      vars:
        fapolicyd_setup_permissive: false
        fapolicyd_setup_integrity: sha256
        fapolicyd_setup_trust: rpmdb,file
        fapolicyd_add_trusted_file:
          - <path_to_allowed_command>
          - <path_to_allowed_service>
    Copy to Clipboard Toggle word wrap

    The settings specified in the example playbook include the following:

    fapolicyd_setup_permissive: <true|false>
    Enables or disables sending policy decisions to the kernel for enforcement. Set this variable for debugging and testing purposes to false.
    fapolicyd_setup_integrity: <type_type>

    Defines the integrity checking method. You can set one of the following values:

    • none (default): Disables integrity checking.
    • size: The service compares only the file sizes of allowed applications.
    • ima: The service checks the SHA-256 hash that the kernel’s Integrity Measurement Architecture (IMA) stored in a file’s extended attribute. Additionally, the service performs a size check. Note that the role does not configure the IMA kernel subsystem. To use this option, you must manually configure the IMA subsystem.
    • sha256: The service compares the SHA-256 hash of allowed applications.
    fapolicyd_setup_trust: <trust_backends>
    Defines the list of trust backends. If you include the file backend, specify the allowed executable files in the fapolicyd_add_trusted_file list.

    For details about all variables used in the playbook, see the /usr/share/ansible/roles/rhel-system-roles.fapolicyd.README.md file on the control node.

  2. Validate the playbook syntax: 

    $ ansible-playbook ~/playbook.yml --syntax-check
    Copy to Clipboard Toggle word wrap

    Note that this command only validates the syntax and does not protect against a wrong but valid configuration.

  3. Run the playbook: 

    $ ansible-playbook ~/playbook.yml
    Copy to Clipboard Toggle word wrap

Verification

  • Execute a binary application that is not on the allow list as a user: 

    $ ansible managed-node-01.example.com -m command -a 'su -c "/bin/not_authorized_application " <user_name>'
bash: line 1: /bin/not_authorized_application: Operation not permitted non-zero return code
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat