Rechercher
SupportConsoleDéveloppeursCommencer un essaiContact

13.4. Adding custom allow and deny rules for fapolicyd

download PDF

The default set of rules in the fapolicyd package does not affect system functions. For custom scenarios, such as storing binaries and scripts in a non-standard directory or adding applications without the dnf or rpm installers, you must either mark additional files as trusted or add new custom rules.

For basic scenarios, prefer Marking files as trusted using an additional source of trust. In more advanced scenarios such as allowing to execute a custom binary only for specific user and group identifiers, add new custom rules to the /etc/fapolicyd/rules.d/ directory.

The following steps demonstrate adding a new rule to allow a custom binary.

Conditions préalables

  • The fapolicyd framework is deployed on your system.

Procédure

  1. Copy your custom binary to the required directory, for example: 

    $ cp /bin/ls /tmp
$ /tmp/ls
bash: /tmp/ls: Operation not permitted

  2. Stop the fapolicyd service: 

    # systemctl stop fapolicyd

  3. Use debug mode to identify a corresponding rule. Because the output of the fapolicyd --debug command is verbose and you can stop it only by pressing Ctrl+C or killing the corresponding process, redirect the error output to a file. In this case, you can limit the output only to access denials by using the --debug-deny option instead of --debug: 

    # fapolicyd --debug-deny 2> fapolicy.output &
[1] 51341

    Alternatively, you can run fapolicyd debug mode in another terminal.

  4. Repeat the command that fapolicyd denied: 

    $ /tmp/ls
bash: /tmp/ls: Operation not permitted

  5. Stop debug mode by resuming it in the foreground and pressing Ctrl+C: 

    # fg
fapolicyd --debug 2> fapolicy.output
^C
...

    Alternatively, kill the process of fapolicyd debug mode: 

    # kill 51341

  6. Find a rule that denies the execution of your application: 

    # cat fapolicy.output | grep 'deny_audit'
...
rule=13 dec=deny_audit perm=execute auid=0 pid=6855 exe=/usr/bin/bash : path=/tmp/ls ftype=application/x-executable trust=0

  7. Locate the file that contains a rule that prevented the execution of your custom binary. In this case, the deny_audit perm=execute rule belongs to the 90-deny-execute.rules file: 

    # ls /etc/fapolicyd/rules.d/
10-languages.rules  40-bad-elf.rules	   72-shell.rules
20-dracut.rules     41-shared-obj.rules    90-deny-execute.rules
21-updaters.rules   42-trusted-elf.rules   95-allow-open.rules
30-patterns.rules   70-trusted-lang.rules


# cat /etc/fapolicyd/rules.d/90-deny-execute.rules
# Deny execution for anything untrusted

deny_audit perm=execute all : all

  8. Add a new allow rule to the file that lexically precedes the rule file that contains the rule that denied the execution of your custom binary in the /etc/fapolicyd/rules.d/ directory: 

    # touch /etc/fapolicyd/rules.d/80-myapps.rules
# vi /etc/fapolicyd/rules.d/80-myapps.rules

    Insert the following rule to the 80-myapps.rules file: 

    allow perm=execute exe=/usr/bin/bash trust=1 : path=/tmp/ls ftype=application/x-executable trust=0

    Alternatively, you can allow executions of all binaries in the /tmp directory by adding the following rule to the rule file in /etc/fapolicyd/rules.d/: 

    allow perm=execute exe=/usr/bin/bash trust=1 : dir=/tmp/ trust=0

  9. To prevent changes in the content of your custom binary, define the required rule using an SHA-256 checksum: 

    $ sha256sum /tmp/ls
780b75c90b2d41ea41679fcb358c892b1251b68d1927c80fbc0d9d148b25e836  ls

    Change the rule to the following definition: 

    allow perm=execute exe=/usr/bin/bash trust=1 : sha256hash=780b75c90b2d41ea41679fcb358c892b1251b68d1927c80fbc0d9d148b25e836

  10. Check that the list of compiled differs from the rule set in /etc/fapolicyd/rules.d/, and update the list, which is stored in the /etc/fapolicyd/compiled.rules file: 

    # fagenrules --check
/usr/sbin/fagenrules: Rules have changed and should be updated
# fagenrules --load

  11. Check that your custom rule is in the list of fapolicyd rules before the rule that prevented the execution: 

    # fapolicyd-cli --list
...
13. allow perm=execute exe=/usr/bin/bash trust=1 : path=/tmp/ls ftype=application/x-executable trust=0
14. deny_audit perm=execute all : all
...

  12. Start the fapolicyd service: 

    # systemctl start fapolicyd

Vérification

  1. Check that your custom binary can be now executed, for example: 

    $ /tmp/ls
ls

Ressources supplémentaires

  • fapolicyd.rules(5) and fapolicyd-cli(1) man pages.
  • The documentation installed with the fapolicyd package in the /usr/share/fapolicyd/sample-rules/README-rules file.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.