13.6. Troubleshooting problems related to fapolicyd
The following section provides tips for basic troubleshooting of the fapolicyd
application framework and guidance for adding applications using the rpm
command.
Installing applications using rpm
If you install an application using the
rpm
command, you have to perform a manual refresh of thefapolicyd
RPM database:Install your application:
# rpm -i application.rpm
Refresh the database:
# fapolicyd-cli --update
If you skip this step, the system can freeze and must be restarted.
Service status
If
fapolicyd
does not work correctly, check the service status:# systemctl status fapolicyd
fapolicyd-cli
checks and listings
The
--check-config
,--check-watch_fs
, and--check-trustdb
options help you find syntax errors, not-yet-watched file systems, and file mismatches, for example:# fapolicyd-cli --check-config Daemon config is OK # fapolicyd-cli --check-trustdb /etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256 /etc/selinux/targeted/policy/policy.31 miscompares: size sha256
Use the
--list
option to check the current list of rules and their order:# fapolicyd-cli --list ... 9. allow perm=execute all : trust=1 10. allow perm=open all : ftype=%languages trust=1 11. deny_audit perm=any all : ftype=%languages 12. allow perm=any all : ftype=text/x-shellscript 13. deny_audit perm=execute all : all ...
Debug mode
Debug mode provides detailed information about matched rules, database status, and more. To switch
fapolicyd
to debug mode:Stop the
fapolicyd
service:# systemctl stop fapolicyd
Use debug mode to identify a corresponding rule:
# fapolicyd --debug
Because the output of the
fapolicyd --debug
command is verbose, you can redirect the error output to a file:# fapolicyd --debug 2> fapolicy.output
Alternatively, to limit the output only to entries when
fapolicyd
denies access, use the--debug-deny
option:# fapolicyd --debug-deny
Removing the fapolicyd
database
To solve problems related to the
fapolicyd
database, try to remove the database file:# systemctl stop fapolicyd # fapolicyd-cli --delete-db
AvertissementDo not remove the
/var/lib/fapolicyd/
directory. Thefapolicyd
framework automatically restores only the database file in this directory.
Dumping the fapolicyd
database
The
fapolicyd
contains entries from all enabled trust sources. You can check the entries after dumping the database:# fapolicyd-cli --dump-db
Application pipe
In rare cases, removing the
fapolicyd
pipe file can solve a lockup:# rm -f /var/run/fapolicyd/fapolicyd.fifo
Ressources supplémentaires
-
fapolicyd-cli(1)
man page.