10.6. Troubleshooting problems related to fapolicyd
The fapolicyd application framework provides tools for troubleshooting the most common problems. This section also describes how to add applications that you installed with the rpm command to the trust database.
- Installing applications by using RPM
  If you install an application by using the rpm command, you must refresh the fapolicyd RPM trust database manually. Installing with dnf or yum triggers the refresh through the dnf plugin that ships with fapolicyd; a plain rpm invocation does not.
  1. Install your <application>:
     # rpm -i <application>.rpm
  2. Refresh the database:
     # fapolicyd-cli --update
  If you skip this step, the newly installed files are not trusted, the system can freeze, and it must be restarted.
- Service status
  If fapolicyd does not work correctly, check the service status:
  # systemctl status fapolicyd
- fapolicyd-cli checks and listings
  The --check-config, --check-watch_fs, and --check-trustdb options help you find syntax errors in the daemon configuration, file systems that are not yet watched, and files that no longer match their trust database entries, for example:
  # fapolicyd-cli --check-config
  Daemon config is OK
  # fapolicyd-cli --check-trustdb
  /etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
  /etc/selinux/targeted/policy/policy.31 miscompares: size sha256
  A miscompare means that the size or SHA-256 hash of the file on disk differs from the entry in the trust database, so rules that require trust=1 no longer match that file until the database is refreshed with fapolicyd-cli --update.
  Use the --list option to check the current list of rules and their order. Rules are evaluated from top to bottom and the first match decides:
  # fapolicyd-cli --list
  …
  9. allow perm=execute all : trust=1
  10. allow perm=open all : ftype=%languages trust=1
  11. deny_audit perm=any all : ftype=%languages
  12. allow perm=any all : ftype=text/x-shellscript
  13. deny_audit perm=execute all : all
  …
- Debug mode
  Debug mode provides detailed information about matched rules, database status, and more. To switch fapolicyd to debug mode:
  1. Stop the fapolicyd service:
     # systemctl stop fapolicyd
  2. Run the daemon in the foreground with debug output to identify the rule that matched a decision:
     # fapolicyd --debug
  Because the output of the fapolicyd --debug command is verbose and goes to standard error, you can redirect the error output to a file:
  # fapolicyd --debug 2> fapolicy.output
  Alternatively, to limit the output to only the entries in which fapolicyd denies access, use the --debug-deny option:
  # fapolicyd --debug-deny
  When you have finished, stop the foreground daemon with Ctrl+C and start the service again:
  # systemctl start fapolicyd
- Removing the fapolicyd database
  To solve problems related to the fapolicyd database, try to remove the database file:
  # systemctl stop fapolicyd
  # fapolicyd-cli --delete-db
  Warning: Do not remove the /var/lib/fapolicyd/ directory. The fapolicyd framework automatically restores only the database file in this directory. The database is rebuilt from the enabled trust sources when you start the service again:
  # systemctl start fapolicyd
- Dumping the fapolicyd database
  The fapolicyd database contains entries from all enabled trust sources. You can check the entries after dumping the database:
  # fapolicyd-cli --dump-db
- Application pipe
  In rare cases, removing the fapolicyd pipe file can solve a lockup. Stop the service first, remove the pipe, and start the service again, which recreates the pipe:
  # systemctl stop fapolicyd
  # rm -f /var/run/fapolicyd/fapolicyd.fifo
  # systemctl start fapolicyd