From Gentoo Wiki

sys-apps/fapolicyd is the "File Access Policy Daemon"; fapolicyd controls the execution of applications based on user-defined policy.

Execution rules can be defined based on:

  • path
  • hash
  • MIME type, or
  • trust


eselect repository add

Simply emerge sys-apps/fapolicyd

root #emerge --ask sys-apps/fapolicyd


When testing a new policy, use permissive mode to ensure that the system does not deadlock.

root #/usr/sbin/fapolicyd --permissive --debug

In permissive mode with debug output, each decision is logged as an entry such as dec=deny, meaning "the decision is to deny"; the program is nevertheless still allowed to run.
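To turn a permissive-mode run into something actionable before enforcing, the following is an added shell example (not from the wiki page or the fapolicyd project) that summarises which objects would have been denied. The log line layout ("rule=N dec=... perm=... exe=... : path=... ftype=... trust=...") is assumed from the daemon's decision log, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of `fapolicyd --permissive --debug` decision lines
# (field layout assumed; values are made up for illustration).
SAMPLE_LOG='rule=9 dec=deny perm=execute auid=1000 pid=4242 exe=/bin/bash : path=/home/larry/bin/tool ftype=application/x-executable trust=0
rule=4 dec=allow perm=execute auid=1000 pid=4243 exe=/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1
rule=9 dec=deny perm=execute auid=1000 pid=4244 exe=/bin/bash : path=/home/larry/bin/tool ftype=application/x-executable trust=0
rule=12 dec=deny perm=open auid=1000 pid=4245 exe=/usr/bin/python3 : path=/home/larry/script.py ftype=text/x-python trust=0'

# Read decision lines on stdin and print "count path ftype" for every
# distinct object that would have been denied, most frequent first.
summarize_denials() {
    awk '
        $2 == "dec=deny" {
            path = ""; ftype = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "path=") == 1)  path  = substr($i, 6)
                if (index($i, "ftype=") == 1) ftype = substr($i, 7)
            }
            if (path != "") seen[path " " ftype]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Number of distinct would-be-denied objects: a quick go/no-go figure
# before switching from permissive to enforcing mode.
count_denied_objects() {
    summarize_denials | wc -l | tr -d ' '
}

# Usage: pipe the captured debug output (here the constructed sample) in.
printf '%s\n' "$SAMPLE_LOG" | summarize_denials
```

Each line of the summary points at a rule that needs adjusting (or a file that should be trusted) before the policy is enforced.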


fapolicyd rules are stored at /etc/fapolicyd/rules.d/; sample rules are included with the package and installed to /usr/share/fapolicyd/sample-rules.

Rules are loaded at runtime and are processed in their natural sort order. They can also be reloaded into a running fapolicyd instance with the fagenrules binary.

For ease of use, the sample rules shipped with fapolicyd are organised into the following groups:

prefix  group
10      macros
20      loop holes
30      patterns
40      ELF rules
50      user/group access rules
60      application access rules
70      language rules
80      trusted execute
90      general open access to documents

The sample rules should be examined in detail, and rules customised to the system, its threat environment, and its use case should be implemented.

Once rules are in the rules.d directory, load them by running:

root #fagenrules --load


Once the system is running in permissive mode, enable the systemd service.

root #systemctl enable --now fapolicyd

"Fun" notes

Currently stuck on

write(2, "rpmdb backend not supported, abo"..., 38rpmdb backend not supported, aborting!) = 38
write(2, "\n", 1
)                       = 1
write(2, "Failed to load trust data from b"..., 42Failed to load trust data from backend (1)) = 42
write(2, "\n", 1

We probably need to teach it about portage.

See Also