User:Kangie/fapolicyd
sys-apps/fapolicyd is the "File Access Policy Daemon"; fapolicyd controls the execution of applications based on user-defined policy.
Execution rules can be defined based on:
- path
- hash
- MIME type, or
- trust
Installation
eselect repository add https://github.com/Kangie/kangie-tools.git
Simply emerge sys-apps/fapolicyd
root # emerge --ask sys-apps/fapolicyd
Testing
When testing new policy, use permissive mode to ensure that the system is not deadlocked.
root # /usr/sbin/fapolicyd --permissive --debug
In permissive + debug mode, entries will be logged like (e.g.) dec=deny, which means "decision is to deny", but the program will still be allowed to run.
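One way to review the permissive-mode debug output described above before enforcing policy (an added example, not part of the original page or the fapolicyd project): it counts decisions whose dec= value starts with deny, grouped by rule, permission, executable and path. The log layout beyond dec=deny, the sample lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list what fapolicyd WOULD have blocked while in permissive mode.
# Assumption: each decision is one line of space-separated key=value tokens
# (rule=, dec=, perm=, exe=, path=, ...). Paths containing spaces are not handled.

# Constructed sample log lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
rule=3 dec=allow perm=open auid=1000 pid=4100 exe=/usr/bin/bash : path=/etc/profile ftype=text/plain trust=1
rule=11 dec=deny_audit perm=execute auid=1000 pid=4101 exe=/usr/bin/bash : path=/home/larry/build/hello ftype=application/x-executable trust=0
rule=11 dec=deny_audit perm=execute auid=1000 pid=4107 exe=/usr/bin/bash : path=/home/larry/build/hello ftype=application/x-executable trust=0
rule=9 dec=deny perm=open auid=1000 pid=4110 exe=/usr/bin/python3.12 : path=/tmp/x.py ftype=text/x-python trust=0
EOF
}

# Reads log lines on stdin and prints "count rule perm exe path" for every
# decision whose dec= value starts with "deny", most frequent first.
summarise_denials() {
    awk '
    {
        split("", f)                      # reset the per-line field map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (f["dec"] ~ /^deny/)
            n[f["rule"] " " f["perm"] " " f["exe"] " " f["path"]]++
    }
    END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_log | summarise_denials
```

To use it on a real system, feed the captured debug output to summarise_denials on stdin in place of sample_log.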
Configuration
fapolicyd rules are stored at /etc/fapolicyd/rules.d/; sample rules are included with the package and installed to /usr/share/fapolicyd/sample-rules.
Rules are loaded at runtime and are processed based on their natural sort order. They may also be loaded into a running fapolicyd instance using the fagenrules binary.
For ease of use, the sample rules shipped with fapolicyd are organised into the following groups:
prefix | group |
---|---|
10 | macros |
20 | loop holes |
30 | patterns |
40 | ELF rules |
50 | user/group access rules |
60 | application access rules |
70 | language rules |
80 | trusted execute |
90 | general open access to documents |
The sample rules should be examined in detail, and rules customised to the system, threat environment, and use case should then be implemented.
Once rules are in the rules.d directory, load them by running:
root # fagenrules --load
Usage
Once the system is running in permissive mode, enable the systemd service.
root # systemctl enable --now fapolicyd
"Fun" notes
Currently stuck on
write(2, "rpmdb backend not supported, abo"..., 38rpmdb backend not supported, aborting!) = 38
write(2, "\n", 1 ) = 1
write(2, "Failed to load trust data from b"..., 42Failed to load trust data from backend (1)) = 42
write(2, "\n", 1
We probably need to teach it about Portage.