sys-apps/fapolicyd is the "File Access Policy Daemon"; fapolicyd controls the execution of applications based on user-defined policy.
Execution rules can be defined based on:
- MIME type, or
eselect repository add https://github.com/Kangie/kangie-tools.git
Simply emerge sys-apps/fapolicyd
emerge --ask sys-apps/fapolicyd
When testing new policy use permissive mode to ensure that the system is not deadlocked.
/usr/sbin/fapolicyd --permissive --debug
In permissive + debug mode entries will be logged like (e.g.)
dec=deny which means "decision is to deny", but the program will still be allowed to run.
fapolicyd rules are stored at /etc/fapolicyd/rules.d/; sample rules are included with the package and installed to /usr/share/fapolicyd/sample-rules.
Rules are loaded at runtime and are processed based on their natural sort order. They may also be updated into a running fapolicyd instance using used with the fagenrules binary.
For ease of use, the sample rules shipped with fapolicyd are organised into the following groups:
|50||user/group access rules|
|60||application access rules|
|90||general open access to documents|
The sample rules should be examined in detail and rules customised to the system, threat environment, and use case should be implemented.
Once rules are in the rules.d directory, load them by running:
Once the system is running in permissive mode, enable the systemd service.
systemctl --enable fapolicyd --now
Currently stuck on
write(2, "rpmdb backend not supported, abo"..., 38rpmdb backend not supported, aborting!) = 38 write(2, "\n", 1 ) = 1 write(2, "Failed to load trust data from b"..., 42Failed to load trust data from backend (1)) = 42 write(2, "\n", 1
We probably need to teach it aboot portage.