About the Trust Database

Fapolicyd uses a trust database to efficiently look up files that are trusted by the system. If a file isn't in the trust database, fapolicyd falls back to processing policy rules to decide whether an event is allowed or not.

The trust database is partitioned into information that fapolicyd gathers about installed RPM packages and information added manually by using configuration files.

The trust database is automatically populated with information about files that are installed onto the system, by copying information from the RPM database. When fapolicyd is started or an update is run, the trust database is updated for all files listed in the RPM database. The trust database is also updated automatically when new packages are installed or packages are updated by using DNF. The tracking of package data is handled by the fapolicyd-dnf-plugin, which notifies the fapolicyd daemon about DNF updates or installations.

If you install packages directly by using the rpm command, then the package information that fapolicyd holds from the RPM database isn't updated and you might experience system freezes. In this case, it can be useful to refresh the trust database. See Refreshing the Trust Database for more information.

Administrators can also add files to the trust database manually when files are installed or added to the system outside of the usual DNF and RPM packaging mechanisms, such as compiling binaries from source, or when using the Python pip utility, Ruby's gem utility, Node.js's npm utility, or Perl's CPAN tooling.

The trust database distinguishes between these two types of trust: files that are trusted because they belong to the RPM database, and files that are trusted because they have been added manually to the trust database. For example, entries that are trusted from the RPM database are of the type rpmdb:

rpmdb /usr/bin/dnf-3 2092 0a53d05260ba7ed4573...7ec64816e3ad49a2078c84836aeb7833e

Files that are added manually to the trust database are of the type filedb, for example:

filedb /home/user/demo.bin 140468 e38cd120c925...46c9cd1aa83e44e697f0f3393d98b305

The database also stores the path to the file, the size of the file in bytes and a SHA-256 hash for the file. The file size and SHA-256 hash can be used to perform further integrity checks on files to make the system much more restrictive and robust against malicious activity. Although enabling integrity checking can protect against somebody working around fapolicyd by changing a file at a particular location, we don't recommend configuring fapolicyd for integrity checking because it increases the risk of system deadlock. Integrity checks are disabled in fapolicyd by default. See Checking for Trust Mismatches and List the Entries in the Trust Database for more information.
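The following script is an added example, not part of fapolicyd or of this documentation: it parses trust entries in the four-field layout shown above (type, path, size in bytes, SHA-256 hash), generates such an entry for a file, and re-checks a file on disk against its entry the way an integrity check would (size first, then hash). It is a stand-alone illustration of what the stored fields allow you to verify, not fapolicyd's own implementation, and the sample file and contents it creates are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class TrustEntry:
    """One trust database line: '<type> <path> <size> <sha256>'."""
    source: str      # "rpmdb" (from the RPM database) or "filedb" (added manually)
    path: str
    size: int        # file size in bytes
    sha256: str      # lowercase hex SHA-256 of the file contents


def sha256_of_file(path):
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_trust_line(line):
    """Parse a trust entry. Size and hash are taken from the right so that a
    path containing spaces is still handled."""
    head, size_str, digest = line.strip().rsplit(None, 2)
    source, path = head.split(None, 1)
    if source not in ("rpmdb", "filedb"):
        raise ValueError("unknown trust type: %r" % source)
    return TrustEntry(source, path, int(size_str), digest.lower())


def format_entry(entry):
    return "%s %s %d %s" % (entry.source, entry.path, entry.size, entry.sha256)


def make_entry(path, source="filedb"):
    """Build the entry an administrator would record for a manually trusted file."""
    return TrustEntry(source, path, os.path.getsize(path), sha256_of_file(path))


def check_entry(entry):
    """Compare the file on disk with its recorded entry.
    Returns "ok", "missing", "size-mismatch" or "hash-mismatch".
    The cheap size comparison runs before the hash, so a file that changed
    length is reported without reading it."""
    if not os.path.isfile(entry.path):
        return "missing"
    if os.path.getsize(entry.path) != entry.size:
        return "size-mismatch"
    if sha256_of_file(entry.path) != entry.sha256:
        return "hash-mismatch"
    return "ok"


def demo():
    """Constructed walk-through: trust a file, then tamper with it in three ways.
    Returns the four check results in order."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "demo.bin")          # constructed sample file
        with open(p, "wb") as f:
            f.write(b"hello\n")
        entry = parse_trust_line(format_entry(make_entry(p)))  # round-trip the line
        results = [check_entry(entry)]
        with open(p, "wb") as f:                 # same size, different bytes
            f.write(b"hellO\n")
        results.append(check_entry(entry))
        with open(p, "ab") as f:                 # size changes
            f.write(b"x")
        results.append(check_entry(entry))
        os.remove(p)                             # file gone
        results.append(check_entry(entry))
        return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

Running the script prints the four outcomes (ok, hash-mismatch, size-mismatch, missing). The ordering of the checks is the point: a stored size catches most accidental replacements without hashing, while the SHA-256 is what detects a same-length substitution at the recorded path.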

Note that processing of trusted files in the trust database is cached and is much quicker than the processing of individual policy rules. Therefore, if you need fapolicyd to trust particular applications or files that are made available to the system outside of DNF, it's more efficient to add them to the trust database than to define rules for them. Only add policy rules for individual files if you need custom rules around user or group permissions.