1 About the File Access Policy Daemon
The File Access Policy Daemon, fapolicyd, is a service that helps protect a system by limiting which applications are permitted to run. It complements other security-related services, including SELinux. Unlike SELinux, which isn't concerned with how files and applications were installed onto the system or whether they're trusted, fapolicyd makes policy decisions based on whether applications are trusted and how they were installed onto the system.
Fapolicyd uses the fanotify kernel API to monitor file system events. When a file is accessed, fapolicyd decides whether the event can continue by checking the file against a trust database and evaluating a set of policy rules. If the file isn't in the trust database and a policy rule denies the action, the event is blocked and an EACCES 'Permission denied' error is returned to the user.
Fapolicyd automatically adds files that are installed by DNF to the trust database, by using a DNF plugin. This approach makes fapolicyd more efficient when evaluating files that have been installed legitimately onto the system. Files can be evaluated based on their SHA-256 hash, so that they can't be modified after they're added to the trust database without the modification being detected. You can optionally add files that aren't installed by DNF to the trust database. You must reload the database after files are added manually or when files are installed by using the rpm command outside of the DNF framework.
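The following Python is an added example, not fapolicyd's own code: it models the trust check described above, using the `path size sha256` record layout of fapolicyd's plain-text trust file, and shows how a file that is modified after its record was taken no longer matches. All file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Added example, not fapolicyd code. Records follow the layout of fapolicyd's
# plain-text trust file: one "<path> <size> <sha256>" entry per line.

def parse_trust_db(text):
    """Map path -> (size, sha256); blank lines and '#' comments are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            path, size, digest = line.rsplit(" ", 2)
            db[path] = (int(size), digest.lower())
    return db

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def trust_entry(path):
    """The record that would be added to the trust database for path."""
    return f"{path} {os.path.getsize(path)} {sha256_of(path)}"

def trust_decision(db, path):
    """'trusted', 'untrusted' (no record) or 'modified' (size or hash mismatch)."""
    entry = db.get(path)
    if entry is None:
        return "untrusted"
    size, digest = entry
    if os.path.getsize(path) != size or sha256_of(path) != digest:
        return "modified"
    return "trusted"

def demo():
    """Constructed scenario: record a file, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        tool = os.path.join(d, "tool.sh")
        with open(tool, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        db = parse_trust_db("# constructed trust database\n" + trust_entry(tool) + "\n")
        before = trust_decision(db, tool)       # matches the recorded size and hash
        with open(tool, "a") as f:
            f.write("echo tampered\n")          # modified after being trusted
        after = trust_decision(db, tool)
        unknown = trust_decision(db, os.path.join(d, "other.sh"))  # never added
    return before, after, unknown
```

Running `demo()` returns `('trusted', 'modified', 'untrusted')`, which is the distinction fapolicyd's rules act on: a file with no record and a file whose hash no longer matches are both outside the trust database.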
A cache is used by Fapolicyd to help improve performance and to reduce the amount of time spent processing rules and performing database lookups for frequent events.
Fapolicyd rules define logging options that can be used to audit events. The default policy uses the audit log, which can be viewed by using the ausearch command. You can change policy rules to log to the system log, or to both the audit log and the system log, to help with debugging.
For more information about fapolicyd, see https://github.com/linux-application-whitelisting/fapolicyd.