The File Access Policy Daemon, fapolicyd, is a service that can be used to help protect a system by limiting which applications have permission to run. The service can be used to complement other security related services, including SELinux. Unlike SELinux, which isn't concerned with how files and applications are installed onto the system and whether they're trusted, fapolicyd implements policy decisions based on whether applications are trusted and how they were installed onto the system.

Fapolicyd uses the fanotify kernel API to monitor file system events. When a file is accessed, fapolicyd decides whether the event can continue by checking the file against a trust database and evaluating a set of policy rules. If the file isn't in the trust database and a policy rule denies the action, the event is blocked and an EACCESS 'Permission denied' error is returned to the user.

Fapolicyd automatically adds files that are installed by DNF to the trust database, by using a DNF plugin. This approach helps to make fapolicyd more efficient when evaluating files that have been installed legitimately onto the system. Files can be evaluated based on their SHA-256 hash so that they can't be modified after they're added to the trust database. You can optionally add files to the trust database for files that aren't installed by DNF. You must reload the database after files are added manually or when files are installed by using the rpm command outside of the DNF framework.

A cache is used by Fapolicyd to help improve performance and to reduce the amount of time spent processing rules and performing database lookups for frequent events.

Fapolicyd rules define logging options that can be used to audit events. The default policy uses the audit log which can be viewed by using the ausearch command. You can change policy rules to log to the system log or to both the audit log and the system log to help with debugging.

For more information about the Fapolicyd see https://github.com/linux-application-whitelisting/fapolicyd.