About Policy Rules
Policy rules control how fapolicyd handles files that aren't explicitly listed within the trust database. Policy rules can also be used to further restrict behavior on the system for files that are in the trust database. You can use policy rules to make fapolicyd more or less restrictive. You can define policy rules to create exceptions that allow or deny certain applications for specified scenarios. For example, you can create rules to explicitly allow an application for a particular user or group, but to deny the application for all other users.
The fapolicyd package ships with two policy rule sets:
- The known-libs policy
The known-libs policy is the default rule set and is designed to protect the system by only allowing known applications or libraries to run. The policy is slightly more permissive because it allows ELF binaries, Python programs, and shell scripts to run for trusted applications and libraries.
- The restrictive policy
The restrictive policy provides mostly the same rules as the known-libs policy, but includes several more restrictive rules that prevent the running of any application or library that's not within the trust database. This policy blocks any possibility of running any executable file that isn't trusted.
The rules for these policies are shipped in /usr/share/fapolicyd/sample-rules/. The rules that apply to the known-libs policy are copied into /etc/fapolicyd/rules.d/ when the package is installed to make them active. The files that apply to each policy are described in /usr/share/fapolicyd/sample-rules/README-rules.
fapolicyd processes rules based on their natural sort order, so rule files are named according to the following prefix convention:
- 10-: Definitions of macros that can be used in other rules.
- 20-: Rules to work around fapolicyd for system-critical activity, such as when dracut builds kernel initramfs files or when DNF needs to run particular tools for updates.
- 30-: Rules that identify access patterns that show how a program might be started. A default rule checks for programs that are started by the runtime linker (ld.so).
- 40-: Rules for ELF binary files, such as rules to prevent malformed ELF files from running even if trusted, trust rules for ELF libraries, and rules for trusted ELF binary executable files.
- 50-: Rules that set out which users or groups are trusted to run particular programs or access particular files.
- 60-: Rules for access to particular applications, where the application isn't in the trust database.
- 70-: Rules related to different programming languages or scripting languages, such as Python, Perl, PHP, Ruby, or Lua.
- 80-: Rules for trusted applications that might need advanced access controls.
- 90-: General catch-all allow and deny rules.
Rules are compiled into a single file in /etc/fapolicyd/compiled.rules that fapolicyd reads at runtime. Rule structure is described in detail in the fapolicyd.rules(5) manual page.
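The following added example (not part of this documentation or of the fapolicyd project) models why the numeric prefixes matter: rule files are concatenated in sort order and the first matching rule decides. The rule files, the subject attributes (uid, exe), the object attribute (dir) and the evaluated events are all constructed for illustration, and the matcher is a simplified model of fapolicyd's evaluation, not its real code.

```python
from typing import Dict, List, Tuple

# Constructed sample rule files named with the page's numeric prefixes (illustrative
# content, not the shipped known-libs rules). Syntax is fapolicyd's
# "decision perm=... <subject> : <object>"; lines starting with % are macro definitions.
RULE_FILES: Dict[str, List[str]] = {
    "90-deny-execute.rules": ["# catch-all", "deny_audit perm=any all : all"],
    "50-user-tools.rules": ["allow perm=execute uid=1000 : dir=/opt/tools/"],
    "20-dracut.rules": ["allow perm=any exe=/usr/bin/dracut : all"],
    "10-languages.rules": ["%python=/usr/bin/python3,/usr/libexec/platform-python"],
}

Rule = Tuple[str, Dict[str, str], Dict[str, str]]  # (decision, subject, object)

def compile_rules(files: Dict[str, List[str]]) -> List[Rule]:
    """Concatenate rule files in numeric-prefix sort order, as fapolicyd does when
    it builds compiled.rules, dropping comments, blanks and macro definitions."""
    ordered = sorted(files, key=lambda name: (int(name.split("-")[0]), name))
    rules: List[Rule] = []
    for name in ordered:
        for line in files[name]:
            line = line.strip()
            if not line or line[0] in "#%":
                continue
            head, _, tail = line.partition(":")
            decision, *subj = head.split()
            # "all" carries no attribute, so an empty dict means "match anything"
            subject = dict(p.split("=", 1) for p in subj if "=" in p)
            obj = dict(p.split("=", 1) for p in tail.split() if "=" in p)
            rules.append((decision, subject, obj))
    return rules

def _matches(attrs: Dict[str, str], event: Dict[str, str]) -> bool:
    for key, want in attrs.items():
        if key == "perm" and want == "any":
            continue
        if key == "dir":  # object dir= is a path-prefix match
            if not event.get("path", "").startswith(want):
                return False
        elif str(event.get(key, "")) != want:
            return False
    return True

def decide(rules: List[Rule], event: Dict[str, str]) -> str:
    """First matching rule wins. Falling back to deny when nothing matches is an
    assumption of this model; the shipped rule sets end with an explicit catch-all."""
    for decision, subject, obj in rules:
        if _matches(subject, event) and _matches(obj, event):
            return decision
    return "deny"
```

Because the 50- allow for uid 1000 precedes the 90- catch-all, that user can execute files under /opt/tools/ while every other user is denied and audited; moving the same allow into a 90- file would place it after the catch-all and make it dead.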