Red Hat 8 fapolicyd Adding Exceptions or Adding Trusted Applications

I won’t reiterate what fapolicyd is or get into a great debate about it. This post simply outlines a couple of ways to add exceptions for when scripts or applications are blocked by fapolicyd.

Update 8/15/2022

This appears to have been updated by Red Hat and may no longer be entirely relevant in Red Hat 8.6.

What is fapolicyd?

The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system. (Red Hat documentation)

Add Exceptions

The following file is important when adding exceptions to specific directories or applications.

/etc/fapolicyd/fapolicyd.rules
Allow all scripts in a subdirectory to execute

allow perm=any all : dir=/home/user/ : all trust=0
allow perm=any all : dir=/opt/ : all trust=0
allow perm=any all : dir=/usr/share/git-core/templates/hooks/ : all trust=0

Allow a specific application to execute

allow perm=open exe=/bin/podman : all
allow perm=open exe=/bin/tkdiff : all
allow perm=open exe=/usr/bin/zdiff : all

After making the necessary changes, be sure to restart the service:

sudo systemctl restart fapolicyd.service

Podman Containers Blocked by fapolicyd

Update 8/15/2022

With RHEL 8.6 you will need to modify a different file; see this post for details: https://www.spxlabs.com/blog/2022/8/15/red-hat-86-fapolicy-preventing-podman-containers-from-running

For some strange reason containers get blocked by fapolicyd on RHEL 8.5. Developers have reported this error when trying to launch containers:

Error: unable to start container /user/bin/runc: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Operation not permitted: OCI permission denied

To fix this, I added the following lines to my fapolicyd.rules file:

allow perm=open exe=/usr/lib/libpthread.so.0 : all
allow perm=open exe=/usr/lib64/libpthread.so.0 : all

Security Concerns

Allowing any and all scripts to run from the /home/user directory almost defeats the purpose of fapolicyd. This is purely an example.

However, you may find this is necessary if your workstations are in a developer environment and many scripts or applications are being called. This may also be necessary for administrators who are creating scripts regularly to perform certain tasks. If this is the case, then narrowing down to a specific subdirectory would be best practice.
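The procedure in Add Exceptions (add a rule, restart the service) and the point made under Security Concerns (a whole-directory allow with trust=0 is far broader than necessary) can both be scripted. The block below is an added example, not code from this post or from the fapolicyd project. It relies on fapolicyd evaluating fapolicyd.rules top to bottom and stopping at the first match, which is why a rule pasted below the final `deny_audit perm=execute all : all` would never take effect. The function names `fap_rule_for_path`, `fap_insert_rule`, `fap_lint_broad` and `fap_sample_rules`, the path `/opt/tools/deploy.sh`, and the sample rules content are all constructed for the example; nothing here talks to the daemon or touches /etc.

```shell
#!/bin/sh
# Added example, not code from the original post or from fapolicyd itself.
# Assumption: fapolicyd evaluates fapolicyd.rules top to bottom and stops at
# the first matching rule, so an allow rule placed *below* the catch-all
# "deny_audit perm=execute all : all" never fires. All function names, the
# path /opt/tools/deploy.sh and the sample rules content are constructed.

# Narrowest rule for one script or binary: allow only that path. perm=any is
# used (as the post does for directories) because a script is opened by its
# interpreter rather than executed directly, so perm=execute alone would not
# cover it.
fap_rule_for_path() {
    printf 'allow perm=any all : path=%s\n' "$1"
}

# Insert RULE into RULES_FILE directly above the catch-all execute deny, or
# append it if there is no catch-all. Exact duplicates are skipped, and the
# file is rewritten in place with cat so its owner and mode are preserved.
fap_insert_rule() {
    rules_file=$1
    rule=$2
    if grep -qxF -- "$rule" "$rules_file"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v rule="$rule" '
        !done && /^deny_audit[ \t]+perm=execute[ \t]+all[ \t]*:[ \t]*all[ \t]*$/ {
            print rule; done = 1
        }
        { print }
        END { if (!done) print rule }
    ' "$rules_file" > "$tmp" && cat "$tmp" > "$rules_file"
    rm -f "$tmp"
}

# Print every allow rule that opens a whole directory to untrusted files
# (dir=... with trust=0) when the directory is at most MAXDEPTH (default 2)
# components deep, e.g. /opt/ or /home/spx/. Returns 1 if any were found.
fap_lint_broad() {
    awk -v maxdepth="${2:-2}" '
        /^allow / && /dir=/ && /trust=0/ {
            match($0, /dir=[^ ]+/)
            d = substr($0, RSTART + 4, RLENGTH - 4)
            n = split(d, parts, "/")
            depth = 0
            for (i = 1; i <= n; i++) if (parts[i] != "") depth++
            if (depth <= maxdepth) { print "broad: " $0; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Write a constructed sample that mirrors the layout of the post's example
# file (not a copy of any real /etc/fapolicyd/fapolicyd.rules).
fap_sample_rules() {
    printf '%s\n' \
        'allow perm=any all : dir=/home/spx/ : all trust=0' \
        'allow perm=any all : dir=/usr/share/git-core/templates/hooks/ : all trust=0' \
        'allow perm=open exe=/bin/podman : all' \
        'allow perm=execute all : trust=1' \
        'deny_audit perm=execute all : all' > "$1"
}

# Stand-alone demo on a temporary copy; it never touches /etc.
fap_demo() {
    demo=$(mktemp)
    fap_sample_rules "$demo"
    fap_insert_rule "$demo" "$(fap_rule_for_path /opt/tools/deploy.sh)"
    echo "== rules after insert =="
    cat "$demo"
    echo "== over-broad directory allows =="
    fap_lint_broad "$demo" || true
    rm -f "$demo"
}

fap_demo
```

On a real system you would point `fap_insert_rule` at /etc/fapolicyd/fapolicyd.rules as root and then run the post's `sudo systemctl restart fapolicyd.service`. For a single binary that simply needs to be trusted, adding it to the trust database with `fapolicyd-cli --file add <path>` followed by `fapolicyd-cli --update` is an alternative that needs no rule edit at all; `fap_lint_broad` is meant to be run afterwards to catch the `dir=/home/...` and `dir=/opt/` style allows the Security Concerns section warns about.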
Example fapolicyd.rules file

Here is an example file from my workstation:

# This rule policy is designed to only block execution of untrusted files
# while ensuring that only trusted libraries are used. This provides good
# performance while ensuring that there is not much interference by
# the daemon.

%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# CCE-82249-4
allow perm=any all : dir=/home/spx/ : all trust=0
allow perm=any all : dir=/var/ : all trust=0
allow perm=any all : dir=/opt/ : all trust=0
allow perm=any all : dir=/vmstorage/ : all trust=0
allow perm=any all : dir=/usr/share/git-core/templates/hooks/ : all trust=0
allow perm=open exe=/bin/podman : all
allow perm=open exe=/usr/lib/libpthread.so.0 : all
allow perm=open exe=/usr/lib64/libpthread.so.0 : all

# Carve out an exception for dracut initramfs building
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all

# Prevent execution by ld.so
deny_audit perm=any pattern=ld_so : all

# We have to carve out an exception for the system updaters
# or things go very bad (deadlock).
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all

# Only allow known ELF libs - this is ahead of executable because typical
# executable is linked with a dozen or more libraries.
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib

# Allow trusted programs to execute
allow perm=execute all : trust=1

# Need to carve out an exception for ansible, which uses python
allow perm=any uid=0 : dir=/tmp/ansible
allow perm=any uid=0 : dir=/root/.ansible/tmp/

# Allow any program to open trusted language files
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages

# Allow all shell script execution and sourcing
allow perm=any all : ftype=text/x-shellscript

# Deny execution for anything untrusted
deny_audit perm=execute all : all

Questions?

If you have any, drop a comment, but please know that I am far from an expert on FAP-Olicy.