Red Hat 8 fapolicyd Adding Exceptions or Adding Trusted Applications
I won't reiterate what fapolicyd is or get into a great debate about it. This post simply outlines a couple of ways to add exceptions when scripts or applications are blocked by fapolicyd.
Update 8/15/2022
This appears to have been updated by Red Hat and may no longer be entirely relevant in Red Hat 8.6.
What is fapolicyd?
"The fapolicyd software framework controls the execution of applications based on a user-defined policy. This is one of the most efficient ways to prevent running untrusted and possibly malicious applications on the system." - Red Hat documentation
Add Exceptions
On RHEL 8.5 and earlier, exceptions for specific directories or applications are added as rules in the following file:
/etc/fapolicyd/fapolicyd.rules
Each rule has the form decision perm subject : object (see fapolicyd.rules(5)): the part before the colon describes the process (exe=, uid=, comm=, trust=), the part after it describes the file being executed or opened (path=, dir=, ftype=, trust=). Rules are evaluated top to bottom and the first match wins, so a custom allow rule must sit above the deny rule that would otherwise catch the file.
Allow everything under a directory to execute (trust=0 means the files do not have to be in the trust database; dir= matches the whole tree below the path)
allow perm=any all : dir=/home/user/ : all trust=0
allow perm=any all : dir=/opt/ : all trust=0
allow perm=any all : dir=/usr/share/git-core/templates/hooks/ : all trust=0
Allow a specific application to execute (note that exe= names the running process and perm=open lets that process open any file, including untrusted libraries and scripts; on RHEL 8, /bin is a symlink to /usr/bin and the daemon sees the resolved path, so /usr/bin/... is the form that matches)
allow perm=open exe=/bin/podman : all
allow perm=open exe=/bin/tkdiff : all
allow perm=open exe=/usr/bin/zdiff : all
After making the necessary changes, restart the service:
sudo systemctl restart fapolicyd.service
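The rules above allow by location or by process. The file-level alternative the title refers to is the trust database: fapolicyd's trust file (/etc/fapolicyd/fapolicyd.trust on RHEL 8.5, or a file under /etc/fapolicyd/trust.d/ on later releases) holds one "path size sha256" line per file, and a trusted file passes the `trust=1` rules without any directory-wide allow. `fapolicyd-cli --file add /path` writes such a line for one file; the script below is an added example, not from the original post, that generates the same entries for every regular file under a directory so they can be reviewed before being loaded. It assumes GNU coreutils (`sha256sum`) and a Linux host; the function names and the /opt/myapp path in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): emit fapolicyd trust-file
# entries ("path size sha256") for every regular file under a directory.
# Assumes GNU coreutils (sha256sum). Review the output, append it to
# /etc/fapolicyd/fapolicyd.trust (or a file in /etc/fapolicyd/trust.d/),
# then run `fapolicyd-cli --update` so the daemon reloads the trust db.

# Print one trust entry for a single regular file, or fail with status 1.
# The trust file is space separated, so a path containing a space cannot
# be represented and is skipped with a warning rather than written wrong.
fapolicyd_trust_entry() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$f" in
        *" "*) echo "skipping path with space: $f" >&2; return 1 ;;
    esac
    size=$(wc -c < "$f" | tr -d ' ') || return 1
    hash=$(sha256sum -- "$f" | cut -d' ' -f1) || return 1
    printf '%s %s %s\n' "$f" "$size" "$hash"
}

# Emit entries for every regular file under a directory. Symlinks are not
# followed: fapolicyd checks the file that is actually opened, so the
# target (not the link) is what must be trusted.
fapolicyd_trust_dir() {
    dir="$1"
    find "$dir" -type f | sort | while IFS= read -r f; do
        fapolicyd_trust_entry "$f"
    done
}

# Usage on a real host, as root (placeholder application path):
#   fapolicyd_trust_dir /opt/myapp >> /etc/fapolicyd/fapolicyd.trust
#   fapolicyd-cli --update
```

Because an entry pins both the size and the SHA-256, a file that is later modified (or replaced by an attacker) stops matching and falls back to the untrusted path, which is the property a blanket `dir=` allow gives up.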
Podman Containers Blocked by fapolicyd
Update 8/15/2022
With RHEL 8.6 the rules moved from the single /etc/fapolicyd/fapolicyd.rules file to fragments under /etc/fapolicyd/rules.d/ that fagenrules compiles, so you will need to modify a different file; see this post for details -> https://www.spxlabs.com/blog/2022/8/15/red-hat-86-fapolicy-preventing-podman-containers-from-running
For some strange reason containers get blocked by fapolicyd on RHEL 8.5. Developers have reported this error when trying to launch containers:
Error: unable to start container /user/bin/runc: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Operation not permitted: OCI permission denied
To fix this I have added the following lines into my fapolicyd.rules file.
allow perm=open exe=/usr/lib/libpthread.so.0 : all
allow perm=open exe=/usr/lib64/libpthread.so.0 : all
A caveat on these two lines: exe= is a subject field, so it describes the executable of the process making the request, not the file being opened. A library that a process is loading belongs on the object side of the colon (path=), as in allow perm=open all : path=/usr/lib64/libpthread.so.0. Also note that the example rules file later in this post allows everything under /var/, which includes /var/lib/containers where image layers are unpacked; files inside container images are not in the host RPM database and are therefore untrusted. To see exactly which rule is denying what, stop the service and run the daemon in the foreground with fapolicyd --debug-deny, or search the audit log with ausearch -m fanotify; after package updates, refresh the trust database with fapolicyd-cli --update.
Security Concerns
Allowing any and all scripts to run from the /home/user directory almost defeats the purpose of fapolicyd: anything a user (or anything running as that user) can drop there becomes executable. This is purely an example. The same applies to the /var/ and /opt/ allows in the example file below, since /var/tmp is world-writable and /opt is where untrusted third-party software tends to land.
However, you may find this is necessary if your workstations are in a developer environment and many scripts or applications are being called. This may also be necessary for administrators who are creating scripts regularly to perform certain tasks. If this is the case, then narrowing the rule down to a specific subdirectory, a specific user and a specific file type would be best practice, or adding the individual files to the trust database instead of a directory rule.
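As an added illustration of that narrowing (not from the original post; uid 1000 and /home/user/scripts/ are placeholders), the fragment below puts the blanket home-directory rule next to a scoped replacement, written in the decision perm subject : object form from fapolicyd.rules(5). It targets Python files because, in the default policy reproduced later on this page, shell scripts are already allowed for everyone by allow perm=any all : ftype=text/x-shellscript, while untrusted Python files are caught by deny_audit perm=any all : ftype=%languages. The scoped rule therefore has to be placed above that deny_audit line, because the first matching rule wins.

```text
# Added example, not from the original post. Placeholders: uid 1000,
# /home/user/scripts/. Rules are first-match, so both forms must sit
# above the deny_audit rules for %languages and for execute.

# Too broad: any user, any file type, anywhere under /home/user/,
# whether or not the file is in the trust database.
#allow perm=any all : dir=/home/user/ trust=0

# Narrower: only processes running as uid 1000, only untrusted Python
# files, only directly under /home/user/scripts/ and its subtree.
allow perm=any uid=1000 : dir=/home/user/scripts/ ftype=text/x-python trust=0

# Everything else under /home/user/ is left to the default rules, so an
# untrusted binary or Python file dropped elsewhere in the home directory
# still hits "deny_audit perm=execute all : all" and is logged.
```

If the scripts are only ever launched from an interactive shell, the subject side can be tightened further with exe=/usr/bin/bash trust=1, so that a compromised third-party process running as the same user cannot use the exception.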
Example fapolicyd.rules file
Here is an example file from my workstation (the custom rules are the block under the CCE-82249-4 comment; the rest is the default known-libs policy shipped with the package).
# This rule policy is designed to only block execution of untrusted files
# while ensuring that only trusted libraries are used. This provides good
# performance while ensuring that there is not much interference by
# the daemon.

%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap

# CCE-82249-4
allow perm=any all : dir=/home/spx/ : all trust=0
allow perm=any all : dir=/var/ : all trust=0
allow perm=any all : dir=/opt/ : all trust=0
allow perm=any all : dir=/vmstorage/ : all trust=0
allow perm=any all : dir=/usr/share/git-core/templates/hooks/ : all trust=0
allow perm=open exe=/bin/podman : all
allow perm=open exe=/usr/lib/libpthread.so.0 : all
allow perm=open exe=/usr/lib64/libpthread.so.0 : all

# Carve out an exception for dracut initramfs building
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all

# Prevent execution by ld.so
deny_audit perm=any pattern=ld_so : all

# We have to carve out an exception for the system updaters
# or things go very bad (deadlock).
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/libexec/platform-python3.6 comm=dnf : all

# Only allow known ELF libs - this is ahead of executable because typical
# executable is linked with a dozen or more libraries.
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib

# Allow trusted programs to execute
allow perm=execute all : trust=1

# Need to carve out an exception for ansible, which uses python
allow perm=any uid=0 : dir=/tmp/ansible
allow perm=any uid=0 : dir=/root/.ansible/tmp/

# Allow any program to open trusted language files
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages

# Allow all shell script execution and sourcing
allow perm=any all : ftype=text/x-shellscript

# Deny execution for anything untrusted
deny_audit perm=execute all : all
Questions?
If you have any, drop a comment, but please know that I am far from an expert on FAP-Olicy.