FAPOLICYD(8)                 System Administration Utilities                 FAPOLICYD(8)
NAME
fapolicyd - File Access Policy Daemon
SYNOPSIS
fapolicyd [--debug|--debug-deny] [--permissive] [--no-details] [--mounts=PATH] [--version]
DESCRIPTION
fapolicyd is a userspace daemon that determines access rights to files based on a trust database and file or process attributes. It can be used to either blacklist or whitelist file access and execution.
Configuring fapolicyd is done with the files in the /etc/fapolicyd/ directory. There are three files: compiled.rules, fapolicyd.conf, and fapolicyd.trust. The first one contains the access policy, the second determines the daemon's configuration, and the last allows admin defined trusted files.
The default rules will generate audit events whenever there is a denial. NOTE: you must have at least 1 audit rule loaded for the audit system to create the full FANOTIFY event. It doesn't matter which rule is loaded. To see if you have any denials, you can run the following command:
or instead of -i, you can add --format text to get an easier to read audit event.
OPTIONS
--debug
    Run the daemon in the foreground and write event information to stderr so policy decisions can be observed.
--debug-deny
    Run the daemon in the foreground and write only deny decisions to stderr.
--permissive
    Allow file access even when policy would deny it. This is useful when validating rules before enforcing them.
--mounts=PATH
    In debug mode only, read mount information from the regular file at PATH instead of /proc/mounts. The file must use the same format as /proc/mounts. This is useful when reproducing mount-related issues with a captured or filtered mount list.
--no-details
    Suppress process and file names in the shutdown usage report while keeping the aggregate statistics.
--version
    Display version information and exit.
SIGNALS
SIGTERM
    causes fapolicyd to discontinue processing events, write its performance report, and exit.
SIGHUP
    causes fapolicyd to reload the trust database.
SIGUSR1
    causes fapolicyd to dump the requested report to /run/fapolicyd/fapolicyd.state or /run/fapolicyd/fapolicyd.metrics. See fapolicyd.state(5) and fapolicyd.metrics(5). When reset_strategy=manual is configured, a SIGUSR1 report that carries reset intent (only possible programmatically) also resets runtime metric counters after the report is written. Plain SIGUSR1 reports do not reset counters. SIGUSR1 can also carry timing start and stop intents. Those intents are honored only for privileged senders when timing_collection=manual is active; stopped timing runs are written to /run/fapolicyd/fapolicyd.timing.
NOTES
Whatever you do, DO NOT TRY TO ATTACH WITH PTRACE. Ptrace attachment sends a SIGSTOP which cannot be blocked. Since your whole system depends on fapolicyd approving access to glibc and various critical libraries, that will not happen until SIGCONT is sent. The system can deadlock if the continue signal is not sent.
To get audit events, you must have auditing enabled and at least one systemcall rule loaded. Otherwise you will not get any events.
If the rpmdb is set as a trust source, you should minimize the number of 32 bit packages on the system. In such cases, there may be a 32 bit and a 64 bit file with the same pathname. Obviously only one can exist on the disk. So, this will always cause database miscompares and cause a delay in the daemon being operational.
The compiled.rules file is the resulting merge of component rules in /etc/fapolicyd/rules.d/. See the fagenrules man page for more information.
If you are running in the debug mode and wish to compare rule numbers reported in the output with which rule is actually triggering, you can see the rules with the corresponding number by running the following command:
fapolicyd-cli --list
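The following helper is an added example, not part of this man page or the fapolicyd project: it takes saved stderr from `fapolicyd --debug-deny --permissive` and the output of `fapolicyd-cli --list`, counts denials per rule number, and prints each rule's text next to its count so you can see which rule is actually triggering. The `rule=N dec=... : path=...` line layout and the `N. rule` list layout are assumptions about typical output; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (assumed output formats, constructed samples); not project code.

# Constructed sample of stderr from `fapolicyd --debug-deny --permissive`.
SAMPLE_DEBUG='rule=9 dec=deny_audit perm=execute auid=1000 pid=4211 exe=/usr/bin/bash : path=/home/dev/build.sh ftype=text/x-shellscript trust=0
rule=9 dec=deny_audit perm=execute auid=1000 pid=4212 exe=/usr/bin/bash : path=/home/dev/deploy.sh ftype=text/x-shellscript trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=4213 exe=/usr/bin/python3 : path=/tmp/helper.py ftype=text/x-python trust=0'

# Constructed sample of `fapolicyd-cli --list` output (rule number, dot, rule text).
SAMPLE_RULES='1. deny_audit perm=any pattern=ld_so : all
9. deny_audit perm=execute all : all
11. deny_audit perm=open all : ftype=%languages
12. allow perm=any all : all'

# denial_counts DEBUG_OUTPUT -> lines "count rule", most frequent first.
# Only lines whose decision starts with deny (deny, deny_audit, deny_syslog, ...) count.
denial_counts() {
    printf '%s\n' "$1" |
        awk '/dec=deny/ { r = $1; sub(/^rule=/, "", r); n[r]++ }
             END { for (r in n) print n[r], r }' |
        sort -rn
}

# rule_text RULE_LIST N -> text of rule N with the "N. " prefix removed (empty if absent).
rule_text() {
    printf '%s\n' "$1" |
        awk -v want="$2" '$1 == (want ".") { sub(/^[0-9]+\. /, ""); print; exit }'
}

# denial_report DEBUG_OUTPUT RULE_LIST -> tab-separated "count rule text" per rule.
denial_report() {
    denial_counts "$1" | while read -r count rule; do
        printf '%s\t%s\t%s\n' "$count" "$rule" "$(rule_text "$2" "$rule")"
    done
}

denial_report "$SAMPLE_DEBUG" "$SAMPLE_RULES"
```

On a live system, save the debug output to a file and run `denial_report "$(cat denials.log)" "$(fapolicyd-cli --list)"`; a rule with an unexpectedly high count is the one to revisit before leaving permissive mode.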
FILES
/etc/fapolicyd/fapolicyd.conf - daemon configuration
/etc/fapolicyd/compiled.rules - access control rules
/etc/fapolicyd/fapolicyd.trust - admin defined trusted files
/var/log/fapolicyd-access.log - information about what was being accessed.
/run/fapolicyd/fapolicyd.state - daemon state report. See fapolicyd.state(5).
/run/fapolicyd/fapolicyd.metrics - runtime metrics report. See fapolicyd.metrics(5).
/run/fapolicyd/fapolicyd.timing - manual decision timing report. See fapolicyd.timing(5).
SEE ALSO
fapolicyd-cli(8), fapolicyd.rules(5), fapolicyd.state(5), fapolicyd.metrics(5), fapolicyd.timing(5), fapolicyd.trust(5), fapolicyd-filter.conf(5), fagenrules(8), and fapolicyd.conf(5)
AUTHOR
Steve Grubb
Red Hat                                    March 2026                                    FAPOLICYD(8)