Provided by: fapolicyd_1.3.2+20231212+git973a86d1b4-1build2_amd64 
NAME
fapolicyd.conf - fapolicyd configuration file
DESCRIPTION
The file /etc/fapolicyd/fapolicyd.conf contains configuration information for the application
whitelisting daemon configuration. This file allows the admin to tune the performance and actions of the
fapolicyd during runtime. This file contains one configuration keyword per line, an equal sign, and then
followed by appropriate configuration information. All option names and values are case insensitive. The
keywords recognized are listed and described below. Each line should be limited to 160 characters or the
line will be skipped. You may add comments to the file by starting the line with a '#' character.
permissive
This option is either a 0 to mean send policy decisions to the kernel for enforcement. Or it can
be a 1 to mean always allow the access even if policy would block it. This should only be used for
policy testing and debug. The default value is 0.
nice_val
This option gives fapolicyd a scheduler boost. The number can be from 0 to 20. The default value
is 10.
q_size This option is used to control how big of an internal queue that fapolicyd will use. If requests
come in faster than fapolicyd can answer, the queue holds the pending requests. If the
do_stat_report is enabled, when fapolicyd shutsdown it will provide some statistics which includes
maximum queue depth used. This information can be used to help tune performance. The default value
is 800. Also note, this value means that fapolicyd gets a file descriptor for that entry. There is
an rlimit cap controlled by systemd's LimitNOFILE setting for the service. You may also need to
adjust it if the q_size exceeds it's value.
uid This can be a number or an account name which fapolicyd should switch to during startup. The
default value is 0 because it is guaranteed to exist. But it is recommended to use the fapolicyd
account if that exists.
gid This can be a number or an group name which fapolicyd should switch to during startup. The default
value is 0 because it is guaranteed to exist. But it is recommended to use the fapolicyd group if
that exists.
do_stat_report
This option controls whether (1) or not (0) fapolicyd should create a usage statistics report on
shutdown. The report is written to /var/log/fapolicyd-access.log. This report gives information
about number of allowed accesses and denials. Then for both the subject and object cache, it dumps
information about size, hits, misses, and evictions. The default value is 1 which means create the
report.
detailed_report
This option controls whether (1) or not (0) fapolicyd should add subject and object information to
the usage statistics report. This would be information about the exact process or file path in the
cache from most recently used to last recently used. This can be useful for forensics if an
incident had occurred. But if the file names are sensitive then you may want to turn this off. The
default value is 1 meaning add the details.
db_max_size
This option controls how many megabytes to allow the trust database to grow to. If you have lots
of packages installed, then you want to make it bigger. The default value is 50 megabytes.
subj_cache_size
This option controls how many entries the subject cache holds. You want the size to be big enough
that you are not getting too many evictions compared to hits. But you don't want to waste memory.
Whenever there is an eviction, fapolicyd has to regenerate information about the subject and this
slows performance. There are only 64k processes allowed at any time, so this would be the upper
limit. The default value is 1549.
obj_cache_size
This option controls how many entries the object cache holds. You want the size to be big enough
that you are not getting too many evictions compared to hits. But you don't want to waste memory.
Whenever there is an eviction, fapolicyd has to regenerate information about the object and this
slows performance. The default value is 8191.
watch_fs
This is a comma separated list of file systems that should be watched for access permission. No
attempt is made to validate the file systems names. They should exactly match the name presented
in the first column of /proc/mounts. If this is not configured, it will default to watching ext4,
xfs, and tmpfs.
trust This is a comma separated list of trust back-ends. If this is not configured, 'rpmdb,file' is
default. Fapolicyd supports file back-end that reads content of /etc/fapolicyd/fapolicyd.trust and
use it as a list of trusted files. The second option is rpmdb backend that generates list of
trusted files from rpmdb.
integrity
This option tells fapolicyd which integrity strategy it should use. It can be one of 4 values:
none This is the default and does no integrity checking.
size Selecting this option will compare the size of the file with what it was knows to be.
This is better than nothing and very fast since fapolicyd already collects size
information during normal processing. However, an attacker could replace the file and
as long as the size matches, it will not be detected.
ima Selecting this option will use a SHA256 hash that the IMA subsystem places in a file's
extended attributes in addition to the size check. This means that all file systems
holding executable code must support extended attributes.
sha256 Selecting this option will calculate a SHA256 hash by cryptographic means. A size
check will also be performed.
syslog_format
This option controls how the output from the access decision is formatted. The format is a comma
separated list of subject and object names from the rules. It does not allow the keyword "all". It
also allows for rule, dec, and perm. The format must include a semi-colon to delineate subject
from object keywords. The typical use is to place information about the access decision, then
subject information, a colon, and the object information. Also note that the more things being
logged, the more it will impact system performance. Also, the event written is limited to 512
bytes.
Example:
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
rpm_sha256_only
The option set to 1 forces the daemon to work only with SHA256 hashes. This is useful on the
systems where the integrity is set to SHA256 or IMA and some rpms were originally built with e.g.
SHA1. The daemon will ignore these SHA1 entries therefore they can be added manually via CLI with
correct SHA256 to a trust file later. If set to 0 the daemon stores SHA1 in trustdb as well. This
is compatible with older behavior which works with the integrity set to NONE and SIZE. The NONE or
SIZE integrity setting considers the files installed via rpm as trusted and it does not care about
their hashes at all. On the other hand the integrity set to SHA256 or IMA will never consider a
file with SHA1 in trustdb as trusted. The default value is 0.
allow_filesystem_mark
When this option is set to 1, it allows fapolicyd to monitor file access events on the underlying
file system when they are bind mounted or are overlayed (e.g. the overlayfs). Normally they block
fapolicyd from seeing events on the underlying file systems. This may or may not be desirable. For
example, you might start seeing containers accessing things outside of the container but there is
no source of trust for the container. In that case you probably do not want to see access from the
container. Or maybe you do not use containers but want to control anything run by systemd-run when
dynamic users are allowed. In that case you probably want to turn it on. Not all kernel's support
this option. Therefore the default value is 0.
SEE ALSO
fapolicyd(8), fapolicyd-cli(8) and fapolicy.rules(5).
AUTHOR
Steve Grubb
Red Hat September 2022 FAPOLICYD.CONF:(5)