1. 1. 1. RFE

1. Proposed title of this feature request

Make default fapolicy rule/etc/fapolicyd/rules.d/20-dracut.rules to be more restrictive.

2. Who is the customer behind the request?

See update after this one.

3. What is the nature and description of the request?

Customer description.
> The default FapolicyD rules set allows root to execute anything in /var/tmp
> /var/tmp is read-writable by everyone and privilege escalation might be possible through SUDO misconfiguration or other vulnerabilities

They would like the dracut rule to be tightened.

Currently /etc/fapolicyd/rules.d/20-dracut.rules:
~~~
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
~~~

Requesting /etc/fapolicyd/rules.d/20-dracut.rules:
~~~
allow perm=any uid=0 : dir=/var/tmp/ ftype=application/octet-stream
allow perm=any uid=0 trust=1 : all
~~~

4. Why does the customer need this?

Improve security.

5. How would the customer like to achieve this? (List the functional requirements here)

Customer has suggested solution (see above). Customer is open to other techniques.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

RHEL8

9. Is the sales team involved in this request and do they have any additional input?

No

10. List any affected packages or components.

dracut. The rule /etc/fapolicyd/rules.d/20-dracut.rules was added to get dracut working when fapolicyd enabled.

11. Would the customer be able to assist in testing this functionality if implemented?

Yes