RHEL-628

RFE: send rule number to fanotify so it gets audited

      `fapolicyd` now provides rule numbers for troubleshooting

      With this enhancement, new kernel and Audit components allow the `fapolicyd` service to send the number of the rule that causes a denial to the `fanotify` API. As a result, you can troubleshoot problems related to `fapolicyd` more precisely.

      Description of problem:

      Currently fapolicyd is silent, which makes life hard for support members: when some issue is due to fapolicyd, it is hard to find out what is going on, because no log is seen at all, so nobody thinks of fapolicyd as the potential culprit.
      This makes us lose a lot of time investigating issues.

      Additionally, running fapolicyd in "debug-deny" mode requires hacking the fapolicyd.service unit, as shown below:

      Original (in /usr/lib/systemd/system):
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      Type=forking
      ExecStart=/usr/sbin/fapolicyd
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Hacked to see denies (in /etc/systemd/system):
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      Type=simple
      ExecStart=/usr/sbin/fapolicyd --debug-deny
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      The fapolicyd options should be read from /etc/sysconfig/fapolicyd or similar file and not require the daemon to be put in the foreground.
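As an added example (not code from the report or from the fapolicyd project), the same override done as a systemd drop-in that reads the daemon options from a sysconfig file, which is the behaviour the report asks for; the path /etc/sysconfig/fapolicyd, the variable name FAPOLICYD_OPTS and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the RHEL-628 report or the fapolicyd project.
# Installs a systemd drop-in for fapolicyd.service that switches the daemon to the
# foreground "--debug-deny" mode instead of copying the whole unit into
# /etc/systemd/system. Options come from an EnvironmentFile (assumed path
# /etc/sysconfig/fapolicyd and assumed variable name FAPOLICYD_OPTS; neither is
# defined by the report or known to ship with the package).
# Usage: write_fapolicyd_debug_dropin [systemd-unit-dir] [sysconfig-file]
#        then: systemctl daemon-reload && systemctl restart fapolicyd

write_fapolicyd_debug_dropin() {
    unit_dir="${1:-/etc/systemd/system}"
    sysconfig="${2:-/etc/sysconfig/fapolicyd}"
    dropin_dir="$unit_dir/fapolicyd.service.d"
    mkdir -p "$dropin_dir" "$(dirname "$sysconfig")" || return 1

    # Create the options file only if absent, so an existing one is not clobbered.
    if [ ! -f "$sysconfig" ]; then
        printf 'FAPOLICYD_OPTS="--debug-deny"\n' > "$sysconfig" || return 1
    fi

    # Drop-in contents: the empty "ExecStart=" clears the packaged command line
    # before the replacement is set, and Type=simple keeps the process in the
    # foreground as in the report's hacked unit. The "-" prefix on EnvironmentFile
    # makes a missing options file non-fatal. $FAPOLICYD_OPTS is left unexpanded
    # here so that systemd word-splits it at start time.
    cat > "$dropin_dir/debug-deny.conf" <<EOF
[Service]
EnvironmentFile=-$sysconfig
Type=simple
ExecStart=
ExecStart=/usr/sbin/fapolicyd \$FAPOLICYD_OPTS
EOF
}

# Returns 0 if the drop-in under the given unit dir carries the debug-deny command line.
dropin_enables_debug_deny() {
    grep -qxF 'ExecStart=/usr/sbin/fapolicyd $FAPOLICYD_OPTS' \
        "${1:-/etc/systemd/system}/fapolicyd.service.d/debug-deny.conf"
}
```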

      Version-Release number of selected component (if applicable):

      fapolicyd-0.8.10-3.el8_1.1.x86_64

      Acceptance Criteria:

      • the audit messages contain the rule number which caused the actual decision
