RHEL-628

RFE: send rule number to fanotify so it gets audited

    • fapolicyd-1.3.2-1.el8
    • Major
    • sst_security_special_projects
    • 24
    • QE ack, Dev ack
    • Enhancement
    • `fapolicyd` now provides rule numbers for troubleshooting

      With this enhancement, new kernel and Audit components allow the `fapolicyd` service to send the number of the rule that causes a denial to the `fanotify` API. As a result, you can troubleshoot problems related to `fapolicyd` more precisely.
    • Done

      Description of problem:

      Currently fapolicyd is silent, which gives support members a hard time: when some issue is due to fapolicyd, it's hard to find out what is going on, because no log is seen at all, so nobody thinks of fapolicyd as the potential culprit.
      This makes us lose a lot of time investigating issues.

      Additionally, running fapolicyd in "debug-deny" mode requires hacking the fapolicyd.service unit, as shown below:

      Original (in /usr/lib/systemd/system):
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      Type=forking
      ExecStart=/usr/sbin/fapolicyd
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Hacked to see denies (in /etc/systemd/system):
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      Type=simple
      ExecStart=/usr/sbin/fapolicyd --debug-deny
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      The fapolicyd options should be read from /etc/sysconfig/fapolicyd or similar file and not require the daemon to be put in the foreground.

      Version-Release number of selected component (if applicable):

      fapolicyd-0.8.10-3.el8_1.1.x86_64

      Acceptance Criteria:

      • the audit messages contain the rule number which caused the actual decision
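As an added example, not from this issue or the fapolicyd project: a small parser that pulls the rule number out of FANOTIFY audit records once the enhancement is in place, so a denial can be tied back to the rule that produced it. It assumes the record layout of the upstream kernel's AUDIT_FANOTIFY event (resp=2 for a denial, fan_type=1 when a rule number is carried, fan_info holding that number in hexadecimal); those field names and the sample lines are assumptions and constructed data, not taken from this page.

```python
import re
from typing import Optional

# Constructed sample audit lines (not from the page). Field layout is assumed from the
# upstream kernel AUDIT_FANOTIFY record: fan_type=1 marks an entry that carries a
# fapolicyd rule number, and fan_info holds that rule number in hexadecimal.
SAMPLE_AUDIT_LOG = """\
type=FANOTIFY msg=audit(1659730979.839:284): resp=2 fan_type=1 fan_info=11 subj_trust=3 obj_trust=0
type=FANOTIFY msg=audit(1659730980.102:285): resp=1 fan_type=0 fan_info=0 subj_trust=2 obj_trust=2
type=SYSCALL msg=audit(1659730980.102:285): arch=c000003e syscall=59 success=no exit=-1
type=FANOTIFY msg=audit(1659730981.417:286): resp=2 fan_type=1 fan_info=2A subj_trust=3 obj_trust=0
"""

FANOTIFY_RE = re.compile(
    r"^type=FANOTIFY .*?\bresp=(\d+)\b.*?\bfan_type=(\d+)\b.*?\bfan_info=([0-9A-Fa-f]+)"
)
RESP_DENY = 2          # fanotify FAN_DENY response value
FAN_TYPE_AUDIT_RULE = 1  # assumed: fan_type value meaning "fan_info is a rule number"


def rule_number_of(line: str) -> Optional[int]:
    """Return the rule number recorded in a FANOTIFY denial, or None.

    None is returned for non-FANOTIFY records, for allows, and for records
    that carry no rule information (fan_type=0), so callers can skip them.
    """
    m = FANOTIFY_RE.match(line)
    if m is None:
        return None
    resp, fan_type, fan_info = int(m.group(1)), int(m.group(2)), m.group(3)
    if resp != RESP_DENY or fan_type != FAN_TYPE_AUDIT_RULE:
        return None
    return int(fan_info, 16)  # fan_info is printed in hex by the kernel (assumed)


def denied_rules(log_text: str) -> dict:
    """Count denials per rule number across a block of audit log text."""
    counts: dict = {}
    for line in log_text.splitlines():
        rule = rule_number_of(line)
        if rule is not None:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, n in sorted(denied_rules(SAMPLE_AUDIT_LOG).items()):
        print(f"rule {rule}: {n} denial(s)")
```

On a live system the same function can be fed the output of `ausearch -m FANOTIFY` line by line.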
