File Access Policy Analyzer

Tools to assist with the configuration and management of fapolicyd

Features

1. Edit rules with validation and syntax highlighting
2. Diff trust between fapolicyd trust db and disk
3. Analyze fapolicyd logs and fix trust discrepancies
4. Profile application disk access in fapolicy permissive mode

See the User Guide for details.

Installation

You can install the Policy Analyzer in one of the following ways

From Fedora Packages

This installation method is currently available for Fedora EPEL 8, EPEL 9, and Fedora 37 or later, including Rawhide.

dnf install fapolicy-analyzer

From GitHub releases

You can install the Policy Analyzer through the installers available in the latest release.
Choose an RPM from the latest Fedora stable, Rawhide, and EPEL builds.

From Fedora Copr

The Copr repository contains the latest development builds and release builds prior to publishing to the Fedora repositories.

Follow this method to install a prerelease package.

Add Copr repository

Install the ctc-oss repo with

dnf install dnf-plugins-core
dnf copr enable ctc-oss/fapolicy-analyzer

Copr Release builds

Releases packages of the Policy Analyzer are generally available from Copr a week before being available from Fedora.

The Policy Analyzer can be installed from the ctc-oss repository with the normal process

dnf install fapolicy-analyzer

Copr pre-release builds

Pre-release packages of the Policy Analyzer for all targets are created using the latest commit to master.

Use the dev tag + the commit number from the master branch, for example

dnf install fapolicy-analyzer-1.0.0~dev308

will install the prerelease 1.0.0 version at the 308th commit on the master branch.

From a containerized build environment

Follow this method only if you have cloned the GitHub repository and have Podman installed

• make fc-rpm to build a Rawhide RPM
• make el-rpm to build a RHEL 8 RPM

After a successful build the container will copy the RPMs into the host /tmp directory.

From a local development environment

Follow this method only if you have installed all required build tools

make run

This requires Pip + Pipenv + Python 3.6 or greater, and Rust 1.62.1 or greater.

Python and Rust dependencies will be installed during the build process.

fapolicyd

Compatible with v1.0+

The label tracks support for specific capability.

fapolicyd.conf

Analyzing from syslog requires the following syslog_format entry:

syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust

Getting Help

• See the Known Issues
• Start a Discussion
• Create a new Issue

License

GPL v3