Managing File Trusts
Manage the trust database to keep fapolicyd synchronized with trusted files.
File trusts are stored in the trust database. Trusts can either be generated from information in the RPM database or be defined manually by adding configuration entries in the file system. The contents of the trust database and how trusts work are discussed in more detail in About the Trust Database.
Refreshing the Trust Database
Refresh the trust database if files on the system have been added or updated outside of the DNF framework.
sudo fapolicyd-cli --update
Adding Files to the Trust File Database
You can manually add files that aren't installed by using DNF to the trust file database.
You can use command line tools such as find to add several entries to the trust file database at the same time. For example:
sudo find /home/user/bin/ -type f -exec fapolicyd-cli --file add {} --trust-file trusted_user_bin \;
To remove a file from the trust file database, either edit the text file directly to remove the entry, or run:
sudo fapolicyd-cli --file delete <path_to_file>
After you make any changes to the trust file database you must refresh the trust database before fapolicyd registers those changes. See Refreshing the Trust Database.
All entries in the trust file database are stored as plain text files in /etc/fapolicyd/trust.d/ and can be edited with a text editor, if required. If you need to update file sizes or hash values, see Updating the Trust File Database.
Updating the Trust File Database
If the size or hash of any file listed in the trust file database changes, you must update that file's entry in the trust file database.
Checking for Trust Mismatches
Trust mismatches occur when the file size or SHA-256 hash value of a file on the file system no longer matches the information stored for that file in the trust database. Changing a file outside of DNF can cause a trust mismatch, for example when a file is installed or updated by using the rpm command directly, or when a user or process has changed the file.
Although you can configure fapolicyd to perform file integrity checks based on size or on the SHA-256 hash, we don't recommend applying this option globally because it increases the likelihood of a system deadlock.
To check the trust database for mismatches, run:
sudo fapolicyd-cli --check-trustdb
The output lists the files where a mismatch occurs and what the mismatch is. For example:
/etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/opt/rh/gcc-toolset-12/root/usr/bin/ld miscompares: size sha256
/usr/lib64/gconv/gconv-modules.cache miscompares: size sha256
...
Note that mismatches are expected because the size or content of some files change from the values in the RPM database after certain commands or services are run. Nonetheless, checking for mismatches can help alert you to files that might be in the trust database but which have changed after they were added to the database.
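As an added example that is not part of this documentation or of the fapolicyd project, the following shell script performs the same size and SHA-256 comparison for the entries of one trust file, such as the trusted_user_bin file created above. It assumes the fapolicyd.trust line format of path, size in bytes, and SHA-256 hex separated by spaces, and the coreutils sha256sum tool.

```shell
#!/bin/sh
# Added example, not part of the fapolicyd project: verify each entry of one
# trust file against the file on disk, reporting miscompares in the same
# form as `fapolicyd-cli --check-trustdb`. Assumes the fapolicyd.trust line
# format "<path> <size-in-bytes> <sha256-hex>" (fields separated by spaces,
# so paths containing spaces are not handled) and coreutils sha256sum.

# Print the trust-file line for an existing file: the same three fields
# that fapolicyd-cli --file add records.
trust_entry() {
    f=$1
    printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" \
        "$(sha256sum "$f" | cut -d' ' -f1)"
}

# Compare every entry in the trust file with the current file on disk.
# Prints "<path> miscompares: [size] [sha256]" (or "missing") for each
# entry that no longer matches; returns 1 if any entry mismatches, else 0.
check_trust_file() {
    trust_file=$1
    rc=0
    while read -r path size hash; do
        # Skip blank lines and comments.
        case $path in ''|'#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "$path miscompares: missing"
            rc=1
            continue
        fi
        what=''
        actual_size=$(wc -c < "$path" | tr -d ' ')
        [ "$actual_size" = "$size" ] || what="$what size"
        actual_hash=$(sha256sum "$path" | cut -d' ' -f1)
        [ "$actual_hash" = "$hash" ] || what="$what sha256"
        if [ -n "$what" ]; then
            echo "$path miscompares:$what"
            rc=1
        fi
    done < "$trust_file"   # redirect, not a pipe, so rc survives the loop
    return $rc
}
```

After populating a trust file with the find command above, `check_trust_file /etc/fapolicyd/trust.d/trusted_user_bin` lists the entries whose size or hash has changed since they were added.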
Listing the Entries in the Trust Database
You can view all the information in the trust database by dumping the data that the database contains.
sudo fapolicyd-cli -D
The output displays the type of trust, the path to the file that's trusted, the size of the file in bytes and the SHA-256 hash of the file.
You can use command line tools such as grep to limit the data returned in the dump output. For example:
sudo fapolicyd-cli -D | grep '/usr/bin/dnf-3'
Resetting the Trust Database
You can reset the trust database by stopping the fapolicyd service and deleting the database. This can help debug issues in fapolicyd.
Never remove the /var/lib/fapolicyd/ directory directly, as this might prevent fapolicyd from functioning correctly and cause system lockout.