Debugging Interactively in Permissive Mode

By default, fapolicyd runs in enforcing mode. To help with debugging, you can run it in permissive mode instead. In permissive mode, events that fapolicyd would have blocked in enforcing mode are allowed to run, but they are audited. Running fapolicyd interactively in permissive mode with debugging enabled shows more information about these events. Note that while the daemon runs in permissive mode the policy blocks nothing, so use it on a test system or for a bounded period only.

  1. Stop the fapolicyd service.

    Use systemctl to stop the service:

    sudo systemctl stop fapolicyd
  2. Run fapolicyd in permissive mode with debugging enabled.

    Run the following fapolicyd command with the --permissive and --debug options:

    sudo fapolicyd --permissive --debug

    The output of the command is similar to the following:

    date time [ INFO ]: Can handle 524288 file descriptors
    date time [ INFO ]: Ruleset identity: 0a028cfb95e93569d565d732890384b69952d7841d10af060e3...
    date time [ DEBUG ]: Loading rule file:
    date time [ DEBUG ]: ## This file is automatically generated from /etc/fapolicyd/rules.d
    date time [ DEBUG ]: %languages=application/x-bytecode.ocaml,application/x-bytecode.python...
    date time [ DEBUG ]: allow perm=any uid=0 : dir=/var/tmp/
    date time [ DEBUG ]: allow perm=any uid=0 trust=1 : all
    date time [ DEBUG ]: allow perm=open exe=/usr/bin/rpm : all
    date time [ DEBUG ]: allow perm=open exe=/usr/bin/python3.12 comm=dnf : all
    date time [ DEBUG ]: deny_audit perm=any pattern=ld_so : all
    date time [ DEBUG ]: deny_audit perm=any all : ftype=application/x-bad-elf
    date time [ DEBUG ]: allow perm=open all : ftype=application/x-sharedlib trust=1
    date time [ DEBUG ]: deny_audit perm=open all : ftype=application/x-sharedlib
    date time [ DEBUG ]: allow perm=execute all : trust=1
    date time [ DEBUG ]: allow perm=open all : ftype=%languages trust=1
    date time [ DEBUG ]: deny_audit perm=any all : ftype=%languages
    date time [ DEBUG ]: allow perm=any all : ftype=text/x-shellscript
    date time [ DEBUG ]: deny_audit perm=execute all : all
    date time [ DEBUG ]: allow perm=open all : all
    date time [ DEBUG ]: Loaded 14 rules
    date time [ DEBUG ]: Changed to uid 985
    date time [ INFO ]: Initializing the trust database
    date time [ INFO ]: fapolicyd integrity is 0
    date time [ DEBUG ]: backend rpmdb registered
    date time [ DEBUG ]: backend file registered
    date time [ INFO ]: Loading rpmdb backend
    date time [ DEBUG ]: Loading file backend
    date time [ INFO ]: Checking if the trust database up to date
    date time [ INFO ]: Importing trust data from rpmdb backend
    date time [ INFO ]: Importing trust data from file backend
    date time [ INFO ]: Entries in trust DB: 37080
    date time [ INFO ]: Loaded trust info from all backends(without duplicates): 37080
    date time [ INFO ]: Trust database checks OK
    date time [ DEBUG ]: added / mount point
    date time [ DEBUG ]: added /dev/shm mount point

    The lines above are startup messages (rule loading, trust database checks, and mount points); they aren't events. When an event occurs that would have been denied in enforcing mode, the event is still permitted, but it's tagged in the command output with dec=deny_audit. The decision comes from whichever deny_audit rule in the loaded ruleset matched the event, for example rule 13, deny_audit perm=execute all : all, for an attempt to execute a file that isn't in the trust database.

    Tip:

    Debug output is verbose. Use the --debug-deny option instead of the standard --debug option to output only denial events. You don't need to run in debug mode to audit denial events, though; see Auditing Denial Events in Permissive Mode for more information. If you need more information about denial events, you can change the rules to log to the system log; see Changing Default Policy Logging for more information.

  3. Exit permissive mode.

    When you're finished monitoring the fapolicyd output, stop the running daemon by pressing Ctrl-C, which sends a SIGINT to interrupt the process. The service is still stopped at this point and no policy is being enforced, so start the fapolicyd service again with systemctl to return the system to enforcing mode.
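The following script is an added example that is not part of the original page or of the fapolicyd project. It automates the three steps above: it stops the service, runs fapolicyd in the foreground with --permissive and --debug-deny for a bounded time (timeout sends SIGINT, as Ctrl-C does), restarts the service so enforcing mode is restored, and then summarises the captured dec=deny_audit events by permission, executable and path. The duration, the output file name, and the exact field layout of a denial event line are assumptions for illustration; the sample lines are constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example, not code from the fapolicyd project or the original page.
# Collect fapolicyd denial events in permissive mode for a bounded time and
# summarise them. Requires root for collect_denials; count_denials does not.

set -u

# Summarise fapolicyd denial events read from stdin.
# Only lines tagged dec=deny_audit are events that enforcing mode would have
# blocked; startup messages (rule loading, trust DB checks) carry no such tag
# and are dropped. The field layout "perm=... exe=... : path=..." is assumed
# to match what --debug-deny prints; adjust the sed expression if it differs.
count_denials() {
    grep -a 'dec=deny_audit' \
      | sed -E 's/.*perm=([^ ]+).*exe=([^ ]+) : path=([^ ]+).*/\1 \2 \3/' \
      | sort | uniq -c | sort -rn
}

# Run the daemon in the foreground in permissive mode, printing only denial
# events, for DURATION seconds (default 60), saving output to OUTFILE.
# timeout delivers SIGINT when time is up, exactly like pressing Ctrl-C.
# The service is restarted afterwards so that enforcing mode is back in effect.
collect_denials() {
    local duration="${1:-60}" outfile="${2:-/tmp/fapolicyd-denials.log}"
    systemctl stop fapolicyd || return 1
    timeout -s INT "$duration" fapolicyd --permissive --debug-deny > "$outfile" 2>&1
    systemctl start fapolicyd || return 1
    count_denials < "$outfile"
}

# Constructed sample of denial events, consistent with the ruleset shown
# above: rule 13 (deny_audit perm=execute all : all) catches an untrusted
# binary; rule 11 (deny_audit perm=any all : ftype=%languages) catches an
# untrusted Python script being opened by the interpreter.
SAMPLE_DENIALS='rule=13 dec=deny_audit perm=execute auid=1000 pid=4242 exe=/usr/bin/bash : path=/home/alice/mytool ftype=application/x-executable trust=0
rule=13 dec=deny_audit perm=execute auid=1000 pid=4251 exe=/usr/bin/bash : path=/home/alice/mytool ftype=application/x-executable trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=4260 exe=/usr/bin/python3.12 : path=/home/alice/tool.py ftype=text/x-python trust=0'

# Usage:
#   sudo ./fapolicyd-denials.sh            # collect for 60 s on this host
#   ./fapolicyd-denials.sh --demo          # summarise the constructed sample
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DENIALS" | count_denials
elif [ "${1:-}" = "--collect" ]; then
    collect_denials "${2:-60}" "${3:-/tmp/fapolicyd-denials.log}"
fi
```

The summary groups repeated denials of the same file, which is what you want when deciding whether to add the file (or its signing package) to the trust database or to adjust a rule, rather than reading every event line.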