Listing Policy Rules

This task shows you how to list the policy rules that fapolicyd is using.

To list the active fapolicyd policy rules, run the following command:

sudo fapolicyd-cli -l

The output of this command is similar to the following:

-> %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive...
1. allow perm=any uid=0 : dir=/var/tmp/
2. allow perm=any uid=0 trust=1 : all
3. allow perm=open exe=/usr/bin/rpm : all
4. allow perm=open exe=/usr/bin/python3.9 comm=dnf : all
5. deny_audit perm=any pattern=ld_so : all
6. deny_audit perm=any all : ftype=application/x-bad-elf
7. allow perm=open all : ftype=application/x-sharedlib trust=1
8. deny_audit perm=open all : ftype=application/x-sharedlib
9. allow perm=execute all : trust=1
10. allow perm=open all : ftype=%languages trust=1
11. deny_audit perm=any all : ftype=%languages
12. allow perm=any all : ftype=text/x-shellscript
13. deny_audit perm=execute all : all
14. allow perm=open all : all

Note that the rules are numbered. When fapolicyd runs in debug mode, the output displays the number of the rule that is enforced for an event. You can use this information to decide whether a new policy rule is needed to change the existing policy, and where in the policy hierarchy that rule must be placed, because rules are evaluated in order and the first match wins. See Debugging Interactively in Permissive Mode for information on debugging.

You can compare this list to the compiled rules to check whether you need to reload the rules into fapolicyd.

sudo cat /etc/fapolicyd/compiled.rules

See Checking and Loading Policy Rules.
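The listing format and the comparison against compiled.rules, as an added example that is not part of fapolicyd or of this documentation: it parses the numbered output of fapolicyd-cli -l into structured rules and checks whether the active policy still matches the compiled rules. The sample listing and compiled.rules content are constructed, and the comparison assumes that compiled.rules holds one unnumbered rule or set definition per line.

```python
"""Parse `fapolicyd-cli -l` output and compare it with compiled.rules.
Added example, not part of fapolicyd; SAMPLE_LISTING and SAMPLE_COMPILED are constructed."""
import re

SAMPLE_LISTING = """\
-> %languages=application/x-bytecode.ocaml,application/x-bytecode.python
1. allow perm=any uid=0 : dir=/var/tmp/
5. deny_audit perm=any pattern=ld_so : all
10. allow perm=open all : ftype=%languages trust=1
13. deny_audit perm=execute all : all
14. allow perm=open all : all
"""
# Assumption: compiled.rules holds one unnumbered rule or set definition per line.
SAMPLE_COMPILED = """\
# constructed /etc/fapolicyd/compiled.rules
%languages=application/x-bytecode.ocaml,application/x-bytecode.python
allow perm=any uid=0 : dir=/var/tmp/
deny_audit perm=any pattern=ld_so : all
allow perm=open all : ftype=%languages trust=1
deny_audit perm=execute all : all
allow perm=open all : all
"""
# "<n>. <decision> <subject> : <object>"; decision keywords as in fapolicyd.rules(5)
RULE_RE = re.compile(r"^(\d+)\.\s+((?:allow|deny)(?:_audit|_syslog|_log)?)\s+(.*?)\s*:\s*(.*)$")

def parse_attrs(text):
    """'perm=open uid=0 all' -> {'perm': 'open', 'uid': '0', 'all': True}."""
    return {k: (v if v else True) for k, _, v in (t.partition("=") for t in text.split())}

def parse_listing(text):
    """Return (sets, rules): %set macros, and one dict per numbered rule in policy order."""
    sets, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-> %"):  # set definition, e.g. "-> %languages=a,b"
            name, _, members = line[3:].partition("=")
            sets[name] = members.split(",")
        elif m := RULE_RE.match(line):
            rules.append({"number": int(m[1]), "decision": m[2],
                          "subject": parse_attrs(m[3]), "object": parse_attrs(m[4])})
    return sets, rules

def normalize(text):
    """Drop comments, blank lines, rule numbers and '->' markers; squeeze whitespace."""
    lines = (re.sub(r"^(->\s*|\d+\.\s+)", "", ln.split("#", 1)[0].strip()) for ln in text.splitlines())
    return [" ".join(ln.split()) for ln in lines if ln]

def listing_matches_compiled(listing, compiled):
    """True when the active rules equal compiled.rules, so no reload is needed."""
    return normalize(listing) == normalize(compiled)
```

On a live system, feed the output of `sudo fapolicyd-cli -l` and the contents of /etc/fapolicyd/compiled.rules to `listing_matches_compiled`; a False result means the compiled rules have changed since fapolicyd last loaded them.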