3 Managing File Trusts

File trusts are stored in the trust database. Trusts can either be generated from information in the RPM database or be defined manually by adding configuration entries on the file system. The contents of the trust database and how trusts work are discussed in more detail in About the Trust Database.

Refreshing the Trust Database

Refresh the trust database if files on the system have been added or updated outside of the DNF framework.

To refresh the fapolicyd trust database manually, run:

sudo fapolicyd-cli --update

Adding Files to the Trust File Database

You can manually add any files that weren't installed by using DNF to the trust file database.

To add a file to the trust file database, run:

sudo fapolicyd-cli --file add <path_to_file> --trust-file trust_entry

If the file isn't already in a trust database, the command adds the file to the trust file configuration by creating an entry at /etc/fapolicyd/trust.d/<trust_entry>.

For example, to add /home/user/demo.bin to /etc/fapolicyd/trust.d/demo, run:

sudo fapolicyd-cli --file add /home/user/demo.bin --trust-file demo

Tip:

You can use command line tools such as find to add many entries to the trust file database at the same time. For example:

sudo find /home/user/bin/ -type f -exec fapolicyd-cli --file add {} --trust-file trusted_user_bin \;

All entries in the trust file database are stored as plain text files in /etc/fapolicyd/trust.d/ and can be edited with a text editor, if required. If you need to update file sizes or hash values, see Updating the Trust File Database.

To remove a file from the trust file database, either edit the text file directly to remove the entry, or run:

sudo fapolicyd-cli --file delete <path_to_file>

Important:

After you make any changes to the trust file database, you must refresh the trust databases so that fapolicyd picks up the changes. See Refreshing the Trust Database.

Updating the Trust File Database

To update the recorded file sizes and hashes for all files in the trust file database, run:

sudo fapolicyd-cli -f update

If you specify the path to a file after the update option, only the values for that file are updated in the database.

After you make any changes to the trust file database, you must refresh the trust databases so that fapolicyd picks up the changes. See Refreshing the Trust Database.

Checking for Trust Mismatches

Trust mismatches occur when the file size or SHA-256 hash value of a file on the file system no longer matches the information stored for that file in the trust database. Changing a file outside of DNF can cause a trust mismatch, for example when a file is installed or updated by using the rpm command directly, or when a user or process has changed the file.

Note:

While you can configure fapolicyd for file integrity checks based on size or on the SHA-256 hash, we don't recommend applying this option globally as it increases the likelihood of system deadlock.

To check for trust mismatches on a system, run:

sudo fapolicyd-cli --check-trustdb

Output typically describes the files that mismatch and what the mismatch is. For example:

/etc/selinux/targeted/contexts/files/file_contexts miscompares: size sha256
/etc/selinux/targeted/policy/policy.33 miscompares: size sha256
/opt/rh/gcc-toolset-12/root/usr/bin/ld miscompares: size sha256
/usr/lib64/gconv/gconv-modules.cache miscompares: size sha256
...

Note that some mismatches are expected, because the size or content of certain files changes from the values in the RPM database after particular commands or services are run. Nonetheless, checking for mismatches can help alert you to files that are in the trust database but have changed after they were added to it.
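To make the mismatch check concrete, the following added example (not fapolicyd project code) re-implements the size and SHA-256 comparison over a constructed trust entry written in the fapolicyd.trust(5) line format, path, size and SHA-256 hash, the same plain text layout used under /etc/fapolicyd/trust.d/. It works entirely in a temporary directory and assumes sha256sum and wc are available; it does not modify the real trust database.

```shell
#!/bin/sh
# Added example: reproduce the comparison that fapolicyd-cli --check-trustdb
# performs, using a constructed trust file in a temporary directory.
# Assumes paths without whitespace (one "<path> <size> <sha256>" per line).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print a trust entry for a file in the same format as /etc/fapolicyd/trust.d/*.
trust_entry() {
    path=$1
    size=$(wc -c < "$path" | tr -d ' ')
    sum=$(sha256sum "$path" | cut -d' ' -f1)
    printf '%s %s %s\n' "$path" "$size" "$sum"
}

# Compare every file listed in a trust file with its recorded size and hash.
# Prints one "<path> miscompares: ..." line per mismatch, in the style of
# fapolicyd-cli --check-trustdb; returns 0 only if every entry still matches.
check_trust_file() {
    trust_file=$1
    mismatches=0
    while read -r path size sum; do
        case $path in ''|'#'*) continue ;; esac      # skip blank and comment lines
        if [ ! -f "$path" ]; then
            echo "$path missing"
            mismatches=$((mismatches + 1))
            continue
        fi
        why=''
        [ "$(wc -c < "$path" | tr -d ' ')" = "$size" ] || why="$why size"
        [ "$(sha256sum "$path" | cut -d' ' -f1)" = "$sum" ] || why="$why sha256"
        if [ -n "$why" ]; then
            echo "$path miscompares:$why"
            mismatches=$((mismatches + 1))
        fi
    done < "$trust_file"
    [ "$mismatches" -eq 0 ]
}

# Constructed demo: trust a file, then change it outside the "package manager".
printf 'demo payload v1\n' > "$WORK/demo.bin"
trust_entry "$WORK/demo.bin" > "$WORK/trust.d-demo"
check_trust_file "$WORK/trust.d-demo" && echo "all trusted files match"

printf 'demo payload v2 (modified)\n' > "$WORK/demo.bin"
check_trust_file "$WORK/trust.d-demo" \
    || echo "mismatch found: run fapolicyd-cli -f update, then fapolicyd-cli --update"
```

The second check reports the demo file as miscompares: size sha256, which is exactly the situation that --file update followed by --update resolves.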

Viewing the Content in the Trust Database

You can view all the information in the trust database by dumping the data. To dump the data in the trust database, run:

sudo fapolicyd-cli -D

Each line of output shows the type of trust, the path to the trusted file, the size of the file in bytes, and the SHA-256 hash of the file.

Tip:

You can use command line tools such as grep to limit the data returned in the dump output. For example:

sudo fapolicyd-cli -D | grep '/usr/bin/dnf-3'

Resetting the Trust Database

When debugging issues in fapolicyd, you can reset the trust database by stopping fapolicyd and then deleting the database.

To reset the trust database, run:

sudo systemctl stop fapolicyd
sudo fapolicyd-cli --delete-db

The trust database is removed entirely and is then recreated and updated when you next start the fapolicyd service.

Don't ever remove the /var/lib/fapolicyd/ directory directly as this could prevent fapolicyd from functioning correctly and can cause system lockout.