Davin Shearer
Understood, but can't there be a way in all the allow rules to give just the normal and static access patterns using a list? For example: ``` %allowed_patterns=normal,static ... allow...
Would it be possible if IMA is enabled, that fapolicyd could "degrade" to sha256 if the security.ima attribute is missing for any given file?
I'm still having a devil of a time getting something to show up in the audit log. I went and updated the rule per your suggestion and now it appears...
Another data point. If I change the rule from deny_audit, to deny_log, I get an entry in /var/log/messages, but still no entry in /var/log/audit/audit.log. ``` [root@centos8-awc fapolicyd]# fapolicyd-cli --list ->...
Thanks Steve, I'll pull down the latest and give it another whirl later today and update this thread with my results.
No dice! The latest code deadlocks my system when started via `systemctl start fapolicyd`. So after rebooting, then running it in debug mode, here's what we see, when I try...
I can confirm that the system no longer deadlocks with this change. I'm still not able to get anything in the audit log. User terminal: ``` $ /usr/local/bin/xz --version -bash:...
```
# ldd /usr/sbin/fapolicyd | grep audit
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f17b7f38000)
```
In policy.c, in the make_policy_decision function, I added `msg(LOG_INFO, "XXX 0x%X", response.response);` right after `write(fd, &response, sizeof(struct fanotify_response));`. Here is what I'm seeing: Running `fapolicyd --debug`: ``` ... rule=15 dec=allow...
I just installed RHEL 8.3 beta and fapolicyd from the official repository. I copied xz from `/usr/bin` to `/usr/local/bin` so that it will fail rule 14, setting up the test....