Bug 1927843 - Removing entry in /etc/fapolicyd/fapolicyd.trust has no effect
Summary: Removing entry in /etc/fapolicyd/fapolicyd.trust has no effect
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fapolicyd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Radovan Sroka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-11 16:31 UTC by Ravindra Patil
Modified: 2021-11-04 10:06 UTC

Last Closed: 2021-11-04 10:06:06 UTC
Type: Bug
Description Ravindra Patil 2021-02-11 16:31:00 UTC
Description of problem:

When a file is deleted from the fapolicyd.trust file, the operation is still permitted.

Version-Release number of selected component (if applicable):
fapolicyd-1.0-3.el8.x86_64

How reproducible:

1. Add the rule 

2. Check operation if it works

3. Delete the rule

4. Check operation if it works, this should fail, but this works. 

Steps to Reproduce:

1. When the binary was copied to /tmp, it failed without a rule.

$ /tmp/pwd
-bash: /tmp/pwd: Operation not permitted

2. Then added a rule to allow this file

# fapolicyd-cli --file add /tmp/pwd

Then it was allowed to be executed

# su - ravindra
$ /tmp/pwd
/home/ravindra

3. However, even after removing the rule, the command execution was allowed. 

# fapolicyd-cli --file delete /tmp/pwd

The rule was removed from the trust file. 

# cat /etc/fapolicyd/fapolicyd.trust 
# This file contains a list of trusted files
#
#  FULL PATH        SIZE                             SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/tmp/ls 143368 b97ce5f98f000af846d298a103daca75eddd5a2681a728d83a3dc0392e649707
/tmp/scp 105416 3a436895da8a2f20fe9688fd25ed8068cf86ef3902481f9d5fa93816022a9952

But still the execution was permitted. Restart of the service did not help. 

# su - ravindra

$ /tmp/pwd
/home/ravindra

This should have failed, as the respective rule has been removed from the file or deleted through fapolicyd-cli command. 

Actual results:

Operation is permitted even after deleting the rule. 

# fapolicyd-cli --file delete /tmp/pwd

Expected results:

Operation should not be permitted

$ /tmp/pwd
-bash: /tmp/pwd: Operation not permitted

Additional info:

Red Hat documentation link 

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening#introduction-to-fapolicyd_assembly_blocking-and-allowing-applications-using-fapolicyd
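
Added example (not part of the original report and not fapolicyd's own code): a small Python check that parses the "FULL PATH SIZE SHA256" layout shown in the trust file listing above and reports whether a path is listed and whether the file on disk still matches its recorded size and hash. The function names and status strings are hypothetical, and the check reads only the trust file text, so it says nothing about the daemon's rules or any other trust source.

```python
import hashlib
from typing import Dict, NamedTuple

# Trust file listing copied from the report above (state after the delete).
SAMPLE_TRUST = """\
# This file contains a list of trusted files
#
#  FULL PATH        SIZE                             SHA256
# /home/user/my-ls 157984 61a9960bf7d255a85811f4afcac51067b8f2e4c75e21cf4f2af95319d4ed1b87
/tmp/ls 143368 b97ce5f98f000af846d298a103daca75eddd5a2681a728d83a3dc0392e649707
/tmp/scp 105416 3a436895da8a2f20fe9688fd25ed8068cf86ef3902481f9d5fa93816022a9952
"""

class TrustEntry(NamedTuple):
    size: int
    sha256: str

def parse_trust(text: str) -> Dict[str, TrustEntry]:
    """Map path -> (size, sha256); comment, blank and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.rsplit(None, 2)  # split from the right: paths may contain spaces
        if len(parts) == 3 and parts[1].isdigit() and len(parts[2]) == 64:
            entries[parts[0]] = TrustEntry(int(parts[1]), parts[2].lower())
    return entries

def check_path(path: str, entries: Dict[str, TrustEntry]) -> str:
    """Compare one path on disk with its trust file entry, if it has one."""
    entry = entries.get(path)
    if entry is None:
        return "not-listed"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return "listed-unreadable"  # entry exists but the file is missing or unreadable
    if len(data) != entry.size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != entry.sha256:
        return "hash-mismatch"
    return "match"

if __name__ == "__main__":
    trust = parse_trust(SAMPLE_TRUST)
    for p in ("/tmp/pwd", "/tmp/ls", "/tmp/scp"):
        print(p, check_path(p, trust))
```

For the listing in the report, /tmp/pwd comes back as "not-listed", which confirms the entry is gone from the file itself.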