Help with fapolicyd
I got a ticket from one of my users indicating that our IA team had levied a new compliance rule against them: fapolicyd needed to be activated and enforcing. After which, they could no longer use the AWS CLI. Specifically, executing the

    aws --debug

In my initial digging around, it seemed like doing something like

    fapolicyd-cli --file add /usr/local/bin/aws --trust-file aws-utils

However, in looking at the fapolicyd exceptions it created, it created not just a generic "allow this path to run" type of rule, but a rule that included an allowed file-size and checksum for the excepted path. I quickly realized that, if I ever upgraded the AWS CLI utilities, the updated binaries wouldn't work due to the change in the binaries' size and/or checksum. So, I started digging around for ways to do a more generic allow.
What I came up with was a /etc/fapolicyd/rules.d/80-aws.rules:

    allow perm=any all : dir=/usr/local/aws-cli/v2/ type=application/x-sharedlib trust 1
    allow perm=any all : dir=/usr/local/aws-cli/v2/ type=application/x-executable trust 1
From my read of the man pages, the above should have created an "allow" condition that applies to all action-types for all users, so long as the referenced object is under the /usr/local/aws-cli/v2/

    Error loading Python lib '/usr/local/aws-cli/v2/2.11.6/dist/libpython3.11.so.1.0': dlopen: /usr/local/aws-cli/v2/2.11.6/dist/libpython3.11.so.1.0: cannot open shared object file: Operation not permitted
Any ideas on what permission I've overlooked?
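As an added example (not code from the post or from the fapolicyd project), here is a small Python linter and first-match evaluator for the rule format discussed above: it checks each line against the decision, perm, subject and object keywords documented in fapolicyd.rules(5), and walks a rule list in order to report which rule fires first for a given access, which is how rule ordering across rules.d files can be reasoned about before restarting the daemon. The sample rules and paths are constructed for illustration.

```python
# Added example (not code from the post or the fapolicyd project): lint fapolicyd
# rule lines and simulate first-match evaluation. Keywords follow fapolicyd.rules(5).
DECISIONS = {"allow", "deny", "allow_audit", "deny_audit",
             "allow_syslog", "deny_syslog", "allow_log", "deny_log"}
PERMS = {"any", "open", "execute"}
SUBJECT_KEYS = {"all", "auid", "uid", "gid", "sessionid", "pid", "ppid", "trust",
                "comm", "exe", "exe_dir", "exe_type", "exe_device", "pattern"}
OBJECT_KEYS = {"all", "path", "dir", "device", "ftype", "sha256hash", "trust"}
def parse_rule(line):
    """Parse 'decision perm=X <subject> : <object>'; unknown tokens go to 'errors'."""
    rule = {"decision": "", "perm": None, "subject": {}, "object": {}, "errors": []}
    text = line.split("#", 1)[0].strip()
    if not text:
        return None                                  # blank or comment-only line
    left, sep, right = text.partition(":")
    tokens = left.split()
    rule["decision"] = tokens[0] if tokens else ""
    if not sep or not right.split():
        rule["errors"].append("missing ':' or object part")
    if rule["decision"] not in DECISIONS:
        rule["errors"].append(f"unknown decision {rule['decision']!r}")
    for side, toks, keys in (("subject", tokens[1:], SUBJECT_KEYS),
                             ("object", right.split(), OBJECT_KEYS)):
        for tok in toks:
            key, _, val = tok.partition("=")
            if side == "subject" and key == "perm":
                rule["perm"] = val
                if val not in PERMS:
                    rule["errors"].append(f"unknown perm {val!r}")
            elif key == "all" and not val:
                rule[side]["all"] = "1"
            elif key in keys and val:
                rule[side][key] = val
            else:                                    # e.g. 'type=...' or a bare 'trust'
                rule["errors"].append(f"unknown {side} token {tok!r}")
    if rule["perm"] is None:
        rule["errors"].append("missing perm=")
    return rule

def evaluate(rules, perm, obj):
    """First matching decision for (perm, obj) with subject 'all'; erroneous rules skipped."""
    for r in rules:
        if r is None or r["errors"] or r["perm"] not in ("any", perm):
            continue
        o = r["object"]
        if "all" in o or all(obj["path"].startswith(v) if k == "dir" else obj.get(k) == v
                             for k, v in o.items()):
            return r["decision"]
    return None
```

`obj` is a dict with `path`, `ftype` and `trust` ("0" or "1"); feed the concatenated rules.d files in lexical order to see which rule wins for the library path in the error message.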