
    Help with fapolicyd


    I got a ticket from one of my users indicating that our IA team had levied a new compliance rule against them: fapolicyd needed to be activated and enforcing. After which, they could no longer use the AWS CLI. Specifically, executing the aws command silently exited with a 255 exit code. Even with the addition of the command's --debug flag, still no output.

    From my initial digging around, it seemed like doing something like

    fapolicyd-cli --file add /usr/local/bin/aws --trust-file aws-utils

    would solve my problem. Executing that (and reloading/regenerating the rules database) did result in the AWS CLI starting to work.

    However, in looking at the fapolicyd exceptions it created, it created not just a generic "allow this path to run" type of rule, but a rule that included an allowed file-size and checksum for the excepted path. I quickly realized that, if I ever upgraded the AWS CLI utilities, the updated binaries wouldn't work due to the change in the binaries' size and/or checksum. So, I started digging around for ways to do a more-generic allow.

    What I came up with was a /etc/fapolicyd/rules.d/80-aws.rules file with contents like:

    allow perm=any all : dir=/usr/local/aws-cli/v2/ type=application/x-sharedlib trust 1
    allow perm=any all : dir=/usr/local/aws-cli/v2/ type=application/x-executable trust 1

    From my read of the man pages, the above should have created an "allow" condition that applies to all action-types for all users, so long as the referenced object is under the /usr/local/aws-cli/v2/ directory-tree and is either an executable or a shared library. However, I'm still getting errors like:

    Error loading Python lib '/usr/local/aws-cli/v2/2.11.6/dist/libpython3.11.so.1.0': dlopen: /usr/local/aws-cli/v2/2.11.6/dist/libpython3.11.so.1.0: cannot open shared object file: Operation not permitted

    Any ideas on what permission I've overlooked?
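A small Python model of fapolicyd's rule grammar and first-match evaluation, added here as an illustration and not taken from the post above or from fapolicyd itself. It lints a rule line against the keyword set documented in fapolicyd.rules(5) (perm=, dir=, ftype=, trust=) before the rules database is reloaded, and shows how an object rule carrying trust=1 matches a file under the directory only when that file is present in the trust database (rpmdb or a fapolicyd trust file). The rule text, paths and trust states are constructed; device=, sha256hash= and the dir= aliases are not modelled.

```python
# Added toy model of fapolicyd rule syntax and first-match evaluation (not fapolicyd's own code); keyword names per fapolicyd.rules(5).
import shlex
DECISIONS = {d + s for d in ("allow", "deny") for s in ("", "_log", "_audit", "_syslog")}
SUBJECT_KEYS = {"all", "auid", "uid", "gid", "sessionid", "pid", "trust", "comm", "exe",
                "exe_dir", "exe_type", "exe_device", "pattern"}
OBJECT_KEYS = {"all", "device", "dir", "ftype", "path", "sha256hash", "trust"}
# Constructed rules in the spirit of the post, plus a trailing catch-all deny.
AWS_RULES = """\
allow perm=any all : dir=/usr/local/aws-cli/v2/ ftype=application/x-sharedlib trust=1
allow perm=any all : dir=/usr/local/aws-cli/v2/ ftype=application/x-executable trust=1
deny_audit perm=any all : all
"""

def _fields(tokens, allowed, where, line):
    out = {}
    for tok in tokens:
        key, _, val = tok.partition("=")
        if key not in allowed:
            raise ValueError(f"unknown {where} keyword {key!r} in {line!r}")
        out[key] = val
    return out

def parse_rule(line):
    """Return (decision, perm, subject, obj); None for blank/comment lines; ValueError on bad syntax."""
    tokens = shlex.split(line.split("#", 1)[0])
    if not tokens:
        return None
    if tokens[0] not in DECISIONS or ":" not in tokens:
        raise ValueError(f"bad decision or missing ':' in {line!r}")
    colon = tokens.index(":")
    subject = _fields(tokens[1:colon], SUBJECT_KEYS | {"perm"}, "subject", line)
    obj = _fields(tokens[colon + 1:], OBJECT_KEYS, "object", line)
    return tokens[0], subject.pop("perm", "any"), subject, obj

def rule_error(line):
    """Lint one rules line before reloading the daemon: the error text, or None if well-formed."""
    try:
        parse_rule(line)
    except ValueError as e:
        return str(e)
    return None

def decide(rules_text, perm, path, ftype, trusted):
    """First matching rule wins (subject taken as 'all'); trusted = object is in the trust database."""
    for decision, rperm, _subj, obj in filter(None, map(parse_rule, rules_text.splitlines())):
        if (rperm in ("any", perm) and path.startswith(obj.get("dir", ""))  # dir= is a prefix match
                and path == obj.get("path", path) and ftype == obj.get("ftype", ftype)
                and obj.get("trust", "") in ("", "1" if trusted else "0")):
            return decision
    return None
```

On a live host the equivalent checks are fapolicyd-cli --check-config for the rule syntax and running the daemon with fapolicyd --debug-deny to see which rule produced a denial.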

