fapolicyd trust rpmdb does not include some installed files

The documentation seems to indicate that files installed via RPM are added to the fapolicyd trust db, provided the fapolicyd.conf file has an entry like "trust = rpmdb,file". However, I have run into several cases where some installed files are not trusted.

A simple example is to install emacs and open it (e.g. from command line "emacs --no-init"), which results in the following log entry showing that the installed file "/usr/share/emacs/site-lisp/site-start.el" is not trusted:

Jan 22 15:56:38 fapolicyd[18705]: 01/22/2025 15:56:38 [ DEBUG ]: rule=22 dec=deny_audit perm=open auid=1000 pid=39880 exe=/usr/bin/emacs-27.2 : path=/usr/share/emacs/site-lisp/site-start.el ftype=text/x-lisp trust=0

Why is this? Is there a way to list which files are trusted via the rpmdb? Is there a way to re-initialize the trust db to re-evaluate packages installed via dnf?

Note:
I am testing RHEL 9.5 for workstations with FIPS mode enabled.
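To triage denials like the one quoted above across a whole log, here is an added example (not from the post or from the fapolicyd project) that parses fapolicyd DEBUG lines and lists, per executable, the object paths that were denied with trust=0; the first sample line is the one from the post, the other two are constructed to show that allowed or trusted events are filtered out.

```python
import re
from collections import defaultdict

# Constructed sample log: line 1 is the entry from the post, lines 2 and 3 are
# made up here (an allowed, trusted execution and a second untrusted open).
SAMPLE_LOG = """\
Jan 22 15:56:38 fapolicyd[18705]: 01/22/2025 15:56:38 [ DEBUG ]: rule=22 dec=deny_audit perm=open auid=1000 pid=39880 exe=/usr/bin/emacs-27.2 : path=/usr/share/emacs/site-lisp/site-start.el ftype=text/x-lisp trust=0
Jan 22 15:56:39 fapolicyd[18705]: 01/22/2025 15:56:39 [ DEBUG ]: rule=3 dec=allow perm=execute auid=1000 pid=39881 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1
Jan 22 15:56:40 fapolicyd[18705]: 01/22/2025 15:56:40 [ DEBUG ]: rule=22 dec=deny_audit perm=open auid=1000 pid=39880 exe=/usr/bin/emacs-27.2 : path=/home/user/notes.el ftype=text/x-lisp trust=0
"""

# fapolicyd writes the decision as space-separated key=value tokens; the " : "
# in the middle only separates subject (exe, pid, ...) from object (path, ...) fields.
KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the key=value fields of one DEBUG decision line, or None for other lines."""
    fields = dict(KV.findall(line))
    return fields if "dec" in fields and "path" in fields else None


def untrusted_denials(log_text):
    """Decision events that were denied and whose object file is not in the trust db."""
    events = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["dec"].startswith("deny") and ev.get("trust") == "0":
            events.append(ev)
    return events


def by_exe(events):
    """Map each executable to the sorted list of untrusted paths it was denied on."""
    groups = defaultdict(set)
    for ev in events:
        groups[ev["exe"]].add(ev["path"])
    return {exe: sorted(paths) for exe, paths in groups.items()}


if __name__ == "__main__":
    # Paths under /usr are normally package-owned and so candidates for the rpmdb
    # trust source; paths under /home would need an explicit file trust entry.
    for exe, paths in by_exe(untrusted_denials(SAMPLE_LOG)).items():
        print(exe)
        for path in paths:
            print("    ", path)
```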
