
RHEL's fapolicyd docs show how to whitelist a specific application, but is there a way to whitelist an entire directory structure of files consisting of php, js, css and pdf types?

Using fapolicyd in debug mode:

# fapolicyd --debug-deny 2> fapolicy.output &

My denial output looks like:

rule=11 dec=deny_audit perm=open auid=1000 pid=3005001 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/fax.php ftype=text/x-php trust=0

This occurs when one of our developers attempts to upload an existing file to the www directory.

If I set fapolicyd to permissive, the file is uploaded no problems.


1 Answer


Not sure if this is considered best practice, but I fixed this by:

Add new rule:

# fapolicyd-cli --file add /data/www/nbsprod/public_html/ --trust-file nbsprod_pub_html

Update rules with fapolicyd-cli

# fapolicyd-cli --update

Verify that fapolicyd is set to run in enforcing mode (not permissive)

# vi /etc/fapolicyd/fapolicyd.conf

...
permissive = 0
...

Restart fapolicyd

# fapolicyd-cli --update

The end user is now able to upload scripts to the www directory specified above with fapolicyd running in deny mode.

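Before trusting a whole tree the way the answer does, it is worth checking that the denials in the `--debug-deny` output really are the web uploads the question describes and not something else sharing the same rule. The script below is an added example (not code from the question, the answer, or the fapolicyd project): it parses the `key=value` lines fapolicyd prints, keeps only `deny*` decisions, splits them into opens under the web root with one of the listed extensions (php, js, css, pdf) versus everything else, tallies which executables triggered them, and prints the `fapolicyd-cli --file add ... --trust-file ...` command from the answer. The sample lines are constructed (the first is the one from the question); the web root, extensions and trust-file name are taken from the page. It assumes, as in the answer, that `fapolicyd-cli --file add` on a directory argument covers the files beneath it.

```python
"""Triage fapolicyd --debug-deny output before adding a directory to the trust database.

Added example for the question above; not part of fapolicyd. Sample lines are constructed.
"""
import re
from collections import Counter
from pathlib import PurePosixPath

# Constructed sample output in the layout fapolicyd --debug-deny writes.
# Line 1 is the denial quoted in the question; the others are made up for this example.
SAMPLE_OUTPUT = """\
rule=11 dec=deny_audit perm=open auid=1000 pid=3005001 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/fax.php ftype=text/x-php trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=3005002 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/js/app.js ftype=text/javascript trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=3005003 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/css/site.css ftype=text/css trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=3005004 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/forms/intake.pdf ftype=application/pdf trust=0
rule=11 dec=deny_audit perm=open auid=1000 pid=3005005 exe=/usr/libexec/openssh/sftp-server : path=/data/www/nbsprod/public_html/notes.txt ftype=text/plain trust=0
rule=11 dec=deny_audit perm=execute auid=1000 pid=3005006 exe=/usr/bin/bash : path=/tmp/build.sh ftype=text/x-shellscript trust=0
rule=9 dec=allow perm=open auid=1000 pid=3005007 exe=/usr/bin/cat : path=/etc/hostname ftype=text/plain trust=1
"""

WEB_ROOT = "/data/www/nbsprod/public_html"   # directory from the question and answer
WEB_EXTS = {".php", ".js", ".css", ".pdf"}    # file types the question asks about
TRUST_FILE = "nbsprod_pub_html"               # --trust-file name used in the answer

# Every field on a debug line is key=value; the lone ':' separating subject from object never matches.
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one debug line as a dict, or None if it is not a decision line."""
    fields = dict(KV.findall(line))
    return fields if "dec" in fields and "path" in fields else None


def classify(output, root=WEB_ROOT, exts=WEB_EXTS):
    """Split denied accesses into (inside web tree with a listed extension, everything else)."""
    root_path = PurePosixPath(root)
    in_tree, elsewhere = [], []
    for line in output.splitlines():
        fields = parse_line(line)
        if fields is None or not fields["dec"].startswith("deny"):
            continue  # skip allows and non-decision output
        path = PurePosixPath(fields["path"])
        if root_path in path.parents and path.suffix.lower() in exts:
            in_tree.append(fields)
        else:
            elsewhere.append(fields)
    return in_tree, elsewhere


def subject_summary(records):
    """Count denials per executable: a trust entry for the tree should be explained by the upload path only."""
    return Counter(f["exe"] for f in records)


def trust_command(root=WEB_ROOT, trust_file=TRUST_FILE):
    """The command from the answer; assumes fapolicyd-cli expands a directory argument to the files under it."""
    return f"fapolicyd-cli --file add {root.rstrip('/')}/ --trust-file {trust_file}"


if __name__ == "__main__":
    inside, outside = classify(SAMPLE_OUTPUT)
    print(f"{len(inside)} denials under {WEB_ROOT} with listed extensions,"
          f" by executable: {dict(subject_summary(inside))}")
    print("Trust them with:", trust_command())
    print("Then run: fapolicyd-cli --update")
    for f in outside:
        print("Not covered by that trust entry:", f["exe"], "->", f["path"], f"({f['ftype']})")
```

Run against real output with `fapolicyd --debug-deny 2> fapolicy.output` as in the question and feed the file's contents to `classify`. Anything listed as not covered either needs its own decision or, if it is in the tree but has an extension outside the four listed, tells you the trust entry for the directory will also cover file types the question did not mention, since the trust database works on paths rather than on `ftype`.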