Control: tags -1 + moreinfo unreproducible
Control: severity -1 important
Hi

On Wed, 14 Jun 2023 07:22:32 +0100 "Bill Hay,,," <wish-pilgrim-w...@dumain.com> wrote:
pilgrim:/etc/fapolicyd/rules.d# ls
90-deny-execute.rules
pilgrim:/etc/fapolicyd/rules.d# cat 90-deny-execute.rules
# Deny execution for anything untrusted
deny_audit perm=execute all : all
pilgrim:/etc/fapolicyd# cat fapolicyd.conf
#
# This file controls the configuration of the file access policy daemon.
# See the fapolicyd.conf man page for explanation.
#
permissive = 0
nice_val = 14
q_size = 640
uid = fapolicyd
gid = fapolicyd
do_stat_report = 1
detailed_report = 1
db_max_size = 50
subj_cache_size = 1549
obj_cache_size = 8191
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
trust = rpmdb,file
integrity = none
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
rpm_sha256_only = 0
allow_filesystem_mark = 0

Looks like the shipped policy is to deny all execute and with permissive=0 this is enforced.
I failed to reproduce the issue after installing the package (version 1.3.2+20231212+git973a86d1b4-1) in a VM.
# grep ^trust /etc/fapolicyd/fapolicyd.conf
trust = debdb

Either this has been fixed in the meantime or you simply have an outdated fapolicyd.conf.
Would be great if you can rerun your test with a current version.

Regards
Michael