pilgrim:/etc/fapolicyd/rules.d# ls
90-deny-execute.rules
pilgrim:/etc/fapolicyd/rules.d# cat 90-deny-execute.rules
# Deny execution for anything untrusted
deny_audit perm=execute all : all
pilgrim:/etc/fapolicyd# cat fapolicyd.conf
#
# This file controls the configuration of the file access policy daemon.
# See the fapolicyd.conf man page for explanation.
#

permissive = 0
nice_val = 14
q_size = 640
uid = fapolicyd
gid = fapolicyd
do_stat_report = 1
detailed_report = 1
db_max_size = 50
subj_cache_size = 1549
obj_cache_size = 8191
watch_fs = ext2,ext3,ext4,tmpfs,xfs,vfat,iso9660,btrfs
trust = rpmdb,file
integrity = none
syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
rpm_sha256_only = 0
allow_filesystem_mark = 0

Looks like the shipped policy is to deny all execute and with permissive=0 this is enforced.
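
A simplified model of how fapolicyd evaluates the two files shown above, added here as an example and not taken from the post or from fapolicyd itself: the first matching rule wins, no match means allow, and `permissive = 1` turns a denial into an audit-only event. The function names and the subject/object dictionaries are assumptions, and only `all` and exact `key=value` attributes are modelled.

```python
# Constructed copies of the settings and the single rule shown in the post above.
CONF = "permissive = 0\ntrust = rpmdb,file\nintegrity = none\n"
RULES = "# Deny execution for anything untrusted\ndeny_audit perm=execute all : all\n"

def parse_conf(text):
    """Return key/value pairs from fapolicyd.conf-style text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_rules(text):
    """Return (decision, perm, subject_attrs, object_attrs) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, _, obj = line.partition(" : ")
        fields = head.split()
        decision, rest = fields[0], fields[1:]
        perm = "open"  # fapolicyd's default when perm= is omitted
        if rest and rest[0].startswith("perm="):
            perm = rest.pop(0).split("=", 1)[1]
        rules.append((decision, perm, rest, obj.split()))
    return rules

def attrs_match(attrs, facts):
    """'all' matches anything; any other attribute must equal the given fact."""
    for attr in attrs:
        key, _, value = attr.partition("=")
        if attr != "all" and facts.get(key) != value:
            return False
    return True

def decide(rules, conf, perm, subject, obj):
    """Return (decision, blocked) for one access request (hypothetical helper)."""
    enforcing = conf.get("permissive", "0") == "0"
    for decision, rule_perm, subj_attrs, obj_attrs in rules:
        if rule_perm in (perm, "any") and attrs_match(subj_attrs, subject) and attrs_match(obj_attrs, obj):
            return decision, decision.startswith("deny") and enforcing
    return "allow", False  # nothing matched: fapolicyd allows the access

if __name__ == "__main__":
    rules, conf = parse_rules(RULES), parse_conf(CONF)
    # Even an object marked trusted is blocked: no allow rule precedes the deny.
    print(decide(rules, conf, "execute", {"uid": "0"}, {"trust": "1"}))
```

With these inputs the `trust = rpmdb,file` setting has no effect on the outcome, because no rule in `rules.d` refers to `trust=1` ahead of the catch-all deny.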