Building fapolicyd is reasonably straightforward on Fedora and RedHat-based Linux distributions. This document will guide in installing the build-time dependencies, configure and compile the code, and finally build the RPMs for distribution on compatible non-production systems.
- gcc
- autoconf
- automake
- libtool
- make
- libudev-devel
- kernel-headers
- systemd-devel
- libgcrypt-devel ( <= fapolicyd-1.1.3)
- openssl ( >= fapolicyd-1.1.4)
- rpm-devel (optional)
- file
- file-devel
- libcap-ng-devel
- libseccomp-devel
- lmdb-devel
- uthash-devel
- python3-devel
- kernel >= 4.20 (Must support FANOTIFY_OPEN_EXEC_PERM. See [1] below.)
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpmsudo dnf install -y gcc autoconf automake libtool make libudev-devel kernel-headers systemd-devel libgcrypt-devel rpm-devel file file-devel libcap-ng-devel libseccomp-devel lmdb-devel uthash-devel python3-develTo build from the repo after cloning and installing dependencies:
cd fapolicyd
./autogen.sh
./configure --with-audit --disable-shared
make
make distThis will create a tarball. You can use the new tarball with the spec file and create your own rpm. If you want to experiment without installing, just run make with no arguments. It should run fine from where it was built as long as you put the configuration files in /etc/fapolicyd (fapolicyd.rules, fapolicyd.trust, fapolicyd.conf).
Note that the shipped policy expects that auditing is enabled. This is done by passing --with-audit to ./configure.
The use of rpm as a trust source is now optional. You can run ./configure passing --without-rpm and it will not link against librpm. In this mode, it purely uses the file database in fapolicyd.trust. If rpm is used, then the file trust database can be used in addition to rpmdb.
❗ These unofficial RPMs should only be used for testing and experimentation purposes and not for production systems. ❗
To build the RPMs, first install the RPM development tools:
sudo dnf install -y rpmdevtoolsThen in the root of the repository where fapolicyd was built, use rpmbuild
to build the RPMs:
rpmbuild -ta fapolicyd-*.tar.gzBy default, the RPMs will appear in ~/rpmbuild/RPMS/$(arch).
If you chose to do it yourself, you need to do a couple prep steps:
1) sed -i "s/%python2_path%/`readlink -f /bin/python2 | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
2) sed -i "s/%python2_path%/`readlink -f /bin/python3 | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
3) interpret=`readelf -e /usr/bin/bash \
| grep Requesting \
| sed 's/.$//' \
| rev | cut -d" " -f1 \
| rev`
4) sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
This corrects the placeholders to match your current system. Then follow the rules listed above for compiling except run make install instead of make dist.
If you are not using rpm's spec file and are doing it yourself, there are a few more steps. You need to create the necessary directories in the right spot:
mkdir -p /etc/fapolicyd/{rules.d,trust.d}
mkdir -p /var/lib/fapolicyd/
mkdir --mode=0755 -p /usr/share/fapolicyd/
mkdir -p /usr/lib/tmpfiles.d/
mkdir --mode=0755 -p /run/fapolicyd/
cd init
cp fapolicyd.bash_completion /etc/bash_completion.d/
cp fapolicyd.conf /etc/fapolicyd/
cp fapolicyd-magic.mgc /usr/share/fapolicyd/
cp fapolicyd.service /usr/lib/systemd/system/
cp fapolicyd-tmpfiles.conf /usr/lib/tmpfiles.d/fapolicyd.conf
cp fapolicyd.trust /etc/fapolicyd/trust.d/
useradd -r -M -d /var/lib/fapolicyd -s /sbin/nologin -c "Application Whitelisting Daemon" fapolicyd
chown root:fapolicyd /etc/fapolicyd/
chown root:fapolicyd /etc/fapolicyd/rules.d/
chown root:fapolicyd /etc/fapolicyd/trust.d/
chown root:fapolicyd /var/lib/fapolicyd/
chown root:fapolicyd /usr/share/fapolicyd/