How to configure fapolicyd in Satellite 6?


Environment

  • Red Hat Satellite 6
  • Red Hat Capsule 6
  • Red Hat Enterprise Linux 8

Issue

  • How to install and enable fapolicyd on an RHEL server in Red Hat Satellite 6?
  • What are the different types of policies that can be configured in fapolicyd in Red Hat Satellite 6?
  • How to integrate fapolicyd with other security tools and services in Red Hat Satellite 6 to enhance the security posture, and what are some best practices to follow?
  • How to monitor and troubleshoot fapolicyd-related issues in Red Hat Satellite 6?
  • When fapolicyd is configured during a new installation of Red Hat Satellite 6, the installation process fails at the db:migrate step, as explained in this solution article.

Resolution

  • The use of fapolicyd is mandated by the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Linux systems. This tool enforces file access policies and is considered an important part of a security and hardening strategy.

  • However, Red Hat Satellite and Capsule 6 do not support hardening, despite the requirement to run fapolicyd under the DISA STIG guidelines. For more information, please refer to the article: Does Red Hat Satellite 6 and Red Hat Satellite Capsule 6 support hardening?

  • While fapolicyd can be a valuable security feature for controlling file access policies, it's important to note that Red Hat Satellite 6 does not natively support fapolicyd integration. If you wish to implement fapolicyd in your Satellite environment, we recommend first testing it thoroughly on a development Satellite instance to ensure compatibility and performance with your specific setup.

  • fapolicyd is a Linux kernel module that enforces file access policies. It provides an additional layer of security by monitoring and controlling access to files and directories on a system.

  • Here are the step-by-step instructions for creating the custom rules under the /etc/fapolicyd/rules.d/ directory to allow the foreman and foreman-proxy services:

  • Open a terminal or SSH into the Red Hat Satellite server as a user with root privileges.

  • Create the 25-custom.rules file under /etc/fapolicyd/rules.d/ using your preferred text editor:

    • For example, run vi /etc/fapolicyd/rules.d/25-custom.rules to create and open the file in the vi text editor, then add the following content:

      allow perm=any all : ftype=text/x-ruby dir=/usr/share/gems/gems/
      allow perm=any all : ftype=text/x-ruby dir=/usr/share/foreman-proxy/
      allow perm=any all : ftype=text/x-ruby dir=/usr/share/foreman/
      allow perm=any all : ftype=text/x-ruby dir=/etc/foreman/
      allow perm=any all : ftype=text/x-java dir=/usr/share/foreman/

    • Save and exit the file.
  • Change the ownership of the 25-custom.rules file to root:fapolicyd:

     # chown root:fapolicyd /etc/fapolicyd/rules.d/25-custom.rules
    
  • Notify fapolicyd of the policy update and restart the service by running the following commands:

     # fapolicyd-cli --update
     # systemctl restart fapolicyd

    The first command updates fapolicyd with the new policy; the second restarts the fapolicyd service so that the updated policy is applied.
  • Update SELinux contexts of the new files to match the context of the fapolicyd directory:

    # restorecon -RFv /etc/fapolicyd/rules.d/
    
  • After completing these steps, the foreman and foreman-proxy services should be allowed by fapolicyd based on the policies defined in the 25-custom.rules file.

Root Cause

  • The fapolicyd service blocks the foreman and foreman-proxy services from starting properly. This may be due to fapolicyd's default policy settings restricting access to certain files or directories that are needed by the foreman and foreman-proxy services.

  • To resolve this issue, custom fapolicyd rules can be created to allow the required access for these services.

Diagnostic Steps

  • When troubleshooting issues with fapolicyd, the following diagnostic steps could be helpful:

    • Check the fapolicyd log file, located at /var/log/fapolicyd.log, for any error messages or warnings.

    • Verify that the fapolicyd service is running properly by checking its status using the command:

       # systemctl status fapolicyd
      
    • Restart the fapolicyd service after creating and applying the custom rules.

    • Verify that the application or service that was being blocked by fapolicyd is now able to function properly.
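As an added check, not part of the Red Hat article: a POSIX shell function that compares a rules file in the style of 25-custom.rules against fapolicyd denial log lines and reports the denied accesses that no allow rule's ftype=/dir= pair would cover, which tells you which rules are still missing before you restart the service. It assumes fapolicyd's access-log line format (rule=... dec=deny_audit ... : path=... ftype=... trust=...) and that dir= matches by path prefix; the rules and log lines in the block are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): given a rules file in the
# style of 25-custom.rules and fapolicyd denial log lines, list the denied
# accesses that no allow rule's ftype=/dir= pair covers, so the admin can
# see which rules are still missing. The log format assumed is fapolicyd's
# access-log line, e.g.
#   rule=9 dec=deny_audit perm=open auid=.. pid=.. exe=.. : path=.. ftype=.. trust=0
# RULES and DENIALS below are constructed for this example.

RULES='allow perm=any all : ftype=text/x-ruby dir=/usr/share/gems/gems/
allow perm=any all : ftype=text/x-ruby dir=/usr/share/foreman-proxy/
allow perm=any all : ftype=text/x-ruby dir=/usr/share/foreman/
allow perm=any all : ftype=text/x-ruby dir=/etc/foreman/
allow perm=any all : ftype=text/x-java dir=/usr/share/foreman/'

DENIALS='rule=9 dec=deny_audit perm=open auid=4294967295 pid=2201 exe=/usr/bin/ruby : path=/usr/share/foreman/config/boot.rb ftype=text/x-ruby trust=0
rule=9 dec=deny_audit perm=open auid=4294967295 pid=2201 exe=/usr/bin/ruby : path=/usr/share/gems/gems/rack-2.2.4/lib/rack.rb ftype=text/x-ruby trust=0
rule=3 dec=allow perm=execute auid=4294967295 pid=2202 exe=/usr/bin/bash : path=/usr/bin/ruby ftype=application/x-executable trust=1
rule=9 dec=deny_audit perm=open auid=4294967295 pid=2203 exe=/usr/bin/ruby : path=/var/lib/foreman/public/assets/app.js ftype=text/plain trust=0
rule=9 dec=deny_audit perm=execute auid=4294967295 pid=2204 exe=/usr/bin/bash : path=/usr/share/foreman-proxy/bin/smart-proxy ftype=text/x-ruby trust=0'

# uncovered_denials RULES_TEXT LOG_TEXT
# Prints "path ftype" per uncovered denial; prints nothing if all are covered.
# Rules are fed first so the allow list is complete before any log line.
uncovered_denials() {
    { printf '%s\n' "$1"; printf '%s\n' "$2"; } | awk '
        $1 == "allow" {                     # collect ftype/dir pairs
            ft = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^ftype=/) ft = substr($i, 7)
                if ($i ~ /^dir=/)   d  = substr($i, 5)
            }
            if (ft != "" && d != "") { n++; rft[n] = ft; rdir[n] = d }
            next
        }
        /dec=deny/ {                        # one denied access per line
            path = ""; ft = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/)  path = substr($i, 6)
                if ($i ~ /^ftype=/) ft   = substr($i, 7)
            }
            for (k = 1; k <= n; k++)        # dir= is a path prefix match
                if (rft[k] == ft && index(path, rdir[k]) == 1) next
            print path, ft
        }'
}

uncovered_denials "$RULES" "$DENIALS"
```

With the constructed input, only the text/plain file under /var/lib/foreman/ is reported, since none of the page's rules name that directory or file type.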


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.