Can't trust files that violate open permission rules

[wjhunter3]

If there exist a rule against opening certain a certain file. i.e.:

 deny_audit perm=open all : ftype=%languages trust=0

then the file can't be added to the trust database with the command:

 fapolicyd-cli --file add </path/to/file>

because the file must be opened in order to create a hash value to store in the trust database.

Similarly, if the rule is allow_audit a FANOTIFY audit event is created when the file is added to the trust database for the same reasons.

Is there a way that a file can be added to the trust database, other than manually with an a priori hash value, or stopping fapolicyd during the add/update operation?

[stevegrubb]

It is possible to create the trust file on another system and then drop it in the trust.d directory. If we make any loopholes for fapolicyd-cli, it becomes a possible loophole that something else could use.

[wjhunter3]

Our application is in a closed system, so having a "mirror" system to modify the trust DB and copy to the target system is not possible/practical.

The "loophole" would be for an extremely specific scenario - only for fapolicyd-cli, or the fapolicyd daemon itself, to open files for the purpose of measurement.

[stevegrubb]

I was thinking you'd make that trust file as part of the deployment of the custom software. A second option would be to package the custom software so that it's installed by an rpm and then everything works. The last idea would be to add something as a rule like this:

allow perm=open exe=/usr/bin/fapolicyd-cli trust=1 : all

It would need to be near the top of the rules. So, put it in a file with a number in the 20's.