fapolicyd - File Access Policy Daemon


The latest source code was released on June 13, 2019



This is the project page and source code distribution location for the fapolicyd application whitelisting daemon. Application whitelisting is a system integrity technique whereby applications that are known by some reputation source are permitted to access the files they need. Applications that unknown by the reputation source are not permitted to access the things they ask for. Reputation sources could be rpm databases, signed SWID tags, or admin defined trusted files.

The initial policy is designed with a couple goals in mind:

  • No bypass of security by executing programs via ld.so.
  • Executable reputation source is rpm database. Unpackaged programs can't run.
  • ELF files/shared objects and Python files must come from system directories. This prevents LD_LIBRARY and PYTHON_LIBRARY redirection to an attacker controlled dir.
  • Other languages are not allowed and must be enabled.


Source code on Github