linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Improve systemd integration #182

Closed (myllynen closed 2 years ago)

myllynen commented 2 years ago

fapolicyd should not need to fork and write a PID file with systemd, see https://www.freedesktop.org/software/systemd/man/daemon.html.

Also, allowing configuration changes to be applied by reloading, not restarting, might avoid a (theoretical) situation where someone is able to execute or even update a binary when fapolicyd is not running.

Thanks.

stevegrubb commented 2 years ago

Turns out we need the pid file for a couple of reasons. So, we won't be switching over. Also, fapolicyd does support updating the trust database via SIGHUP, but it still needs to update the configuration and rules. This is tracked in the TODO file, so we do not need to keep this issue open. Thanks for the report.