Closed skoperst closed 2 years ago
The background for this commit is my app, which is a root daemon and is crashing on RHEL8 servers with fapolicyd enabled. The app uses .so plugins which are downloaded dynamically, and while SELinux both allows an unconfined context and accepts pull requests for adding your app into their reference design, here I have to do:
system("fapolicyd-cli file add..") and pray to God nobody changed the API.
I don't know what you are trying to accomplish with a patch like this. You can't be serious. If you want to talk about solutions, open an issue and let's talk like adults to find a path forward.
Any process with root privileges can stop fapolicyd, run trusted python code, or shell script pipe+exec. No fapolicyd rule can be of any real value.
The fact that there are those specific workarounds only shows some projects don't give a shit about fapolicyd, while others will have to fapolicyd-cli file add their stuff, praying fapolicyd won't change their API tomorrow.