Closed by scaarup 1 year ago
By any chance, is allow_filesystem_mark set to 1?
"allow_filesystem_mark" is not set in the config and not mentioned in "man fapolicyd.conf".
Hmm. The first thing it does after printing "shutting down" is iterate over the list of watches and flush them. After that, it should not be consulted for access decisions. It also prints a warning if it cannot remove a watch. There was a bug fixed in 1.1.4 where you can get 2 instances of fapolicyd running. I don't know if that might be the case, but I don't have much else that might cause the problem since watches are released before any statistics are printed.
Okay, thank you. But even if I were to have started two daemons at the same time, it wouldn't cause a complete lockdown, right?
Having 2 active daemons can lock up the system. It uses its own pid to automatically grant access to its own requests. But these would be foreign to the other daemon. It's going to be racy and prone to ending badly if one stops while an access request is pending. I have no idea if this is the problem you run into, but it's the only thing we've recently fixed that is somehow related to what you are reporting.
I was actually able to reproduce the issue. Started an additional daemon in the foreground and system got locked up. I will report this to Red Hat, so they can get this updated. Thank you very much.
That would be bz 2103352. HTH...
Hi.
I was testing a new rule with fapolicyd, so I was running the daemon in the foreground like: /sbin/fapolicyd --log-denies. The rule seemed to work, so I used ctrl+c to stop the process. After that no one could run anything on the server - and not open a new shell or anything:
The ruleset was and is:
After a hard reboot, the same rules were loaded again and everything is working fine. This makes me suspect that it was the ctrl+c stopping of the daemon, which made it not properly clean up.... ?
Installed on a Red Hat Enterprise Linux 8.7 version 1.1.3-8.el8_7.1.
Thank you.