linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Support for Ubuntu and Debian distributions #280

Closed sreevatsa1997 closed 6 months ago

sreevatsa1997 commented 8 months ago

I was not able to find comprehensive steps for setting up this software on Ubuntu versions >= 18.04. Can someone help by suggesting installation steps for the above-mentioned Ubuntu versions? Or does this software not support Debian-based installation?

stevegrubb commented 8 months ago

The 1.3 release added support for debian packages. It has been improved more since that release. So, it's intended to work.

There is a deb directory with a couple helper scripts. I suppose the documentation could be improved. But I don't have a debian or ubuntu system, so I can't tell if there's anything wrong with the scripts. Let me know if something doesn't work and I'll update the documentation.

Once it's built and installed, it should work similar to the main readme file just based on the debian package database instead.

sreevatsa1997 commented 7 months ago

As part of the setup on an Ubuntu machine, I am following the steps below for configuration:

  1. Downloading the archive file available in the github repo page.
  2. Moving INSTALL (available in fapolicy archived folder) into INSTALL.tmp as mentioned in the build_deb.sh README document
  3. Executing ./autogen.sh
  4. Executing ./configure --with-audit --disable-shared

At this step of configuration, I am getting the following error: "FAN_OPEN_EXEC_PERM is not defined in linux/fanotify.h. It is required for the kernel to support it." But the support document mentions that fapolicyd supports kernel builds >= 4.20, and mine is 5.4.0-150-generic.

Unable to understand the underlying issue here.

stevegrubb commented 7 months ago

The issue is that it's looking in /usr/include/linux/fanotify.h and looking for the definition of FAN_OPEN_EXEC_PERM. This is the fanotify option that lets fapolicyd request to be involved in deciding execute permissions. If that is not found, fapolicyd cannot insert itself into the permission decision.

I am not familiar with Debian/Ubuntu but I'm sure it has something like the following on Fedora. On a Fedora system, we have a file /boot/config-6.6.9-100.fc38.x86_64 which has all of the configuration options that kernel-6.6.9-100 was built with. One of them is CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y. I wonder if this is "n" on your kernel? If that is the case, I suppose we should update documentation to say that the kernel must have this enabled.

sreevatsa1997 commented 7 months ago

Thanks for the update. I have checked my kernel config and I observed that the following parameters are enabled by default without any manual configuration: CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y and CONFIG_FANOTIFY=y. Not sure why the following error {"FAN_OPEN_EXEC_PERM" is not defined in linux/fanotify.h} occurs when the above parameters are enabled.

It would be much appreciated if you could update the available README documentation in a comprehensive manner, as was done for the Fedora and RHEL distributions.

stevegrubb commented 7 months ago

Have you looked in /usr/include/linux/fanotify.h to see if FAN_OPEN_EXEC_PERM is defined? I suppose there is a chance the headers don't match the kernel.

While the github release is out there for people to use, I make the official releases available here: https://people.redhat.com/sgrubb/fapolicyd/index.html. It is ready to just run configure without any other setup steps. This is the exact file used for RHEL/Fedora.

As for documentation, I can make simple edits based on feedback. I do not have an Ubuntu/Debian system to experiment with. The code and documentation were contributed by others.
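
The header-versus-kernel check suggested in the comment above, written out as an added example (it is not part of the original thread or of fapolicyd's own scripts). The function names are hypothetical, the sample files are constructed, and the kernel config is assumed to live at /boot/config-<release> on the host.

```shell
#!/bin/sh
# Added example: compare the userspace fanotify header with the kernel config.

# Succeeds if HEADER ($1) contains a #define for FAN_OPEN_EXEC_PERM.
header_defines_exec_perm() {
    [ -r "$1" ] && grep -Eq \
        '^[[:space:]]*#[[:space:]]*define[[:space:]]+FAN_OPEN_EXEC_PERM([[:space:]]|$)' "$1"
}

# Succeeds if kernel config file ($1) has OPTION ($2) set to y.
kernel_config_enabled() {
    [ -r "$1" ] && grep -q "^$2=y\$" "$1"
}

# diagnose HEADER CONFIG prints one verdict:
#   ok               header has the define and the kernel has permission events
#   header-mismatch  kernel option is =y but the header lacks the define
#                    (the "headers don't match the kernel" case from the thread)
#   kernel-disabled  header has the define, kernel option is not =y
#   both-missing     neither was found (or the files are unreadable)
diagnose() {
    h=0; k=0
    if header_defines_exec_perm "$1"; then h=1; fi
    if kernel_config_enabled "$2" CONFIG_FANOTIFY_ACCESS_PERMISSIONS; then k=1; fi
    case "$h$k" in
        11) echo ok ;;
        01) echo header-mismatch ;;
        10) echo kernel-disabled ;;
        *)  echo both-missing ;;
    esac
}

# Constructed sample reproducing the reported symptom: the kernel config enables
# permission events, but the header only carries the older permission masks.
tmp=$(mktemp -d)
printf '%s\n' '#define FAN_OPEN_PERM 0x00010000' \
              '#define FAN_ACCESS_PERM 0x00020000' > "$tmp/fanotify.h"
printf '%s\n' 'CONFIG_FANOTIFY=y' \
              'CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' > "$tmp/config"
echo "constructed sample: $(diagnose "$tmp/fanotify.h" "$tmp/config")"
rm -rf "$tmp"

# This host (assumed config location: /boot/config-<release>).
echo "this host: $(diagnose /usr/include/linux/fanotify.h "/boot/config-$(uname -r)")"
```

On Debian and Ubuntu, `dpkg -S /usr/include/linux/fanotify.h` shows which package supplied the header, which helps when the verdict is header-mismatch.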

stevegrubb commented 7 months ago

Is there anything else I can help with? This bug report needs to be closed if there isn't any further discussion.

stevegrubb commented 6 months ago

Please feel free to re-open if there is new information.