skosachiov closed 1 week ago
Example
```
#!/usr/bin/python
print("hello")
```
Rules
```
13. allow_syslog perm=any all : ftype=text/x-python path=/opt/*/scr/*
14. deny_syslog perm=any all : ftype=text/x-python path=/opt/*/fs/*
```
Run
```
user@pc:~$ /opt/user1/fs/hello.py
bash: /opt/user1/fs/hello.py: /usr/bin/python: bad interpreter: Operation not permitted
user@pc:~$ /opt/user1/scr/hello.py
hello
```
Log
```
Jun 28 15:13:53 pc fapolicyd[16883]: rule=14 dec=deny_syslog perm=execute auid=1003 pid=16892 exe=/usr/bin/bash : path=/opt/*/fs/* ftype=text/x-python trust=0
Jun 28 15:14:12 pc fapolicyd[16883]: rule=13 dec=allow_syslog perm=execute auid=1003 pid=16893 exe=/usr/bin/bash : path=/opt/*/scr/* ftype=text/x-python trust=0
```
You can use wildcards for untrusted files, e.g. `/media/*/smb/scripts/*`; however, this may result in poor performance and negative security implications.
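An added example, not part of the original post or of fapolicyd itself: a small log review script that parses decision lines in the layout shown under Log and lists every allow decision where an untrusted object (`trust=0`) matched a wildcard path rule. It assumes the `key=value` layout and the ` : ` subject/object separator seen in those two lines; the function names and the `obj_` prefix are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: the two syslog lines shown in the post above.
SAMPLE_LOG = """\
Jun 28 15:13:53 pc fapolicyd[16883]: rule=14 dec=deny_syslog perm=execute auid=1003 pid=16892 exe=/usr/bin/bash : path=/opt/*/fs/* ftype=text/x-python trust=0
Jun 28 15:14:12 pc fapolicyd[16883]: rule=13 dec=allow_syslog perm=execute auid=1003 pid=16893 exe=/usr/bin/bash : path=/opt/*/scr/* ftype=text/x-python trust=0
"""

# Assumed layout: "<syslog header> fapolicyd[pid]: <subject fields> : <object fields>"
LINE_RE = re.compile(r"fapolicyd\[\d+\]: (?P<subject>.*?) : (?P<object>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return the key=value fields of a decision line, or None for any other line."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("subject")))
    # Object-side keys get a prefix so they cannot collide with subject keys.
    fields.update({"obj_" + k: v for k, v in KV_RE.findall(m.group("object"))})
    return fields if "rule" in fields and "dec" in fields else None

def wildcard_allows_of_untrusted(log_text):
    """Allow decisions where the object is untrusted and the logged path is a wildcard."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f and f["dec"].startswith("allow")
                and f.get("obj_trust") == "0" and "*" in f.get("obj_path", "")):
            hits.append(f)
    return hits

def decisions_per_rule(log_text):
    """Count (rule number, decision) pairs to see which rules actually fire."""
    parsed = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((int(f["rule"]), f["dec"]) for f in parsed)

if __name__ == "__main__":
    for f in wildcard_allows_of_untrusted(SAMPLE_LOG):
        print(f"rule {f['rule']}: auid={f['auid']} exe={f['exe']} "
              f"ran untrusted object matching {f['obj_path']}")
    print(dict(decisions_per_rule(SAMPLE_LOG)))
```

The wildcard check relies on the path field carrying the rule's pattern, as it does in the log lines above; if the log carries resolved paths instead, match on the rule number.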