File Access Policy Analyzer

Tools to assist with the configuration and maintenance of fapolicyd.

Python bindings

The Python bindings to the Rust backend are written with PyO3 and built with setuptools_rust.

We use pipenv to create a sandboxed development environment. To install pipenv into your home directory:

pip3 install --user pipenv

To build and install the bindings, run the following from the top-level directory of this repository:

pipenv install --dev
pipenv shell
python3 setup.py [develop | install]

There may be some additional build-time requirements. See the development wiki page for more details.

File Access Policy Analyzer User Interface

Run the fapolicy-analyzer UI (the installed package directory is fapolicy_analyzer, so the module path uses an underscore):

python3 -m fapolicy_analyzer.ui

Requirements

  • Python 3.9
  • Rust 1.52
  • fapolicyd 1.0

fapolicyd configuration

To produce log events that the analyzer can parse, fapolicyd must log its decisions with the following syslog_format (set in /etc/fapolicyd/fapolicyd.conf):

syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust
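
The following is an added example, not code from the fapolicy-analyzer project, showing what that syslog_format actually commits the log to and how to parse it. It assumes only what the README states: each decision is one space-separated line of key=value pairs in the configured order, with the literal `:` separating the subject (the process) from the object (the file). The sample event lines are constructed, not captured from a real host; the regex is derived from the format string so the field order is not hard-coded a second time, and the non-greedy path groups handle paths containing spaces.

```python
"""Parse fapolicyd decision events logged with the README's syslog_format.

Added example, not part of the fapolicy-analyzer project. Assumes
syslog_format = rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust
produces one space-separated line of key=value pairs per decision, with the
literal ':' separating subject fields (left) from object fields (right).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

SYSLOG_FORMAT = "rule,dec,perm,uid,gid,pid,exe,:,path,ftype,trust"

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    "rule=9 dec=allow perm=execute uid=0 gid=0 pid=1207 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1",
    "rule=13 dec=deny_audit perm=execute uid=1000 gid=1000 pid=2345 exe=/usr/bin/bash : path=/home/alice/build.sh ftype=text/x-shellscript trust=0",
    "rule=13 dec=deny_audit perm=open uid=1000 gid=1000 pid=2346 exe=/usr/bin/python3 : path=/home/alice/my tools/helper.py ftype=text/x-python trust=0",
    "rule=9 dec=allow perm=open uid=1000 gid=1000 pid=2346 exe=/usr/bin/python3 : path=/usr/lib64/python3.11/os.py ftype=text/x-python trust=1",
]


@dataclass(frozen=True)
class Event:
    rule: int
    dec: str
    perm: str
    uid: int
    gid: int
    pid: int
    exe: str
    path: str
    ftype: str
    trust: int


INT_FIELDS = {"rule", "uid", "gid", "pid", "trust"}


def build_pattern(fmt: str = SYSLOG_FORMAT) -> re.Pattern:
    """Derive the line regex from the syslog_format string itself."""
    parts = []
    for name in fmt.split(","):
        if name == ":":
            parts.append(":")  # subject/object separator, logged literally
        elif name in ("exe", "path"):
            # file paths may contain spaces: non-greedy, bounded by the next key
            parts.append(f"{name}=(?P<{name}>.+?)")
        else:
            parts.append(f"{name}=(?P<{name}>\\S+)")
    return re.compile("^" + " ".join(parts) + "$")


EVENT_RE = build_pattern()


def parse_event(line: str) -> Event:
    """Parse one logged decision; raise ValueError instead of guessing on a malformed line."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        raise ValueError(f"line does not match syslog_format {SYSLOG_FORMAT!r}: {line!r}")
    fields = m.groupdict()
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return Event(**fields)


def parse_events(lines: Iterable[str]) -> List[Event]:
    return [parse_event(line) for line in lines if line.strip()]


def denials_by_subject(events: Iterable[Event]) -> Dict[str, int]:
    """Count denied decisions per subject executable (deny, deny_audit, deny_log, deny_syslog all count)."""
    return dict(Counter(e.exe for e in events if e.dec.startswith("deny")))


def untrusted_objects(events: Iterable[Event]) -> Set[str]:
    """Object paths that fapolicyd found in no trust source (trust=0): candidates to review for the trust database."""
    return {e.path for e in events if e.trust == 0}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(denials_by_subject(evs))
    print(sorted(untrusted_objects(evs)))
```

Changing the field list in fapolicyd.conf without changing the parser is the usual failure mode; building the pattern from the same string keeps the two in step, and a line that does not match is rejected rather than silently mis-assigned.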

Developers

See the Wiki for more resources.

Comments
  • UI unresponsive after deployment rollback

    To reproduce

    1. Add trust changes
    2. Deploy
    3. Select "No" when asked to keep changes

    Noteworthy

    • Usually on the first or second deployment the UI becomes unresponsive.
    • Same behavior whether the timer expires or you manually click No.
    • Did not encounter issues if the deployment is accepted.
    • The rollback of configuration is indeed written to disk (i.e. the original is restored).
    • The daemon is in active state after the app locks, so it appears to be properly started.
    • Consistently reproducible on fc34 using rule-text-write branch's RPM
    • Did not observe issue on RHEL 8 using the same branch
    bug ui 
    opened by jw3 23
  • Include User Guide under Help menu

    Adds a user guide entry under the help menu.

    • Generates the user guide from the online wiki documentation
    • Integrates the user guide build process into CI and the RPM build
    • Installs the user guide to /usr/share/help via RPM
    • Internationalization support is included for the documentation
    • Adds target to root Makefile that pulls and builds help locally
      • make help-docs
      • Useful for contributing translations

    Closes #645

    documentation feedback0 
    opened by dorschs57 14
  • RPM Build

    Summary

    Build an RPM that includes the Rust bindings and the Python dist. The standard tools for building Python RPMs or Rust RPMs didn't play well with our layout. So what we have is a two stage process of building a bdist wheel and then using that wheel to build the RPM. The source RPM includes the wheel as the source file.

    This PR includes a GitHub Actions workflow to build the RPM. When pushing a tag the RPM will be published as a release; otherwise the RPM is built and discarded. A future PR will add some automated testing immediately after the build stage.

    Wiki pages related to this PR

    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/RPM-Packaging
    • https://github.com/ctc-oss/fapolicy-analyzer/wiki/Publishing-Releases

    How the RPM is packaged

    1. build a wheel
    2. use the wheel as the rpm source
    3. install the wheel in the rpm build
    4. capture the python site-install files

    Build the builder image

    From the root of the project

    docker build -t rpmbuilder -f scripts/rpm/Dockerfile .

    Build the rpm in the builder container

    docker run --rm -it -v /tmp:/output rpmbuilder

    RPMs will end up in /tmp on the host machine.

    Test the rpm in a container

    todo #115

    Installing the RPM

    dnf install -y fapolicy-analyzer-0.0.4-1.x86_64.rpm

    closes #114

    opened by jw3 11
  • Rollback on unconfirmed deployment

    Implement rollback in the case of a non-confirmation after deployment, which results in the system rolling back to the previous state.

    This is somewhat handy when dealing only in trust, but it becomes very useful when we progress to altering rules.

    closes #13

    opened by jw3 10
  • Active checks with dbus

    Eliminate the calls to systemctl for service status checks, using dbus instead. This removes one potential pinch point where deployed rules can limit the call to systemctl. A side-effect of this is that the monitoring function now works even in the case of a fully locked-down system (i.e. only the deny+any+all+all rule).

    This also aligns both stages of deployment, deployment and rollback. Those stages used to be handled differently, where initial deployment only was a pipe write to refresh trust, while rollback deployment was a full daemon reload. Then the pipe write went away to align rule and trust writing, but there were some straggling issues that were left behind. These changes align the backends for both modes and resolve issues where fixes were present in one mode but not the other.

    Closes #565

    deployment 
    opened by jw3 9
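  The pinch point described in that pull request, as an added example that is not the project's backend code: when the deployed policy denies execution of /usr/bin/systemctl, a subprocess-based status check fails for the wrong reason, whereas asking systemd over D-Bus from the already-running process does not. `systemd_unit_state()` assumes the dbus-python package (`import dbus`) is installed and that the caller may read unit properties on the system bus; it uses `LoadUnit` rather than `GetUnit` so a missing unit can be reported as "not installed" instead of a stack trace (the failure mode the Profiler issue above describes). `wait_for_state()` and `restart_sequence()` carry no I/O of their own: the probe, clock and sleep are parameters, so the inactive-then-active sequencing that both deployment and rollback go through can be exercised with the simulated `scripted_probe` below.

```python
"""Check and wait on the fapolicyd unit over D-Bus instead of exec'ing systemctl.

Added example, not the fapolicy-analyzer backend. systemd_unit_state()
assumes dbus-python is installed; the waiting logic is I/O-free and testable.
"""
import time
from typing import Callable, Sequence

UNIT = "fapolicyd.service"
SYSTEMD_BUS = "org.freedesktop.systemd1"
SYSTEMD_PATH = "/org/freedesktop/systemd1"
MANAGER_IFACE = "org.freedesktop.systemd1.Manager"
UNIT_IFACE = "org.freedesktop.systemd1.Unit"
PROPS_IFACE = "org.freedesktop.DBus.Properties"


class UnitNotFound(RuntimeError):
    """systemd has no such unit, i.e. fapolicyd is not installed; report this, not a stack trace."""


def systemd_unit_state(unit: str = UNIT) -> str:
    """Return systemd's ActiveState for the unit ('active', 'inactive', 'failed', 'activating', ...)."""
    import dbus  # lazy import: only this function touches the bus

    bus = dbus.SystemBus()
    manager = dbus.Interface(bus.get_object(SYSTEMD_BUS, SYSTEMD_PATH), MANAGER_IFACE)
    # LoadUnit returns an object path for any name, whereas GetUnit errors on an
    # unloaded unit; LoadState then tells us whether the unit file actually exists.
    unit_obj = bus.get_object(SYSTEMD_BUS, manager.LoadUnit(unit))
    props = dbus.Interface(unit_obj, PROPS_IFACE)
    if str(props.Get(UNIT_IFACE, "LoadState")) == "not-found":
        raise UnitNotFound(f"{unit} is not known to systemd")
    return str(props.Get(UNIT_IFACE, "ActiveState"))


def wait_for_state(
    probe: Callable[[], str],
    wanted: str,
    timeout: float = 10.0,
    interval: float = 0.25,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> bool:
    """Poll probe() until it returns `wanted`; False on timeout or once the unit reports 'failed'."""
    deadline = clock() + timeout
    while True:
        state = probe()
        if state == wanted:
            return True
        if state == "failed":
            return False  # a crashed daemon will not become active; do not wait out the timeout
        if clock() >= deadline:
            return False
        sleep(interval)


def restart_sequence(probe: Callable[[], str], timeout: float = 10.0, **kw) -> bool:
    """The two waits a daemon reload goes through, for deployment and rollback alike: inactive, then active."""
    return wait_for_state(probe, "inactive", timeout, **kw) and wait_for_state(probe, "active", timeout, **kw)


def scripted_probe(states: Sequence[str]) -> Callable[[], str]:
    """Simulated unit that walks through `states` and then stays in the last one (tests and dry runs)."""
    it = iter(states)
    last = {"state": states[0]}

    def probe() -> str:
        try:
            last["state"] = next(it)
        except StopIteration:
            pass
        return last["state"]

    return probe


if __name__ == "__main__":
    try:
        print(UNIT, "is", systemd_unit_state())
    except UnitNotFound as exc:
        print(exc)
```

  Treating "failed" as terminal matters for the rollback path: a daemon that crashed on the rolled-back configuration should surface immediately, not after the full timeout with the UI blocked.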
  • Application Profiler does not report missing fapolicyd service

    In the case where the fapolicyd service is not found the only indication of failure is a stack trace.

    The close button becomes unresponsive, the dialog must be closed out with the X

    ui Profiler resilience 
    opened by jw3 8
  • Policykit issue when launching fapolicy-analyzer a second time

    From fc34 vm

    1. Run fapolicy-analyzer
    2. Close and run again
    $ fapolicy-analyzer
    Error executing command as another user: No authentication agent found.
    Terminating pkttyagent.
    
    bug 
    opened by jw3 8
  • Fix profiler path validation

    Support for validating relative executable paths by using the existing PATH from the user's environment. This also supports evaluating a custom PATH provided through the profiler GUI.

    This fixes the issue from #655 where users are forced to use absolute paths to avoid a validation error reporting that the file cannot be found.

    Closes #655

    bug Profiler 
    opened by tparchambault 7
  • Update Event Analysis Tool partial access file color

    Update the Subject and Object list views of the Policy Event Analysis tool to use the color scheme shown in significance-of-color. Specifically the Subjects need update to show pink (or lighter red) if they have only Partial (P) access, and the Objects should be pink if they can only be accessed for a limited set of modes.

    ui 
    opened by dorschs57 7
  • Help manual needs to be included under Help menu

    We need an offline copy of the user manual.

    1. Maintain the docs as the GitHub Wiki
    2. During RPM CI builds we clone the Wiki and build the User Guide section Markdown into HTML
    3. Bundle the HTML as the doc
    4. Have a placeholder HTML for non-RPM (like dev env) that just has a link to the Wiki
    enhancement rules ui feedback0 
    opened by jw3 6
  • Fa632-validate_profiler_arguments

    Added a static class function to check the validity of arguments. This function can be called in the UI layer prior to the creation of the Profiling Session object.

    opened by tparchambault 6
  • Clean up stdout from backend

    Several places with stdout

    On deployment

    waiting on daemon to be Inactive...
    daemon is now Inactive
    waiting on daemon to be Active...
    daemon is now Active
    
    backend 
    opened by jw3 0
  • Change gtk builder file extensions

    UI files should be named X.ui rather than X.glade.

    The exception would be if we were using the glade format, but we are using the modern GtkBuilder format.

    ui 
    opened by jw3 0
  • Consider that this is not a Python module

    We are an application, we are not a Python library.

    Things may be simplified if we were to RPM install under /usr/share/fapolicy-analyzer rather than under the Python site-lib.

    HT: While perusing some modern gnome apps, came across Wike, which does this.

    Python rpm 
    opened by jw3 0
  • Handle missing trust.d

    Trust.d could be missing due to

    1. Older fapolicyd version
    2. Removed

    This does not need to be a failure case; it simply results in no trust being sourced from trust.d.

    bug backend trust 
    opened by jw3 0
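  The behaviour that issue asks for, as an added example that is not the project's trust backend: a missing trust.d contributes no entries rather than raising. It assumes fapolicyd's trust file format, one entry per line as `<path> <size> <sha256-hex>` with `#` comments, with the directory normally at /etc/fapolicyd/trust.d. The `verify()` step goes a little beyond the issue: it recomputes size and SHA-256 against the live filesystem so a stale or tampered entry is reported instead of being displayed as trusted. `demo()` builds a constructed scenario in a temporary directory (one intact file, one modified in place at the same size, one deleted); nothing here touches the real trust.d unless you call `load_trust_d()` with no argument.

```python
"""Load fapolicyd file-trust entries from trust.d, treating a missing directory as 'no entries'.

Added example, not the fapolicy-analyzer trust backend. Assumes fapolicyd's
trust file format: "<path> <size> <sha256-hex>" per line, '#' comments.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, Iterator, List, Union

TRUST_D = Path("/etc/fapolicyd/trust.d")


@dataclass(frozen=True)
class TrustEntry:
    path: str
    size: int
    sha256: str
    source: str  # trust.d file the entry came from, for reporting


def parse_trust_lines(lines: Iterable[str], source: str) -> Iterator[TrustEntry]:
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # split from the right: the path may contain whitespace, the size and digest never do
        parts = line.rsplit(None, 2)
        if len(parts) != 3 or not parts[1].isdigit() or len(parts[2]) != 64:
            raise ValueError(f"{source}:{lineno}: malformed trust entry {raw.rstrip()!r}")
        yield TrustEntry(parts[0], int(parts[1]), parts[2].lower(), source)


def load_trust_d(trust_d: Union[str, Path] = TRUST_D) -> List[TrustEntry]:
    """A trust.d that does not exist (older fapolicyd, or removed by the admin) simply contributes nothing."""
    trust_d = Path(trust_d)
    if not trust_d.is_dir():
        return []
    entries: List[TrustEntry] = []
    for f in sorted(trust_d.iterdir()):
        if f.is_file():
            with f.open() as fh:
                entries.extend(parse_trust_lines(fh, str(f)))
    return entries


def verify(entries: Iterable[TrustEntry]) -> Dict[str, str]:
    """Map each trusted path to 'ok', 'missing', 'size-mismatch' or 'hash-mismatch' against the live filesystem."""
    results: Dict[str, str] = {}
    for e in entries:
        p = Path(e.path)
        if not p.is_file():
            results[e.path] = "missing"
            continue
        if p.stat().st_size != e.size:
            results[e.path] = "size-mismatch"  # cheap check first; a size change never needs hashing
            continue
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        results[e.path] = "ok" if h.hexdigest() == e.sha256 else "hash-mismatch"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario in a temporary directory: one intact file, one modified in place, one deleted."""
    original = b"#!/bin/sh\necho ok\n"

    def entry(p: Path) -> str:
        return f"{p} {len(original)} {hashlib.sha256(original).hexdigest()}"

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        trust_d = root / "trust.d"
        trust_d.mkdir()
        good, tampered, gone = root / "good.sh", root / "tampered.sh", root / "gone.sh"
        for f in (good, tampered):
            f.write_bytes(original)
        (trust_d / "10-local.trust").write_text(
            "# constructed trust.d file\n" + "\n".join(entry(p) for p in (good, tampered, gone)) + "\n"
        )
        tampered.write_bytes(b"#!/bin/sh\necho OK\n")  # same size, different content: only the hash catches it
        return {Path(k).name: v for k, v in verify(load_trust_d(trust_d)).items()}


if __name__ == "__main__":
    print(demo())
```

  Returning an empty list for a missing directory is deliberate; a malformed line inside an existing trust file is still an error, because a trust source that parses wrongly is a different and more serious condition than one that is absent.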
  • Address feedback from Fedora review

    The bz issue is #2153687

    The initial review shows several [!] findings that need to be addressed. Going to track them all together here.

    • [x] [?]: Package contains desktop file if it is a GUI application.
      • #616
    • [x] [!]: Sources are verified with gpgverify first in %prep if upstream publishes signatures.
    • [x] [!]: Package meets the Packaging Guidelines::Python -- Please, use macros instead of python3 interpreter.
    • [x] Suggested: use "tar -xzf" instead of "tar xzf"
    • [x] Suggested: use "%autosetup -p0" instead of "%autosetup -p1"
    • [x] Rpmlint: E: explicit-lib-dependency dbus-libs
    • [x] Rpmlint: W: no-manual-page-for-binary fapolicy-analyzer
      • #200
    • [ ] Rpmlint: W: invalid-url Source1: vendor-rs.tar.gz
    • [ ] Rpmlint: W: invalid-url Source0: fapolicy-analyzer.tar.gz
    • [x] Rpmlint: W: incoherent-version-in-changelog 0.6.1-1 ['0.6.2-1.fc38', '0.6.2-1']
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/util/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/css/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/glade/init.py:/usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/init.py
    • [ ] Rpmlint: W: files-duplicate /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/styles/init.py /usr/lib64/python3.11/site-packages/fapolicy_analyzer/resources/sourceview/language-specs/init.py
    • [ ] Rpmlint: W: file-not-in-%lang /usr/lib64/python3.11/site-packages/fapolicy_analyzer/locale/es/LC_MESSAGES/fapolicy_analyzer.mo
    rpm feedback1 build 
    opened by jw3 5
Releases: v0.6.3
Owner: Concurrent Technologies Corporation (CTC)