Configuring fapolicyd to allow BigFix Client operations

When fapolicyd (File Access Policy Daemon) is enabled on Red Hat Enterprise Linux™ and operating in enforcing mode, it blocks certain BigFix client operations. Below are the affected scenarios and the methods to whitelist the BES Client services.

Whitelisting the Besclient and QnA

The RPM inspector uses the BESClient - RPMHelper process to retrieve information from the RPM database.

To whitelist the besclient RPM-Helper, modify the 90-deny-execute.rules file or, if present, any custom deny rules file (for example 99-deny-all.rules) located in the /etc/fapolicyd/rules.d/ folder. The following lines must precede the original rules:
allow perm=open auid=-1 exe=/opt/BESClient/bin/BESClient : all
allow perm=open auid=-1 exe=/opt/BESClient/bin/qna : all

Whitelisting the Nmap scanner

Asset Discovery uses the Nmap security scanner to scan networks for the identification of network assets.

To whitelist the Nmap scanner installed with the Fixlet “Designate Nmap Scan Point - Red Hat Enterprise Linux | CentOS”, modify the 90-deny-execute.rules file or, if present, the custom deny rules file (for example 99-deny-all.rules) located in the /etc/fapolicyd/rules.d/ folder. The following line must precede the original rule:
allow perm=open auid=-1 exe=/var/opt/BESClient/BESScanner-NMAP/nmap : all

Whitelisting the Inventory scanner

BES Inventory and License site

  • Fixlet “Install or Upgrade Scanner (9.2.33)” fails when fapolicyd is enabled and enforcing a "deny all, permit by exception" policy

    The installation of the scanner included in the “BES Inventory and License” site requires access to some shared libraries.

    To whitelist the shared libraries used during the installation of the software scanner, modify the 41-shared-obj.rules file located in the /etc/fapolicyd/rules.d/ folder. The following line must precede the original rules:
    allow perm=open exe=/opt/tivoli/cit/bin/wscancfg trust=0 : all
  • Fixlet “Run Full Hardware Scan” fails when fapolicyd is enabled and enforcing a "deny all, permit by exception" policy

    The scanner included in the “BES Inventory and License” site runs several helper processes to perform the hardware scan.

    To whitelist the processes used during the run of the hardware scanner, modify the 41-shared-obj.rules file located in the /etc/fapolicyd/rules.d/ folder. The following lines must precede the original rules:
    allow perm=open exe=/opt/tivoli/cit/bin/wscanhw trust=0 : all
    allow perm=open exe=/opt/tivoli/cit/bin/cpuid trust=0 : all
    allow perm=open exe=/opt/tivoli/cit/bin/diskscan trust=0 : all
    Additionally, the following rules must be placed in the 90-deny-execute.rules file or, if present, in any custom deny rules file (for example 99-deny-all.rules), preceding the original rules:
    allow perm=execute exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/cpuid ftype=application/x-executable trust=0
    allow perm=execute exe=/opt/tivoli/cit/bin/wscanhw trust=0 : path=/opt/tivoli/cit/bin/diskscan ftype=application/x-executable trust=0

After saving the rules files, run fagenrules --load to update the active rules, then restart the fapolicyd service.
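The rule placement described in all of the sections above follows one pattern: the allow line must sit above the deny line that would otherwise match, because fapolicyd applies the first matching rule. The following shell helpers are an added example, not part of the BigFix documentation: one inserts allow rules ahead of the first deny rule in a rules.d file (skipping rules already present), the other checks that a rule really precedes the deny rules. Function names are assumptions, and the demonstration runs on a constructed copy rather than the live /etc/fapolicyd/rules.d files.

```shell
#!/bin/sh
# Added example (not BigFix's own tooling). fapolicyd evaluates rules in file
# order and the first match decides, so an allow rule is only effective when
# it appears above the deny rule for the same access. Run as root on the real
# rules.d files; function names here are hypothetical.

# prepend_allow_rules RULES_FILE RULE...
# Inserts each RULE not already in the file immediately before the first
# deny/deny_audit/deny_syslog/deny_log rule, or at the end if there is none.
prepend_allow_rules() {
    rules_file=$1; shift
    tmp=$(mktemp) || return 1
    : > "$tmp.allow"
    for rule in "$@"; do
        grep -qxF -- "$rule" "$rules_file" || printf '%s\n' "$rule" >> "$tmp.allow"
    done
    awk -v allowfile="$tmp.allow" '
        BEGIN { while ((getline line < allowfile) > 0) allow[n++] = line }
        !done && /^[ \t]*deny/ { for (i = 0; i < n; i++) print allow[i]; done = 1 }
        { print }
        END { if (!done) for (i = 0; i < n; i++) print allow[i] }
    ' "$rules_file" > "$tmp" && cat "$tmp" > "$rules_file"
    rm -f "$tmp" "$tmp.allow"
}

# rule_precedes_deny RULES_FILE RULE
# Succeeds only if RULE is present and appears above the first deny rule.
rule_precedes_deny() {
    rules_file=$1; rule=$2
    allow_line=$(grep -nxF -- "$rule" "$rules_file" | head -n 1 | cut -d: -f1)
    deny_line=$(grep -nE '^[[:space:]]*deny' "$rules_file" | head -n 1 | cut -d: -f1)
    [ -n "$allow_line" ] || return 1
    [ -z "$deny_line" ] && return 0
    [ "$allow_line" -lt "$deny_line" ]
}

# Demonstration on a constructed sample file, not the live rules.d directory.
demo_file=$(mktemp)
printf '%s\n' '# constructed sample of 90-deny-execute.rules' \
    'deny_audit perm=execute all : all' > "$demo_file"
prepend_allow_rules "$demo_file" \
    'allow perm=open auid=-1 exe=/opt/BESClient/bin/BESClient : all' \
    'allow perm=open auid=-1 exe=/opt/BESClient/bin/qna : all'
cat "$demo_file"
rm -f "$demo_file"
# On the real files, finish with: fagenrules --load && systemctl restart fapolicyd
```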