Affected versions: RHEL 10


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

An approved, locally built executable (here /usr/local/bin/internal-tool) is refused at launch with "Operation not permitted" (EPERM), which is the error fapolicyd returns through fanotify when it denies an execute request. Every automation job that calls the tool fails until it is trusted.

Environment & Reproduction

Typically seen right after fapolicyd is enabled in enforcing mode on a host that already carries binaries copied or built outside of RPM. fapolicyd trusts only files it finds in the RPM database or in its file trust database (trust = rpmdb,file in /etc/fapolicyd/fapolicyd.conf); anything placed in /usr/local/bin by hand or by a CI job is untrusted and falls through to the deny rule at the end of the shipped rule set. Reproduce with:

systemctl status fapolicyd
/usr/local/bin/internal-tool
journalctl -u fapolicyd -n 60 --no-pager

Root Cause Analysis

The binary is neither owned by an installed RPM (so the rpmdb trust source does not cover it) nor listed in the file trust database under /etc/fapolicyd/trust.d/ or /etc/fapolicyd/fapolicyd.trust. The default rules allow execution of ELF files only when trust=1 and finish with deny_audit perm=execute all : all, so the exec is refused and an audit record is written. Note that fapolicyd does not consult SELinux labels for this decision; a correct label does not make the file trusted.

Quick Triage

Confirm that the denial comes from fapolicyd rather than SELinux or a noexec mount, then record the file's identity. A trust entry pins the absolute path, size in bytes and SHA-256, so collect all three:

sudo ausearch -m fanotify -ts recent
fapolicyd-cli --list
stat -c '%s %n' /usr/local/bin/internal-tool
sha256sum /usr/local/bin/internal-tool
ls -lZ /usr/local/bin/internal-tool

Step-by-Step Diagnosis

Review the rules in evaluation order, check the trust database against the filesystem, and confirm whether any package owns the file. A binary that was rebuilt after it was trusted shows up in --check-trustdb as a size or hash mismatch, which fapolicyd treats as untrusted. If the audit log is not conclusive, stop the service and run the daemon in the foreground with --debug-deny; it prints every deny decision with the rule number, path, ftype and trust value.

grep -R . /etc/fapolicyd/rules.d
sudo fapolicyd-cli --check-trustdb
rpm -qf /usr/local/bin/internal-tool || true
sudo systemctl stop fapolicyd
sudo fapolicyd --debug-deny

Solution – Primary Fix

Add the binary to the file trust database and tell the running daemon to reload it. An entry pins the exact build (path, size and SHA-256), so the fix does not silently extend to whatever is later written to that path; prefer this over an allow rule that matches on path alone.


Trust files hold one entry per line in the form path, size, SHA-256; trust=1 is rule syntax and has no meaning in a trust file, so let fapolicyd-cli write the entry. --update signals the daemon to reload the trust database, so a service restart is not needed.

sudo fapolicyd-cli --file add /usr/local/bin/internal-tool --trust-file internal
sudo fapolicyd-cli --update
cat /etc/fapolicyd/trust.d/internal
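As an added example (not code from this page or from the fapolicyd project), the helper below works with the file trust database in the format described above: it builds the entry fapolicyd stores for a file (absolute path, size in bytes, SHA-256), reports whether a binary's entry is missing or stale, and writes or refreshes the entry in a trust file, replacing an old line for the same path instead of appending a duplicate. The trust directory defaults to /etc/fapolicyd/trust.d but is a parameter so the functions can be exercised against a scratch directory; the trust-file name "internal" is the page's own example. The daemon only picks up the change after fapolicyd-cli --update, which the script deliberately does not call.

```shell
#!/bin/sh
# Added example: manage fapolicyd file-trust entries in the documented
# "path size sha256" format. Not from the original page. The trust
# directory defaults to /etc/fapolicyd/trust.d; override it for testing.
set -eu

# Print the entry fapolicyd stores for a file: absolute path, size in
# bytes, SHA-256 hex digest. `fapolicyd-cli --file add` writes the same line.
trust_entry() {
    f=$1
    [ -f "$f" ] || { echo "trust_entry: no such file: $f" >&2; return 1; }
    size=$(stat -c %s "$f")
    hash=$(sha256sum "$f" | cut -d' ' -f1)
    printf '%s %s %s\n' "$f" "$size" "$hash"
}

# Exit status describes the state of the entry for a file in a trust file:
#   0  trusted and current
#   1  no entry for this path (or no trust file yet)
#   2  entry exists but size or hash differ: the binary was rebuilt after it
#      was trusted, so fapolicyd treats it as untrusted and denies exec again
trust_status() {
    f=$1 tf=$2
    [ -f "$tf" ] || return 1
    want=$(trust_entry "$f")
    have=$(awk -v p="$f" '$1 == p { print; exit }' "$tf")
    [ -n "$have" ] || return 1
    [ "$have" = "$want" ] || return 2
    return 0
}

# Write or refresh the entry for a file in $dir/$name. A stale entry for the
# same path is dropped rather than duplicated. The daemon re-reads trust
# files only after `fapolicyd-cli --update`; run that afterwards on a host.
add_trust() {
    f=$1 name=$2 dir=${3:-/etc/fapolicyd/trust.d}
    tf="$dir/$name"
    entry=$(trust_entry "$f")
    mkdir -p "$dir"
    [ -f "$tf" ] || : > "$tf"
    { awk -v p="$f" '$1 != p' "$tf"; printf '%s\n' "$entry"; } > "$tf.new"
    mv "$tf.new" "$tf"
}

# Host usage: ./trust.sh /usr/local/bin/internal-tool internal
# then: sudo fapolicyd-cli --update
if [ $# -ge 1 ]; then
    add_trust "$1" "${2:-internal}"
    echo "recorded: $(trust_entry "$1")"
fi
```

Run trust_status against the trust file before and after a deployment: a return of 2 is the case that re-breaks automation after a rebuild, and add_trust (or fapolicyd-cli --file update followed by --update) clears it without touching any other entry in the file.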

Solution – Alternative Approaches

Package the binary as an RPM signed with a key that is already imported into the RPM keyring and install it with dnf. Files owned by an installed package are covered by the rpmdb trust source, so no file-trust entry is needed and later package upgrades stay trusted without a manual hash refresh.

rpm -K /tmp/internal-tool.rpm
sudo dnf install -y /tmp/internal-tool.rpm
rpm -qf /usr/local/bin/internal-tool

Verification & Acceptance Criteria

The binary runs, --check-trustdb reports no mismatch for it, and no new fanotify deny records appear for its path.

/usr/local/bin/internal-tool --version
sudo fapolicyd-cli --check-trustdb
sudo ausearch -m fanotify -ts recent
journalctl -u fapolicyd -n 40 --no-pager

Rollback Plan

Remove the entry if it was added for the wrong file or too broadly. Delete just the one path from the trust file; remove the whole file only if it held nothing else. A reload is again enough, no restart required.

sudo fapolicyd-cli --file delete /usr/local/bin/internal-tool --trust-file internal
sudo fapolicyd-cli --update

Prevention & Hardening

Distribute internal tools as signed RPMs so rpmdb trust covers them, and keep any remaining file-trust entries in version-controlled files under /etc/fapolicyd/trust.d/, refreshed with fapolicyd-cli --file update whenever a trusted binary is rebuilt. Stage policy changes with permissive = 1 in /etc/fapolicyd/fapolicyd.conf and review the audit records before switching back to enforcing.

systemctl enable --now fapolicyd
fapolicyd-cli --check-config
sudo fapolicyd-cli --check-trustdb

Related Errors & Cross-Refs

Related to SELinux execute denials (reported as "Permission denied" with an AVC record, not a fanotify record), missing shared libraries (the dynamic loader prints "error while loading shared libraries" and fapolicyd is not involved), and noexec mount options (also "Permission denied", and still present with fapolicyd stopped).


References & Further Reading

RHEL fapolicyd documentation (trust databases, rule ordering, troubleshooting with --debug-deny), the fapolicyd.trust(5), fapolicyd.rules(5), fapolicyd.conf(5) and fapolicyd-cli(8) man pages, and secure software supply chain practices for signed RPM distribution.
