Frequently asked questions

If I boot a system using a newly generated policy, why are some rules unused?

Because the rules generated by secpolgenerate represent all the capabilities needed, if you run the system with the policy it generates, you should see no unused rules. Why isn't this always the case?

There shouldn't be many unused rules, but actions used during rule generation, such as preloading libsecpol-preload.so.1, can result in channel connections that would otherwise not occur.

Why are errors reported when nothing fails?

In some cases, secpolgenerate reports errors in /dev/secpolgenerate/errors that don't correspond to any failure on the system. These are an artifact of how procnto uses the setuid, setgid, prot_exec, and priority abilities. Some of these might be partially resolved by secpolgenerate, others might require procnto changes.

  • setuid: A process can change its effective user ID to its real user ID, saved set user ID, or any user ID granted by the setuid ability. However, if the change is made using the setuid() function, a check is made for the setuid ability even if the call will succeed without it. This behavior can lead to erroneous error reports and possibly the inclusion of a rule to allow setuid during rule generation. As of QNX Neutrino 7.0.1, this no longer occurs if setreuid() is used instead of setuid(). It's not possible to fix setuid() as the behavior is required to allow for proper POSIX behavior.
  • setgid: The setgid ability has an issue that is similar to setuid.
  • prot_exec: A process that lacks the prot_exec ability shows a failed ability check if it creates another thread. However, the failed check is harmless.