Reviewing for unnecessary rules

Although secpolgenerate generates policy rules based on what was needed when the system was run, these are not necessarily appropriate. QNX recommends that you review the security policy specifically to locate processes with abilities that they don't need.

The secpolgenerate utility gives an ability to a type under the following circumstances:

Although removing an ability that secpolgenerate has identified as necessary will likely cause whatever used it to fail, in some cases the failure can be fixed without restoring the ability. For example, you might remove the need for an ability by making changes to behavior using command-line options, a configuration file, or interaction with other programs.

Look for types that have the ability iofunc/read, which allows a process to read a file that POSIX permissions normally prohibit. If most or all process are run with non-root user IDs (which QNX recommends), they might acquire the iofunc/read ability because of errors in the file permissions configuration. In this case, their attempt to open a file should fail but was allowed by granting them a privileged ability instead. To fix this, you can remove this ability for the type, run the system, and determine whether the program indicates what failed.