The generated security policy

Updated: April 19, 2023

The generated security policy contains a set of rules that describes the abilities each process used and where in the pathname space it attached itself, as observed by secpolgenerate.

The policy that secpolgenerate generates contains rules that cover everything that has been done on the system. Although you can attempt to exercise the system enough to create a fairly complete policy, the policy is expected to evolve over time and you can address any gaps in security later.

The security policy is a text file that contains rules in the security policy language and is located in /dev/secpolgenerate/policy. For a description of the security policy language it uses, see “Security policy language”.

You compile the security policy text file on your host machine using secpolcompile. Use one of the following methods to copy the file to your host:

You can use sftp to copy the policy, but not scp, because scp copies only the length that stat() returns. Because secpolgenerate generates policy content as the file is being read, it does not provide a meaningful file size.
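The following is an added illustration of that caveat, not QNX's own code: it models a file whose content is produced on read, as /dev/secpolgenerate/policy is, and contrasts a copy that trusts the stat() size with one that streams to end of file. A FIFO stands in for the generated file (its stat() size is 0, yet reading it to EOF yields the full text); the policy text is a constructed sample, and the script assumes a POSIX system with os.mkfifo.

```python
"""Added example: why a stat()-size-based copy loses a generated file.

A FIFO is used as a stand-in for a file that is produced as it is read:
stat() reports 0 bytes for it, so a copier that transfers "stat() size"
bytes gets nothing, while one that reads until EOF gets everything.
Assumes a POSIX system (os.mkfifo). Not part of the QNX tooling.
"""
import os
import tempfile
import threading

# Constructed sample text standing in for generated policy content.
SAMPLE_POLICY = b"# constructed sample\nsample rule line 1\nsample rule line 2\n"


def _start_writer(path, data):
    """Background 'generator': opens the FIFO for writing and emits data
    once a reader connects. Models content being produced on read."""
    def run():
        try:
            with open(path, "wb") as fifo:
                fifo.write(data)
        except BrokenPipeError:
            pass  # the reader closed early (the stat()-size copy case)
    t = threading.Thread(target=run)
    t.start()
    return t


def copy_by_stat_size(src):
    """scp-like copy: transfer exactly the number of bytes stat() reports."""
    size = os.stat(src).st_size
    with open(src, "rb") as f:
        return f.read(size)


def copy_to_eof(src):
    """sftp-like copy: stream until the source signals end of file."""
    with open(src, "rb") as f:
        return f.read()


def source_has_meaningful_size(src):
    """Check before copying: a regular file with a non-zero stat() size is
    safe to copy by length; anything else must be streamed to EOF."""
    st = os.stat(src)
    return os.path.isfile(src) and st.st_size > 0


def demo():
    """Run both strategies against a FIFO.

    Returns (bytes obtained by the stat()-size copy, bytes obtained by the
    EOF copy, whether the source looked safe to copy by length).
    """
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "policy")
    os.mkfifo(path)
    try:
        safe = source_has_meaningful_size(path)
        w = _start_writer(path, SAMPLE_POLICY)
        short = copy_by_stat_size(path)
        w.join()
        w = _start_writer(path, SAMPLE_POLICY)
        full = copy_to_eof(path)
        w.join()
    finally:
        os.unlink(path)
        os.rmdir(tmp)
    return short, full, safe


if __name__ == "__main__":
    short, full, safe = demo()
    print("safe to copy by stat() size:", safe)
    print("stat()-size copy got", len(short), "bytes")
    print("EOF copy got", len(full), "bytes")
```

The `source_has_meaningful_size` check is the one to run before choosing a transfer method: a generated or device-backed file fails it, which is the signal to use a tool that reads to EOF (sftp) rather than one that copies a fixed length (scp).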