System monitoring using secpolgenerate

In addition to development tasks, you can use secpolgenerate in a secure, deployed system to detect errors.

Ideally, secpolgenerate starts like any other service with its own type. When it is used for monitoring instead of policy generation, it runs after the security policy is pushed to procnto instead of before (that is, after secpolpush runs). For example, start it using the following command:

on -T secpolgen_t -u 40 secpolgenerate

When secpolgenerate runs this way (that is, when on starts it without its -t or -u options), it does not attempt to modify the existing policy; it simply monitors system activity and reports any errors in /dev/secpolgenerate/errors.
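A small polling helper for that report, added here as an example and not part of the QNX documentation: it prints only the lines of /dev/secpolgenerate/errors added since the previous poll, so a periodic job sees each denial once. It assumes the report is line-oriented and takes both the report path and a state-file path as arguments (the real report format is not assumed; lines pass through verbatim).

```shell
#!/bin/sh
# Added example (not from the QNX documentation): incremental reader for the
# errors report secpolgenerate writes in monitoring mode.
#
# secpol_new_errors ERRORS_FILE STATE_FILE
#   Prints the lines of ERRORS_FILE that were added since the line count saved
#   in STATE_FILE, updates STATE_FILE, and returns 1 when new lines were found
#   (0 otherwise), so a cron-style job can treat a nonzero status as "look here".
secpol_new_errors() {
    errors_file=$1
    state_file=$2
    # Nothing to report until secpolgenerate has created the report.
    [ -r "$errors_file" ] || return 0
    seen=0
    [ -r "$state_file" ] && read -r seen < "$state_file"
    # Arithmetic expansion normalises the whitespace some wc versions emit.
    total=$(( $(wc -l < "$errors_file") ))
    # If the report shrank (for example secpolgenerate was restarted and began
    # a fresh report), start again from the top rather than missing lines.
    [ "$total" -lt "$seen" ] && seen=0
    printf '%s\n' "$total" > "$state_file"
    if [ "$total" -gt "$seen" ]; then
        # Emit only the lines after the ones already reported.
        tail -n +"$((seen + 1))" "$errors_file"
        return 1
    fi
    return 0
}
```

Call it from a periodic job once secpolgenerate is running in monitoring mode, for example `secpol_new_errors /dev/secpolgenerate/errors /var/run/secpol_errors.seen || logger -t secpol "new policy errors"` (the state-file path is an assumption).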

Although this technique requires security policy rules for secpolgen_t, secpolgenerate can't generate them itself: it can't monitor its own startup before it is running, and once it is running that startup has already happened. However, the following set of rules is likely to work:

type secpolgen_t;
allow secpolgen_t self:ability {
    pathspace
    mem_phys
    prot_exec
    interrupt:2147418112
    io
    trace
    map_fixed
    public_channel
};
allow_attach secpolgen_t /dev/secpolgenerate/...;
allow_attach secpolgen_t /dev/name/local/_tracelog;

This set of rules will also likely provide sufficient abilities for a future version of secpolgenerate to start and monitor itself. If it requires further abilities, the /dev/secpolgenerate/errors file should indicate what they are.