Security policy maintenance

Updated: April 19, 2023

Maintenance tasks for your security policy can include determining whether any generated rules should be edited or removed, manually editing policies for efficiency and simplicity, and reviewing the contents of /dev/secpolgenerate/unused.

The secpolgenerate utility is not designed to generate a security policy that you can use “as is.” Rather, it is intended to provide input into a policy that you modify based on the actual needs of the system. For example, in some cases, the rules for programs like dumper need to change to allow it to function.

It is also possible to use the automatically generated policy only as a guide for producing policies that are equivalent to but better than ones that secpolgenerate produces. For example, you can use attributes in the security policy language to group related sets of capabilities and assign them to types.

In other cases, you can rewrite rules to improve them. For example, the following rule is a candidate for simplification:

allow_attach devc_pty_t {
    /dev/ttyp0
    /dev/ptyp0
    /dev/ttyp1
    /dev/ptyp1
    /dev/ttyp2
    /dev/ptyp2
    /dev/ttyp3
    /dev/ptyp3
    /dev/ttyp4
    /dev/ptyp4
    /dev/ttyp5
    /dev/ptyp5
    /dev/ttyp6
    /dev/ptyp6
    /dev/ttyp7
    /dev/ptyp7
};

This rule can be replaced with the following one:

allow_attach devc_pty_t {
    /dev/ttyp*
    /dev/ptyp*
};

When the system is exercised in new ways or as new services are added and others are taken away, you need to update the policy. To perform these updates, first use secpolgenerate to remove restrictions from types to allow processes to do what they like without encountering errors (see Developing systems with a security policy). Then, use the contents of /dev/secpolgenerate/policy to determine which rules to add to the policy. In most cases, these additional rules are merged with existing rules rather than concatenated to the end of the existing policy file.

secpolgenerate also provides the file /dev/secpolgenerate/unused, which indicates rules or types that the system did not require. It can be used as a guide for rules or types to remove. However, it is important to consider why the rules are there, because it is possible that they're only required under circumstances that have not yet occurred.
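The two maintenance steps above, merging generated rules into the existing blocks for each type rather than appending them, and collapsing enumerated device paths into wildcards as in the devc_pty_t example, can be scripted. The following Python is an added example, not part of the QNX documentation or the secpolgenerate tool; it parses only the allow_attach block shape shown on this page, and the two policy fragments are constructed sample input.

```python
import re
from collections import defaultdict
# Constructed sample input (not from the page): an existing policy and a
# fragment as secpolgenerate might write it to /dev/secpolgenerate/policy.
EXISTING = """allow_attach devc_pty_t {
    /dev/ttyp0
    /dev/ptyp0
    /dev/ttyp1
    /dev/ptyp1
};"""
GENERATED = """allow_attach devc_pty_t {
    /dev/ttyp2
    /dev/ptyp2
};
allow_attach devc_ser_t {
    /dev/ser1
};"""
# Only the allow_attach block shape shown on the page is parsed.
BLOCK_RE = re.compile(r"allow_attach\s+(\w+)\s*\{([^}]*)\}\s*;")
def parse_attach_rules(text):
    """Return {type: set(paths)} for every allow_attach block in text."""
    rules = defaultdict(set)
    for m in BLOCK_RE.finditer(text):
        rules[m.group(1)].update(m.group(2).split())
    return rules
def merge_rules(*policies):
    """Union path sets per type: one block per type, no duplicate appended."""
    merged = defaultdict(set)
    for policy in policies:
        for typ, paths in parse_attach_rules(policy).items():
            merged[typ] |= paths
    return merged
def collapse_numbered(paths, min_run=3):
    """Fold paths differing only in a trailing number into prefix*.
    The glob also matches numbers never observed, so review each one."""
    groups = defaultdict(list)
    for p in paths:
        m = re.fullmatch(r"(.*\D)(\d+)", p)
        groups[m.group(1) if m else None].append(p)
    out = set()
    for prefix, members in groups.items():
        if prefix is not None and len(members) >= min_run:
            out.add(prefix + "*")
        else:
            out.update(members)
    return out
def render(rules):
    lines = []
    for typ in sorted(rules):
        lines.append(f"allow_attach {typ} {{")
        lines.extend(f"    {p}" for p in sorted(collapse_numbered(rules[typ])))
        lines.append("};")
    return "\n".join(lines)
```

Running render(merge_rules(EXISTING, GENERATED)) yields a single devc_pty_t block with /dev/ptyp* and /dev/ttyp*, plus a separate devc_ser_t block whose lone /dev/ser1 entry is left unchanged.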