System monitoring using secpolgenerate

Updated: April 19, 2023

In addition to development tasks, you can use secpolgenerate in a secure, deployed system to detect errors.

Ideally, secpolgenerate starts like any other service with its own type. When it is used for monitoring instead of policy generation, it runs after the security policy is pushed to procnto instead of before (that is, after secpolpush runs). For example, start it using the following command:

on -T secpolgen_t -u 40 secpolgenerate

When secpolgenerate runs this way (that is, on starts it without secpolgenerate's own -t or -u options), it does not attempt to modify the existing policy; it simply monitors system activity and reports any errors in /dev/secpolgenerate/errors.

Although this technique requires security policy rules for secpolgen_t, secpolgenerate can't generate them itself: it can't monitor its own activity before it starts, and once it is running it is too late to record what it needed in order to start. The following rules are the minimum set required:

type secpolgen_t;
allow secpolgen_t self:ability {
    nonroot
    pathspace
    mem_phys
    prot_exec
    interrupt:2147418112
    io
    trace
    map_fixed
    public_channel
};
allow_attach secpolgen_t /dev/secpolgenerate/...;
allow_attach secpolgen_t /dev/name/local/_tracelog;
If any shared objects that secpolgenerate requires are located outside the IFS, you may have to add other abilities to these rules (e.g., if the security type for the filesystem is devb_t, add channel_connect: devb_t). Once secpolgenerate is running, look at /dev/secpolgenerate/errors to determine any further abilities it needs.
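As an added example (not from the QNX documentation), the following POSIX shell script starts the monitor after the policy has been pushed and then reports only the entries in the errors file that have not been reported before, so the check can be run repeatedly from a periodic job. The state-file path, the use of a line count as the bookmark, and the uid of 40 reused from the command above are assumptions.

```shell
#!/bin/sh
# Added example, not part of the QNX documentation: start secpolgenerate in
# monitoring mode once the policy is loaded, then report only the error lines
# that have not been reported before.
# The default paths below are assumptions; override them via the environment.

SECPOL_ERRORS="${SECPOL_ERRORS:-/dev/secpolgenerate/errors}"
SECPOL_STATE="${SECPOL_STATE:-/var/run/secpol_errors.seen}"

# Start the monitor. secpolpush must already have loaded the policy; the type
# and uid come from on, not from secpolgenerate's own -t/-u options.
start_secpol_monitor() {
    on -T secpolgen_t -u 40 secpolgenerate
}

# Print the lines of $1 that come after the line count stored in $2, then
# update $2. Returns 0 when nothing new was found, 1 when new error lines
# were printed, and 2 when the errors file cannot be read.
report_new_secpol_errors() {
    errors_file="${1:-$SECPOL_ERRORS}"
    state_file="${2:-$SECPOL_STATE}"
    [ -r "$errors_file" ] || { echo "cannot read $errors_file" >&2; return 2; }
    seen=0
    [ -r "$state_file" ] && seen=$(tr -d ' \n' < "$state_file")
    total=$(wc -l < "$errors_file" | tr -d ' ')
    # If the file shrank (for example, it was reset), report from the start.
    [ "$total" -lt "$seen" ] && seen=0
    echo "$total" > "$state_file"
    [ "$total" -gt "$seen" ] || return 0
    tail -n +$((seen + 1)) "$errors_file"
    return 1
}
```

Run report_new_secpol_errors from a periodic job and forward its non-zero return and output to whatever logging the system uses; the first run after boot reports everything accumulated so far.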