secpolgenerate

QNX SDP8.0Utilities ReferenceUtilities

Generate the security policy file

Syntax:

secpolgenerate -C clear used|errors
secpolgenerate -C load event_file
secpolgenerate [-lNnuv] [-c config_file] [-f time] [-L max_logs] 
               [-r range_file][-S base_policy] [-s state_file] 
               [-T options] [-t number_of_types]

Runs on:

QNX OS

Options:

-C clear used|errors
Send a clear command to an existing secpolgenerate process. Specify either used or errors. Both options cause secpolgenerate to forget about events related to the use of abilities and path attachments. The difference is that used affects successful calls while errors affects unsuccessful calls.
-C load event_file
Send a load command to an existing secpolgenerate process. The specified file contains information that simulates the use of specific privileges by processes. It is compiled using secpolcompile with the -e option. For more information, see State and event files in the System Security Guide.
-c config_file
Read information from a configuration file. See Configuration file.
-f time
Improve logging by flushing the trace events every time seconds.
-L max_logs
The maximum number of error logs to include in /dev/secpolgenerate/errors. Default is 100.
-l
Log security check errors to a slog2 buffer.
-N
Create a security policy completely from scratch instead of basing it on an existing one.
-n
Use names instead of numbers in the state_file (which can make the information easier to interpret but is less efficient).
-r range_file
Get named range definitions from the specified file. See Named range file in the QNX OS System Security Guide.
-S base_policy
Use the base_policy instead of /proc/boot/secpol.bin.
-s state_file
The secpolgenerate utility uses the state_file to save and restore the state. It does not have to be accessible when the utility starts. For more information, see State and event files in the System Security Guide.
-T options
In most cases, you test a service's behavior with respect to security policies by running it in a system that is using secpolgenerate using normal policy generation. However, if this type of system is not available, the following options may allow you to successfully run your service as a type in a system that mixes the features of a system that uses a security policy with features of one that doesn't:
  • all_connect — the type ID of any channel you attach to a path (using resmgr_attach()) is switched to 0. A type ID of 0 allows all processes to connect to a channel, irrespective of the process's abilities. This can prevent the system from failing because the channels of the process you're testing have non-zero type IDs.
  • zero_id — sets the policy ID of the policy that secpolgenerate provides at /proc/boot/secpol.bin to 0 instead of 1. Because a policy ID of 0 usually indicates no policy, specifying zero_id allows you to use secpolgenerate but other components behave as if it is not in use.

You can specify -T multiple times — once for each option you want to enable.

When you use these options, be aware that running a system that has features that use a policy as well as ones that ignore the policy can have unexpected results.

-t number_of_types
Allow this many more types in the new policy than currently exist in the base policy.
-u
Allow unrestricted behavior in the policy. For example, when you intend to use the policy in a development environment that is an insecure variant of another system.
-v
Write verbose output of errors to stderr.

Description:

The secpolgenerate utility is a tool for generating security policy rules by observing the system in action to determine the set of abilities each specific process needs. The rules it generates can either form a completely new security policy if one doesn't exist already, or they can indicate changes to the existing policy.

To allow changes from an existing policy in the generated policy, you must use either the –u or –t option.

However, if you choose to use the secpolgenerate utility on a secure system, you should not use either the –u or –t option.

This tool allows you to automate the process of developing a policy instead of creating one manually and reduces the amount of configuration required. Use it to identify updates that might be required to increase (or relax) security. Over time, information is generated and collected in the policy, unused and errors files in the /dev/secpolgenerate/ directory.

Note:
  • Unless you are using secpolgenerate for monitoring only, you need to use libsecpol-gen.so.1 with the name libsecpol.so.1 instead of libsecpol.so.1 itself. You can rename libsecpol-gen.so.1 or use a process manager symlink. For example:
    procmgr_symlink /proc/boot/libsecpol-gen.so.1 /proc/boot/libsecpol.so.1
  • To help you discover any paths that might generate too-permissive abilities, preload secpol-preload.so into all processes by setting the LD_PRELOAD environment variable. For more information, see Identifying abilities added to override incorrect permissions in the Access Control chapter of the System Security Guide.
See the System Security Guide for more information about:
  • how to design a security policy and automate its creation using secpolgenerate
  • the grammar that is used in the uncompiled, text version of the security policy file (generated or manual)
  • tutorials and information about booting the system for the first time
  • how to compile a security policy with the secpolcompile utility
  • best practices for security integration

Configuration file:

The secpolgenerate utility is designed to operate without any explicit configuration. However, using a configuration file provides a much more flexible and easy-to-use development environment and a way to handle some rare problems.

File location

On production systems, because secpolgenerate is either not running or running in a manner that cannot impact security, it makes no difference from a security point of view where its configuration file is located or what permissions it has.

For a development environment, however, the location of the configuration file has a significant impact on how easily you can implement changes to it as you work. For more information, see Developing systems with a security policy in the Tutorial: Build a system that uses a security policy chapter in the System Security Guide.

File contents

secpolgenerate reads the configuration file line by line. Each line contains an option class followed by its configuration. Empty lines or lines whose first non-space character is a pound sign (#) are ignored.

ability options
These options use the following format:
ability ability-name [option...]
Options Description
range Configures the ability to support sub-ranges. This option is primarily for dynamic abilities that are all assumed by default not to take sub-ranges. In principle, it can be applied to a small number of static abilities (such as prot_exec) that secpolgenerate treats as non-ranged but which do support ranges (although these ranges are considered to be of little use).
type Indicates that the specified dynamic ability is subranged by type rather than numerically. This option causes secpolgenerate to create policy statements that use type names. Currently, secpolcompile does not support these kinds of ranges except for the two abilities that it knows can be subranged by type: settypeid and channel_connect.
warn Generates warning messages in the secpolgenerate errors file that indicate when the specified ability is used and by what process.
deny Denies the ability even if the type or all types are unconstrained.
type options
These options use the following format:
type type-name [option...]
Options Description
unrestricted Indicates that the type should be unrestricted even if secpolgenerate is running with types restricted to the existing policy. This option allows you to selectively relax the policy while the rest of the system runs as intended.
restricted Indicates the type should be restricted to rules in the existing policy even if secpolgenerate is run in an unrestricted manner.
deny:ability-spec[:user]...
When a type is run in an unrestricted manner, denies all abilities in the comma-separated ability list either for just non-root or for both root and non-root. For example:
type type1 deny:setuid,setgid:nonroot deny:fork

This entry denies the setuid and setgid abilities for non-root only and the fork ability for all user IDs.

When secpolgenerate generates a policy, it usually allows all abilities and monitors which ones are used. In some rare cases, allowing an ability can cause problems. For example, some versions of sshd try to verify that they are unable to revert to a user ID of 0 and exit if they can. This option allows you to deny sshd the setuid ability even when its behavior is otherwise unrestricted.

keep:ability-list
When a type is run in an unrestricted manner, maintain any restrictions in the existing policy for the abilities specified in the comma-separated list. For example:
type type1 keep:setuid,setgid

Maintains the rules for the setuid and setgid abilities for type type1 regardless of whether the type is run in an restricted manner.

unlock:ability-list Preserve the default permissions for each ability in the comma-separated list of abilities and prevent them from being locked. This option has the same effect as when secpolgenerate detects that a process is attempting to configure an ability using procmgr_ability().

To detect an ability configuration, secpolgenerate requires that the process preload the library secpol-preload.so. In the rare case where this preloading cannot be done, this option can be used to achieve the same result. If the option is needed but not provided, the process will likely experience an error when it tries to configure its abilities.

allow:ability-list Override the effect of the warn and deny options for the abilities specified in a comma-separated list. The specified abilities are permitted when the type is unconstrained and any use of the ability doesn't generate warnings.
global options
These options use the following format:
option option...
Options Description
deny_read_exec Deny all types the iofunc/read and iofunc/exec abilities (even when the type is unrestricted) instead of just warning that these abilities are used. If a specific type needs either of these abilities, start with an initial policy that grants it.

When a type needs these abilities, it typically indicates a problem with filesystem permissions.

restricted Configures secpolgenerate to restrict types to the rules contained in the policy by default. Individual types may be made unrestricted by specifying the type option with unrestricted. This option overrides the -u command line argument.
unrestricted Configures secpolgenerate to allow types unrestricted privileges by default. Individual types may be restricted to the existing policy by specifying the type option with restricted.

This option is almost equivalent to using the -u command line option. Unlike unrestricted, the -u or -t command line options enable secpolgenerate to override the policy in any way as well as making types unrestricted. For systems where the configuration file is on a writable file system, unrestricted provides an easy way to make changes to restrictions.

Page updated: