Security policy maintenance
Maintenance tasks for your security policy can include determining whether any generated rules should be edited or removed, manually editing policies for efficiency and simplicity, and reviewing the contents of /dev/secpolgenerate/unused.
The secpolgenerate utility is not designed to generate a security policy that you can use as is. Rather, it is intended to provide input into a policy that you modify based on the actual needs of the system. For example, in some cases, the rules for programs like dumper need to change to allow them to function.
It is also possible to use the automatically generated policy only as a guide for producing policies that are equivalent to but better than ones that secpolgenerate produces. For example, you can use attributes in the security policy language to group related sets of capabilities and assign them to types.
In other cases, you can rewrite rules to improve them. For example, the following rule is a candidate for simplification:
allow_attach devc_pty_t {
/dev/ttyp0
/dev/ptyp0
/dev/ttyp1
/dev/ptyp1
/dev/ttyp2
/dev/ptyp2
/dev/ttyp3
/dev/ptyp3
/dev/ttyp4
/dev/ptyp4
/dev/ttyp5
/dev/ptyp5
/dev/ttyp6
/dev/ptyp6
/dev/ttyp7
/dev/ptyp7
};
This rule can be replaced with the following one:
allow_attach devc_pty_t {
/dev/ttyp*
/dev/ptyp*
};
When the system is exercised in new ways, or as new services are added and others are taken away, you need to update the policy. To perform these updates, first use secpolgenerate to remove restrictions from types to allow processes to do what they like without encountering errors (see Developing systems with a security policy). Then, use the contents of /dev/secpolgenerate/policy to determine which rules to add to the policy. In most cases, these additional rules are merged with existing rules rather than concatenated to the end of the existing policy file.
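As an added example (not part of the QNX documentation or of the secpolgenerate utility itself), the following Python script shows one way to merge rules taken from /dev/secpolgenerate/policy into an existing policy by type, rather than appending a second rule for the same type, while skipping paths already covered by a wildcard such as /dev/ttyp*. It assumes the rule grammar is limited to the allow_attach form shown above and that * matches as in fnmatch; both sample policies are constructed.

```python
import re
from collections import OrderedDict
from fnmatch import fnmatchcase

# Constructed sample: a hand-maintained policy (already simplified with
# wildcards) and rules of the kind secpolgenerate writes to
# /dev/secpolgenerate/policy after the system was exercised further.
EXISTING_POLICY = """\
allow_attach devc_pty_t {
    /dev/ttyp*
    /dev/ptyp*
};
allow_attach devc_ser_t {
    /dev/ser1
};
"""
GENERATED_POLICY = """\
allow_attach devc_pty_t {
    /dev/ttyp8
};
allow_attach devc_ser_t {
    /dev/ser1
    /dev/ser2
};
allow_attach devb_t {
    /dev/hd0
};
"""

# Assumption: only the allow_attach <type> { paths... }; form is handled.
RULE_RE = re.compile(r"allow_attach\s+(\w+)\s*\{([^}]*)\}\s*;", re.S)

def parse_attach_rules(text):
    """Return an ordered {type: [path, ...]} map of allow_attach rules."""
    rules = OrderedDict()
    for type_name, body in RULE_RE.findall(text):
        paths = rules.setdefault(type_name, [])
        for path in body.split():
            if path not in paths:
                paths.append(path)
    return rules

def merge_rules(existing, generated):
    """Merge generated paths into the existing rule for the same type.
    A path is skipped when an existing entry already covers it, either
    literally or via a wildcard (wildcard semantics assumed fnmatch-like)."""
    merged = OrderedDict((t, list(p)) for t, p in existing.items())
    for type_name, paths in generated.items():
        target = merged.setdefault(type_name, [])
        for path in paths:
            if not any(fnmatchcase(path, existing_p) for existing_p in target):
                target.append(path)
    return merged

def render_rules(rules):
    """Render the merged map back into allow_attach rule text."""
    out = []
    for type_name, paths in rules.items():
        out.append("allow_attach %s {" % type_name)
        out.extend("    " + p for p in paths)
        out.append("};")
    return "\n".join(out) + "\n"
```

Review the rendered output by hand before installing it; a path the wildcard check drops (here /dev/ttyp8) is only safe to omit if the wildcard in the existing rule is actually what you intended to allow.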
secpolgenerate also provides the file /dev/secpolgenerate/unused, which lists rules or types that the system did not require. It can be used as a guide for rules or types to remove. However, it is important to consider why those rules are there, because they may be required only under circumstances that have not yet occurred.