Hey everyone! I recently made our software SELinux compatible, ensuring all processes run under the right contexts and our files are labeled appropriately. While setting up the SELinux policy, I might have gone a bit overboard with some permissions.
Identifying missing rules is relatively easy thanks to audit log denials, but finding those overly permissive rules can be tricky. I could start from scratch to create a tighter policy, but that would take a lot of time, especially for long-running tasks like log rotation.
Does anyone know of any tools that can help spot overly permissive policies? And do you think such a tool would be useful for Linux admins? If nothing exists, I'm considering developing one myself—it could be a fun challenge!
2 Answers
It's an interesting idea! But how would you actually figure out when permissions are too broad? Understanding application intent seems complex and there aren't standard solutions. Other tools typically take the opposite approach—defining requirements to generate a tighter policy, like udica from GitHub.
I think a tool to analyze SELinux policies for over-permissiveness would be super helpful! I'd definitely be interested in contributing if you decide to create it, assuming I have some time to spare.

Good point! My thought was to run the application for an extended period and see which rules aren't triggered. Sure, it's not foolproof, but it could help streamline things for users.
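The approach from the last reply (run the application for a while, then see which rules were never triggered), sketched as an added example that is not code from any poster in this thread. It diffs `allow` rules against `avc: granted` audit records, which SELinux only writes when matching `auditallow` rules are loaded. Assumptions: the `myapp_*` type names, the policy text and the log lines are constructed, and only plain single-type rules are parsed (no attributes or type sets).

```python
import re
from collections import defaultdict

# Constructed policy for a hypothetical myapp_t domain.
POLICY = """
allow myapp_t myapp_log_t:file { create open read write append unlink };
allow myapp_t myapp_conf_t:file { open read write };
allow myapp_t myapp_var_run_t:file write;
allow myapp_t self:tcp_socket { create connect listen accept };
"""

# Constructed audit records, as logged once auditallow rules cover the same accesses.
AUDIT_LOG = """
type=AVC msg=audit(1700000000.101:41): avc:  granted  { open read } for  pid=812 comm="myapp" path="/etc/myapp/app.conf" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1700000000.230:42): avc:  granted  { create open append } for  pid=812 comm="myapp" path="/var/log/myapp/app.log" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_log_t:s0 tclass=file
type=AVC msg=audit(1700000000.377:43): avc:  granted  { write } for  pid=812 comm="myapp" path="/run/myapp.pid" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_var_run_t:s0 tclass=file
type=AVC msg=audit(1700000001.004:44): avc:  granted  { create connect } for  pid=812 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=tcp_socket
"""

# Anchored to line start so "auditallow" lines are not mistaken for "allow" rules.
RULE_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)
AVC_RE = re.compile(r"avc:\s+granted\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)")

def parse_allow(policy):
    """Map (source type, target type, class) -> set of allowed permissions."""
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in RULE_RE.findall(policy):
        tgt = src if tgt == "self" else tgt  # 'self' means the source type itself
        rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def parse_granted(log):
    """Map (source type, target type, class) -> permissions seen in granted records."""
    seen = defaultdict(set)
    for perms, sctx, tctx, cls in AVC_RE.findall(log):
        # A context is user:role:type:level, so the type is the third field.
        seen[(sctx.split(":")[2], tctx.split(":")[2], cls)].update(perms.split())
    return seen

def unused_permissions(policy, log):
    """Return allowed permissions that never appeared in a granted record."""
    allowed, seen = parse_allow(policy), parse_granted(log)
    unused = {key: sorted(perms - seen.get(key, set())) for key, perms in allowed.items()}
    return {key: perms for key, perms in unused.items() if perms}

if __name__ == "__main__":
    for (src, tgt, cls), perms in unused_permissions(POLICY, AUDIT_LOG).items():
        print(f"never exercised: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

The observation window has to include infrequent tasks such as log rotation, otherwise permissions they need will show up as never exercised.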