Hey everyone! I've recently transitioned our software to be SELinux-friendly, ensuring that all our processes are running with the correct context and that our files and data have the appropriate SELinux labels. I've programmed specific rules to allow our processes access to certain parts of the Linux environment, but I think I may have made some of those rules overly permissive as I was learning the ropes of SELinux.
While it's easy to identify missing rules through audit log denials, pinpointing overly permissive rules isn't as straightforward. I could start fresh and develop a new, tighter SELinux policy, but that would take a lot of time—especially for long-running tasks like log rotation, where the test cycles can be prolonged.
So I'm curious, does anyone know of any tools that can help identify overly permissive policies? Do you think such a tool would be beneficial for Linux administrators? If nothing like this exists, I'd be interested in possibly creating one myself as a fun project!
3 Answers
How do you plan to gauge when permissions are too broad? It's a tricky area since you'd need to understand the application's purpose, and there isn't a formal method I'm aware of. Other tools tend to describe what you need first and then generate more standard policies. For instance, check out udica, which does something similar.
That sounds like a worthwhile project! I'd definitely be interested in contributing if time allows.
I think if the application runs for an extended period and certain rules aren't triggered, that could indicate those rules aren't necessary. Of course, there will be some guesswork involved, but I'd let the users of the tool make the final call.
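An added example, not part of the thread and not taken from any existing tool: a Python sketch of the "rules that never trigger" idea from the last answer. It assumes each allow rule under review is mirrored by an auditallow rule, because SELinux logs granted accesses only for auditallow; the myapp_* types, the policy text and the audit records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: allow rules of a hypothetical myapp policy module.
POLICY = """
allow myapp_t myapp_log_t:file { create open read write append unlink };
allow myapp_t myapp_conf_t:file { open read write };
allow myapp_t var_run_t:dir { search add_name remove_name };
"""

# Constructed "granted" AVC records, as produced when auditallow mirrors the rules above.
AUDIT_LOG = """
type=AVC msg=audit(1700000000.101:201): avc:  granted  { open read } for  pid=811 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1700000000.204:202): avc:  granted  { create open append } for  pid=811 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_log_t:s0 tclass=file
type=AVC msg=audit(1700000000.305:203): avc:  granted  { search add_name } for  pid=811 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""

# Simplification: plain "allow src tgt:class perms;" rules only (no macros, attributes or class sets).
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;", re.M)
GRANT_RE = re.compile(r"avc:\s+granted\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def type_of(context):
    return context.split(":")[2]  # user:role:type[:level] -> type

def parse_allow_rules(text):
    rules = defaultdict(set)
    for src, tgt, cls, braced, single in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)].update((braced or single).split())
    return rules

def parse_granted(log):
    used = defaultdict(set)
    for perms, sctx, tctx, cls in GRANT_RE.findall(log):
        used[(type_of(sctx), type_of(tctx), cls)].update(perms.split())
    return used

def unused_permissions(policy, log):
    """Map (source, target, class) to the allowed permissions never seen as granted."""
    used = parse_granted(log)
    report = {}
    for key, perms in parse_allow_rules(policy).items():
        never = perms - used.get(key, set())
        if never:
            report[key] = sorted(never)
    return report

if __name__ == "__main__":
    for (src, tgt, cls), perms in unused_permissions(POLICY, AUDIT_LOG).items():
        print(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};  # never exercised")
```

The permissions it reports are candidates for removal, not verdicts: code paths that run rarely, such as log rotation, show up as unused until the observation window covers them.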
