Why aren't policies automatically generated?

Posted Feb 10, 2007 21:21 UTC (Sat) by skybrian (subscriber, #365)
Parent article: SLIDE into SELinux policy development

I'm sure folks who study this have thought of it already, but it seems like taking a different approach would work better: instead of manually writing policies, compiling and installing a program should automatically generate a policy that grants access to all the resources that the program could potentially need, and no more, with links back to the code that requires access. The jail's role is only to make sure that the program meets its own policy. Security would come from reviewing program policies for red flags and looking at any changes in new versions. Developers would then be able to improve security by rewriting their code to remove any dependencies that aren't strictly needed. Nobody would need to write policies.

(This assumes a lot from static program analysis, but that's inherent in the problem since policies are static.)


Why aren't policies automatically generated?

Posted Mar 3, 2007 12:34 UTC (Sat) by erich (subscriber, #7127)

First of all, you'd need to have the application trigger all its behaviour.
If you just start up the browser and close it right away, it might not write files to its cache etc.; so a trained policy will also likely be incomplete.

Then you don't know about the precision; one application might be accessing /home/user/.browser/cache/foobar, and another /etc/resolv.conf.
How is a learning algorithm expected to know that in the first case it's supposed to be a wildcard like $HOME/.browser/cache/* whereas in the second case it's an exact match only?
There is no "open all files in this directory" command, to the OS it's just a bunch of file accesses.

Also lots of applications have bugs, and access files that they do not need.

Furthermore, application behaviour can depend on various other modules. For example, when you use libpam-ldap, suddenly many applications will start connecting to LDAP servers. You'd need to learn each app in each configuration setting.
If you are using an abstraction layer, it's easy to find out which applications are using PAM or NSS, and then map them to accessing ldap, kerberos, winbind, mysql, whatever datasource.

Automatic learning just won't work properly, sorry.
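The two comments above argue opposite sides of the same question: the first proposes generating a policy automatically from what the program needs, the second explains why learning it from observed accesses breaks down (incomplete coverage, and no way to tell an exact-path rule from a directory wildcard). The following simulation, added here as an illustration and not taken from LWN, SELinux or any policy tool such as audit2allow, makes both failure modes concrete. The file paths and access traces are constructed; the "exact" and "generalized" learners are toy heuristics written for this example and are not claimed to model any real tool's rule generation.

```python
"""Simulated trace-driven policy learning (added example; not from LWN or SELinux tooling).

Two toy learners turn an observed access trace into allow rules:
  learn_exact        -> one exact-path rule per observed (path, mode)
  learn_generalized  -> collapses a directory into dir/* once several distinct
                        files in it were accessed with the same mode
Then `check` replays a later trace against the learned rules and reports
what would be denied. All paths and traces below are constructed.
"""
from collections import defaultdict
import fnmatch
import posixpath


def learn_exact(trace):
    """Naive learner: the policy is exactly the set of observed accesses."""
    return sorted({(path, mode) for path, mode in trace})


def learn_generalized(trace, threshold=2):
    """Heuristic learner: if at least `threshold` distinct files in one directory
    were accessed with the same mode, emit a directory wildcard instead of the
    individual paths. The OS only ever reports individual file accesses, so the
    learner has no better signal than this kind of counting (hypothetical rule)."""
    by_dir = defaultdict(set)
    for path, mode in trace:
        by_dir[(posixpath.dirname(path), mode)].add(path)
    rules = set()
    for (directory, mode), paths in by_dir.items():
        if len(paths) >= threshold:
            # fnmatch's '*' also crosses '/', so this wildcard covers subdirectories too.
            rules.add((posixpath.join(directory, "*"), mode))
        else:
            rules.update((path, mode) for path in paths)
    return sorted(rules)


def allowed(rules, path, mode):
    """True if some rule with the same mode matches the path (shell-style globbing)."""
    return any(m == mode and fnmatch.fnmatchcase(path, pattern) for pattern, m in rules)


def check(rules, trace):
    """Return the accesses in `trace` that `rules` would deny, in trace order."""
    return [(path, mode) for path, mode in trace if not allowed(rules, path, mode)]


# Constructed training run: browser started, loaded one page, exited.
TRAINING_RUN = [
    ("/etc/resolv.conf", "read"),
    ("/home/user/.browser/cache/a1b2", "write"),
    ("/home/user/.browser/cache/c3d4", "write"),
    ("/home/user/.browser/prefs.js", "read"),
]

# Constructed second training run in which the program also happened to read
# /etc/hosts: two distinct files read under /etc.
TRAINING_RUN_2 = TRAINING_RUN + [("/etc/hosts", "read")]

# Constructed later run: new cache file names, plus a legitimate read of
# /etc/hosts that the first training run never exercised.
PRODUCTION_RUN = [
    ("/etc/resolv.conf", "read"),
    ("/etc/hosts", "read"),
    ("/home/user/.browser/cache/e5f6", "write"),
    ("/home/user/.browser/prefs.js", "read"),
]

# An access the program never needs; a sound policy must keep denying it.
ATTACK = [("/etc/shadow", "read")]


if __name__ == "__main__":
    for name, learner in (("exact", learn_exact), ("generalized", learn_generalized)):
        print(f"[{name}] trained on run 1, denied in production:",
              check(learner(TRAINING_RUN), PRODUCTION_RUN))
        print(f"[{name}] trained on run 1, denied from attack:",
              check(learner(TRAINING_RUN), ATTACK))
        print(f"[{name}] trained on run 2, denied from attack:",
              check(learner(TRAINING_RUN_2), ATTACK))
```

Trained on the first run, the exact learner denies the new cache file (a new name every session) and the generalized learner fixes that with a cache/* rule; both still deny /etc/hosts, because the training run simply never touched it. Trained on the second run, the same counting heuristic that was right for the cache directory turns two reads under /etc into /etc/*, and /etc/shadow becomes readable. Nothing in the trace itself distinguishes the two cases, which is the point of the comment above.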

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds