The files ultimately still need to have types assigned to them. No compiler can determine what a program is actually doing with each of its files and derive the type assignment that achieves least privilege. A tool that looked at the file paths an application references and guessed types for them while constructing a policy would be somewhat useful, but it would be no substitute for a human.
In a number of cases, SELinux has revealed application bugs, such as the Kerberos libraries trying to open /etc/krb5.conf with write permission when read access is all they need.
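The krb5.conf case is worth dwelling on, because the naive response to any AVC denial is to feed it to audit2allow and accept the rule it proposes, which would have papered over the bug rather than exposed it. The following script is an added example (it is not code from the article, from SELinux, or from the audit tools): it parses AVC records and, before proposing an allow rule, checks whether the denied access is a write on an object type that policy treats as read-only configuration, in which case it flags a suspected application bug instead. The audit lines are constructed samples; the PIDs, inodes, timestamps and the kinit_t / krb5_conf_t / krb5_keytab_t contexts are assumed for illustration, and READ_ONLY_CONFIG_TYPES is a hypothetical allowlist rather than anything derived from the policy.

```python
"""Triage SELinux AVC denials: missing policy rule, or application bug?

Added example, not from the article. The audit records below are constructed;
the source/target contexts and the read-only type list are assumptions.
"""
import re

# Constructed sample of /var/log/audit/audit.log records (one SYSCALL line
# included to show that non-AVC records are skipped).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1492123456.001:101): avc:  denied  { read write open } for  pid=1234 comm="kinit" name="krb5.conf" dev="sda1" ino=5678 scontext=system_u:system_r:kinit_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1492123456.002:102): avc:  denied  { read } for  pid=1235 comm="kinit" name="keytab" dev="sda1" ino=5679 scontext=system_u:system_r:kinit_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1492123456.002:102): arch=c000003e syscall=2 success=no exit=-13 ...
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)\s+comm="(?P<comm>[^"]*)"'
    r'(?:\s+name="(?P<name>[^"]*)")?.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Hypothetical allowlist: object types that client domains should only ever
# read. A denied write on one of these is more likely an application opening
# a config file O_RDWR than a genuine hole in the policy.
READ_ONLY_CONFIG_TYPES = {"krb5_conf_t", "etc_t", "etc_runtime_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = frozenset(rec["perms"].split())
    # user:role:type:level -> the type is the third field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(log_text):
    """Classify each denial as ('app-bug', note) or ('policy-gap', allow rule)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        wanted_writes = rec["perms"] & WRITE_PERMS
        if rec["tclass"] == "file" and rec["ttype"] in READ_ONLY_CONFIG_TYPES and wanted_writes:
            # The krb5.conf pattern: a read-only config file opened for writing.
            note = (f'{rec["comm"]} ({rec["stype"]}) wants {{ {" ".join(sorted(wanted_writes))} }} '
                    f'on {rec["name"]} ({rec["ttype"]}); check its open() flags before loosening policy')
            findings.append(("app-bug", note))
        else:
            # Same shape of rule audit2allow would emit; here only for non-suspicious denials.
            rule = f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} {{ {" ".join(sorted(rec["perms"]))} }};'
            findings.append(("policy-gap", rule))
    return findings


if __name__ == "__main__":
    for kind, text in triage(SAMPLE_AUDIT_LOG):
        print(f"[{kind}] {text}")
```

Run against the constructed log, the first record (krb5.conf opened with { read write open }) is reported as a suspected application bug and no allow rule is generated for it, while the keytab read denial is turned into an ordinary allow rule. The allowlist is the weak point of this heuristic and would have to be maintained by someone who understands the policy, which is the article's point about the limits of automation.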
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds