First of all, you'd need to have the application trigger all it's behaviour.
If you just start up the browser and close it right away, it might not write files to its cache etc.; so a trained policy will also likely be incomplete.
Then you don't know about the precision; one application might be accessing /home/user/.browser/cache/foobar, and another /etc/resolv.conf.
How is a learning algorithm expected to know that in the first case it's supposed to be a wildward like $HOME/.browser/cache/* whereas in the second case it's an exact match only?
There is no "open all files in this directory" command, to the OS it's just a bunch of file accesses.
Also lots of applications have bugs, and access files that they do not need.
Futhermore, application behaviour can depend on various other modules. For example, when you use libpam-ldap, suddenly many applications will start connecting to LDAP servers. You'd need to learn each app in each configuration setting.
If you are using an abstraction layer, it's easy to find out which applications are using PAM or NSS, and then map them to accessing ldap, kerberos, winbind, mysql, whatever datasource.
Automatic learning just won't work properly, sorry.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds