Guided Policy Generation for Application Authors

Polgen is a tool for human-guided semi-automated SE Linux security policy generation. Polgen processes traces of the dynamic behavior of a target program. In that behavior, it observes instances of information flow patterns such as Pipeline, Interpreter, and Proxy. Based on the patterns it detects, Polgen creates new SE Linux types and generates policy rules. Because the dynamic behavior is insufficient to determine security policy, Polgen presents a wizard-style interface for human interaction. We call the interaction "guided automatic policy generation." We designed Polgen primarily for security administrators who confront unfamiliar programs and are obliged to integrate them into existing policy. This paper highlights changes made to Polgen to adapt it to the needs of application authors, people that are less likely to be well versed in SE Linux policy than are security administrators. Key changes include an architecture specification language and a refinement of the wizard-style interface for application authors. When complete, this tool will expand the community of policy authors, and further accelerate the adoption of SE Linux.