Booting securely

To boot the system securely, remove the lines that run secpolgenerate from the startup script, rebuild the OS image, and reboot.

Make sure the compiled security policy is in the IFS in /proc/boot. To avoid having to specify the location wherever it is needed, QNX recommends that you use the default policy filepath /proc/boot/secpol.bin.

In the startup script, remove the lines that run secpolgenerate (described in “Booting the system for the first time”). In the following example, the lines are commented out:

# secpolgenerate -u -t 50
# LD_PRELOAD=secpol-preload.so
# procmgr_symlink /proc/boot/libsecpol-gen.so.1 /proc/boot/libsecpol.so.1
 
secpolpush

After you rebuild your OS image with these changes, you reboot the system. After the reboot, system activity is restricted to what's in the policy—behavior that secpolgenerate observed when you exercised the system.