Booting the system for the first time

After you add security types to your system, a security policy is required to boot it. The secpolgenerate utility provides an easy method for creating this policy.

You can build a security policy yourself by writing rules in the security policy language, but it is easier to use secpolgenerate. For example, the following lines in a startup script start and configure secpolgenerate, which creates a policy, and then invoke secpolpush to push the policy. The example assumes that the binaries secpolgenerate, libsecpol-gen.so.1, and secpol-preload.so are included in the IFS:

secpolgenerate -u -t 50
LD_PRELOAD=secpol-preload.so
procmgr_symlink /proc/boot/libsecpol-gen.so.1 /proc/boot/libsecpol.so.1
 
secpolpush

This code should boot your system unless there are errors in the startup script or missing files.

In this example, the system is completely insecure. The -u option tells secpolgenerate that the system should be allowed to run in unrestricted mode, which means that, generally speaking, the behavior of processes is not limited in any way.

The -t 50 option allows up to 50 security types, which is usually sufficient for a new system. However, in some cases, such as when you are starting a lot of services or the services you are starting use many security types, a larger number of types is required.
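
A pre-boot check for the points above, as an added example that is not part of the original documentation: it confirms that the three binaries are in the IFS and that secpolgenerate starts before secpolpush, reports the -t limit, and flags -u so that unrestricted mode is not carried into a later build unnoticed. It assumes the IFS contents are available as a text manifest with one path per line; check_secpol_boot and its exit codes are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: the IFS contents are available as
# a text manifest, one path per line. check_secpol_boot is a hypothetical name.
REQUIRED="secpolgenerate libsecpol-gen.so.1 secpol-preload.so"

# Usage: check_secpol_boot SCRIPT MANIFEST
# Returns 0 = clean, 1 = boot-blocking error, 2 = boots but runs unrestricted.
check_secpol_boot() {
    script=$1; manifest=$2; rc=0
    # Each binary the page lists must be in the image (compare base names).
    for f in $REQUIRED; do
        if ! sed 's|.*/||' "$manifest" | grep -Fxq "$f"; then
            echo "ERROR: $f is not in the IFS"; rc=1
        fi
    done
    # secpolgenerate has to be started before secpolpush pushes its policy.
    pat='^[[:space:]]*%s([[:space:]]|$)'
    gen=$(grep -nE "$(printf "$pat" secpolgenerate)" "$script" | head -n1)
    push=$(grep -nE "$(printf "$pat" secpolpush)" "$script" | head -n1)
    if [ -z "$gen" ]; then
        echo "ERROR: secpolgenerate is never started"; rc=1
    elif [ -z "$push" ]; then
        echo "ERROR: secpolpush is never invoked"; rc=1
    elif [ "${push%%:*}" -lt "${gen%%:*}" ]; then
        echo "ERROR: secpolpush runs before secpolgenerate"; rc=1
    fi
    # Report the -t type limit and flag -u (unrestricted mode).
    types=$(printf '%s\n' "$gen" | sed -n 's/.*[[:space:]]-t[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    if [ -n "$types" ]; then echo "INFO: up to $types security types"; fi
    case "$gen " in
        *" -u "*) echo "WARN: -u set, processes run unrestricted"
                  if [ "$rc" -eq 0 ]; then rc=2; fi ;;
    esac
    return "$rc"
}

# Constructed sample input: the page's script and a matching manifest.
demo=$(mktemp -d)
cat > "$demo/startup.sh" <<'EOF'
secpolgenerate -u -t 50
LD_PRELOAD=secpol-preload.so
procmgr_symlink /proc/boot/libsecpol-gen.so.1 /proc/boot/libsecpol.so.1

secpolpush
EOF
printf '%s\n' /proc/boot/secpolgenerate /proc/boot/libsecpol-gen.so.1 \
    /proc/boot/secpol-preload.so > "$demo/ifs.txt"
check_secpol_boot "$demo/startup.sh" "$demo/ifs.txt" || echo "status: $?"
```
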

The first time you run secpolgenerate, simply performing a system boot may be sufficient to generate a policy that you can use to familiarize yourself with the related security features. In most cases, you continue to exercise your system at intervals specific to your development process so that secpolgenerate can more thoroughly track all the possible activity that processes can generate.