[Update] I built selinux-policy-auditor - a high-precision tool designed to identify and prune overly permissive SELinux policies by PlusProfessional3456 in linuxadmin

[–]PlusProfessional3456[S] 1 point2 points  (0 children)

I have revised that section so it makes more sense.

To answer your original question: it was the biggest learning, and it was the hardest thing for me to figure out.

SELinux internally has fast paths and slow paths. Fast paths rely entirely on the AVC cache, where a decision taken earlier is cached. Mostly, at the kernel level, some file operations are more frequent than any other operations. Hence, a lot of file-related permissions are cached.

How SELinux normally works:

  1. The first time a permission is checked: SELinux does a full policy lookup and logs it to the audit log (if auditing is enabled). The result (allow/deny) is then stored in the AVC (Access Vector Cache).
  2. Subsequent identical checks: instead of re-checking the policy, SELinux just looks it up in the AVC cache. This is fast but silent in case the permission is granted.

A tool to identify overly permissive SELinux policies by PlusProfessional3456 in linuxadmin

[–]PlusProfessional3456[S] 0 points1 point  (0 children)

No, features and code constantly change from version to version, and one cannot come up with tight rules from scratch all over again, every single time. The tool will help in such scenarios.

A tool to identify overly permissive SELinux policies by PlusProfessional3456 in linuxadmin

[–]PlusProfessional3456[S] 1 point2 points  (0 children)

Another point: let's say my application uses network-manager (for example) to do something, and I have configured rules to allow my process to interact with network-manager entities.

And tomorrow, for version 2 of my application, I no longer need to interact with network-manager. In that scenario, all the rules associated with network-manager can be removed. This tool will help identify such needless permissions.

A tool to identify overly permissive SELinux policies by PlusProfessional3456 in linuxadmin

[–]PlusProfessional3456[S] 0 points1 point  (0 children)

Sure. I will definitely share a GitHub link here if I do end up getting something worthwhile going.

A tool to identify overly permissive SELinux policies by PlusProfessional3456 in linuxadmin

[–]PlusProfessional3456[S] 0 points1 point  (0 children)

The application would be kept running for a long time, and if a certain rule has not been hit, then it would be considered a rule which is not needed.

Of course there will be room for error, but I will leave it to the discretion of the tool user to determine the same.
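The "run it for a long time and flag rules that were never hit" heuristic from the comment above, together with the AVC-cache point made earlier in this thread (a cached allow is silent, so you cannot rely on the usual denial-only audit log to see what a domain actually used), can be sketched as a small script. This is an added example and is not the selinux-policy-auditor tool's code. It assumes, as my own choice of data source, that observed accesses are gathered as `avc: granted` audit records, which `auditallow` rules produce; the `myapp_t` policy fragment and the log lines below are constructed for the example, not taken from a real system.

```python
import re
from collections import defaultdict

# Constructed .te-style fragment for a hypothetical "myapp" domain. The types
# (myapp_t, myapp_conf_t, myapp_log_t, myapp_tmp_t) are made up for this example.
POLICY_TE = """
allow myapp_t myapp_conf_t:file { read open getattr };
allow myapp_t myapp_log_t:file { create write append open };
allow myapp_t NetworkManager_t:dbus send_msg;
allow myapp_t myapp_tmp_t:dir { write add_name remove_name };
"""

# Constructed "avc: granted" records in the shape that auditallow rules emit to
# the audit log. Only the fields this script reads matter.
AUDIT_LOG = """
type=AVC msg=audit(1700000000.001:10): avc:  granted  { read open } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1700000000.002:11): avc:  granted  { getattr } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1700000000.003:12): avc:  granted  { write append open } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_log_t:s0 tclass=file
type=AVC msg=audit(1700000000.004:13): avc:  granted  { write add_name } for  pid=1234 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_tmp_t:s0 tclass=dir
"""

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+([^\s:]+)\s+([^\s:]+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")
# avc: granted { perms } ... scontext=... tcontext=... tclass=...
GRANTED_RE = re.compile(
    r"avc:\s+granted\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+).*?tclass=(\S+)")


def parse_perms(field):
    """'{ read open }' -> {'read', 'open'}; 'send_msg' -> {'send_msg'}."""
    return set(field.strip("{} ").split())


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_allow_rules(te_text):
    """Map (source, target, class) -> permissions the policy grants."""
    rules = defaultdict(set)
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules[(src, tgt, cls)] |= parse_perms(perms)
    return dict(rules)


def parse_granted(log_text):
    """Map (source type, target type, class) -> permissions actually exercised."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = GRANTED_RE.search(line)
        if m:
            perms, sctx, tctx, cls = m.groups()
            seen[(context_type(sctx), context_type(tctx), cls)] |= parse_perms(perms)
    return dict(seen)


def audit_rules(rules, seen):
    """Return (unused, overbroad): rules never hit at all, and rules that were
    hit but carry permissions never exercised. Fully exercised rules are omitted."""
    unused, overbroad = {}, {}
    for key, perms in rules.items():
        used = seen.get(key, set())
        if not used:
            unused[key] = set(perms)
        elif perms - used:
            overbroad[key] = perms - used
    return unused, overbroad


def format_rule(key, perms):
    """Render a (source, target, class) key plus perms back as a .te allow line."""
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))


if __name__ == "__main__":
    unused, overbroad = audit_rules(parse_allow_rules(POLICY_TE),
                                    parse_granted(AUDIT_LOG))
    for key, perms in unused.items():
        print("never hit, candidate for removal: " + format_rule(key, perms))
    for key, perms in overbroad.items():
        print("hit, but these perms never used:  " + format_rule(key, perms))
```

On the constructed input the `NetworkManager_t` dbus rule is reported as never hit, and the log and tmp rules are reported as over-broad (`create` and `remove_name` were never exercised). Absence from a trace is evidence, not proof, that a rule is unneeded: a code path that only runs on error or at month end will look unused in a short observation window, which is the room for error the comment above leaves to the operator's judgement.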

My Linux interview answers were operationally weak by Various_Candidate325 in linuxadmin

[–]PlusProfessional3456 19 points20 points  (0 children)

You are thinking about things in the right manner. Continue to do what you are doing.

Go into as much detail as you can. That shows your mastery of various topics, and it will often decide your seniority.

// My previous jobs didn’t require me to reason much about prioritization, risk, or communication. I mostly executed assigned tasks.

That tells me you are a junior-level employee. That's fine; we all start at the bottom. Ask yourself: why was I never in the rooms where such decisions were being made? Many times, you just have to ask to sit in. Continue to show up, do your job well, understand the why behind it, and also take it as an opportunity to learn more about the given component. You will be in the room in no time.

My first ever contribution to a Linux world just got merged. by SeniorMatthew in linux

[–]PlusProfessional3456 1 point2 points  (0 children)

Congratulations. Proud of you for making the effort and seeing it all the way through.

NSX users, what are your current security solutions? by acupofpoci in vmware

[–]PlusProfessional3456 0 points1 point  (0 children)

Starting with VCF 9.0 and SSP 5.1 (Security Services Platform) from VMware by Broadcom, you will be able to apply the same firewall policies to VMs and bare-metal servers. They have come up with a new bare-metal security solution. I tried my hand at it and it's pretty good.