A compartment definition can be tagged with the
keyword discover. See Section . The discover keyword instructs the system to discover all of the rules necessary
to make the application function correctly. This feature is intended
to only be used in a test environment.
To use discover mode, mark
a compartment as discover and run the application
as you normally would. The system identifies all resource accesses
and creates the required rules.
After the initial execution of the application,
use the getrules –m compartment_name command to generate a machine readable version of rules.
The system generated rules are required to make
the application function successfully in the test environment, but
may need to be generalized. For example, the system may generate a
rule that involves a port number in anonymous port range, where the
kernel, not the application, selects the port number. When the application
is run again, it may end up with a different port number, requiring
a different rule. The rule may need to be generalized such that either
all ports or at least the port numbers in the anonymous port range
are specified.
Printable version
