[refpolicy] What is security_file_type and auth_file_type?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] What is security_file_type and auth_file_type?
Date: Tue, 23 Dec 2014 18:14:48 +0100	[thread overview]
Message-ID: <20141223171448.GA8230@siphos.be> (raw)
In-Reply-To: <5498296E.1040506@redhat.com>

On Mon, Dec 22, 2014 at 09:23:42AM -0500, Daniel J Walsh wrote:
> I see security_file_type as being the type associated with types that
> should not be READ, not written.
> /etc/shadow and friends. 
> 
>  seinfo -asecurity_file_type  -x
>    security_file_type
>       selinux_config_t
>       default_context_t
>       dnssec_t
>       shadow_t
>       krb5_keytab_t
>       selinux_login_config_t
>       file_context_t
>       audit_spool_t
>       semanage_store_t
>       auditd_etc_t
>       auditd_log_t
>       random_seed_t
> 
> Although a couple of these (selinux config types) should probably not be
> included.  

So things like private keys and passwords (or password containing files) I
can understand. Why would auditd related files be considered to be "not
readable"? What leaks/problems do you see with access to those files that
are so severe?

Wkr,
	Sven Vermeulen

PS At least you can still query which types have security_file_type set.
   With the 2.4 userspace if the attribute is not directly used in rules,
   then it is no longer part of the policy:

   ~# seinfo -asecurity_file_type -x
   ERROR: Provided attribute (security_file_type) is not a valid attribute
   name.

   This is because the security_file_type is used for /excluding/ those
   types from rules (like "{ file_type -security_file_type }").

next prev parent reply	other threads:[~2014-12-23 17:14 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-12-21 10:11 [refpolicy] What is security_file_type and auth_file_type? Sven Vermeulen
2014-12-22 14:23 ` Daniel J Walsh
2014-12-23 17:14   ` Sven Vermeulen [this message]
2014-12-23 18:13     ` Daniel J Walsh

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141223171448.GA8230@siphos.be \
    --to=sven.vermeulen@siphos.be \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.