From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] What is security_file_type and auth_file_type?
Date: Mon, 22 Dec 2014 09:23:42 -0500
Message-ID: <5498296E.1040506@redhat.com>
In-Reply-To: <20141221101128.GA2409@siphos.be>


On 12/21/2014 05:11 AM, Sven Vermeulen wrote:
> Hi all
>
> Originally, the use of the security_file_type attribute was to reduce the
> size of the policy, and its purpose was mainly to differentiate between
> files that could be dontaudited and those that couldn't (we want to see when
> user domains access security_file_type types that they do not have access
> to).
>
> However, I could not find what the scope should be for a security_file_type
> (and auth_file_type). When should a type be assigned to be a
> security_file_type? "security" is a broad term...
>
> Is it types that could jeopardize the security (confidentiality? integrity?
> availability?) of the system when the resources of that type are /read/ by
> unauthorized domains? Or is it when the resources are written to? The latter
> (writes) is of course much broader (writing to /etc/pam.d or to the libraries
> on the system for instance).
>
> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
I see security_file_type as being the type associated with types that
should not be READ, not written.
/etc/shadow and friends.

 seinfo -asecurity_file_type  -x
   security_file_type
      selinux_config_t
      default_context_t
      dnssec_t
      shadow_t
      krb5_keytab_t
      selinux_login_config_t
      file_context_t
      audit_spool_t
      semanage_store_t
      auditd_etc_t
      auditd_log_t
      random_seed_t

Although a couple of these (selinux config types) should probably not be
included.
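The criterion in the reply above (a security_file_type is something that must not be readable, rather than something that must not be writable) can be turned into a policy audit. The script below is an added example, not code from this thread or from the refpolicy project: it parses the `seinfo -asecurity_file_type -x` listing quoted in the message, parses a set of allow rules written in the format `sesearch --allow` prints, and reports which source domains are granted `read` on any member of the attribute. The allow rules, the domain names used in them (chkpwd_t, passwd_t, setfiles_t, user_t, user_home_t) and the EXPECTED_READERS allow-list are constructed for illustration and are not taken from any real policy; on a live system the two parsers would be fed real seinfo/sesearch output instead.

```python
"""Audit read access to types carrying the security_file_type attribute.

Added example (not from the refpolicy project or from the mailing-list thread).
Inputs: the seinfo listing quoted in the message, plus constructed allow rules
in the textual format produced by `sesearch --allow`.
"""
import re
from collections import defaultdict

# Attribute listing exactly as quoted in the message (seinfo -asecurity_file_type -x).
SEINFO_OUTPUT = """\
   security_file_type
      selinux_config_t
      default_context_t
      dnssec_t
      shadow_t
      krb5_keytab_t
      selinux_login_config_t
      file_context_t
      audit_spool_t
      semanage_store_t
      auditd_etc_t
      auditd_log_t
      random_seed_t
"""

# Constructed, hypothetical allow rules in sesearch output format (not real policy).
SESEARCH_OUTPUT = """\
allow chkpwd_t shadow_t:file { getattr open read };
allow passwd_t shadow_t:file { create getattr open read write unlink rename setattr };
allow auditd_t auditd_log_t:file { append create getattr open write };
allow setfiles_t file_context_t:file { getattr open read };
allow user_t shadow_t:file { getattr open read };
allow user_t random_seed_t:file { append write };
allow user_t user_home_t:file { read write };
"""

# Constructed allow-list of domains we accept as readers of security files.
EXPECTED_READERS = frozenset({"chkpwd_t", "passwd_t", "setfiles_t"})

# allow <source> <target>:<class> { perm perm ... };   or   allow s t:c perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));\s*$")


def parse_seinfo_attribute(text):
    """Return (attribute_name, set_of_member_types) from `seinfo -a<attr> -x` output."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return lines[0], set(lines[1:])


def parse_allow_rules(text):
    """Return a list of (source, target, class, permission_set) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised allow rule: {line}")
        src, tgt, cls, perm_block, single_perm = match.groups()
        perms = set(perm_block.split()) if perm_block is not None else {single_perm}
        rules.append((src, tgt, cls, perms))
    return rules


def read_access_by_type(protected_types, rules, read_perms=frozenset({"read"})):
    """Map each protected type to the set of source domains allowed to read it.

    Only the `read` permission counts: getattr/open alone do not disclose the
    contents, and write-only rules are ignored, matching the criterion that
    security_file_type is about what must not be read.
    """
    readers = defaultdict(set)
    for src, tgt, _cls, perms in rules:
        if tgt in protected_types and perms & read_perms:
            readers[tgt].add(src)
    return dict(readers)


def unexpected_readers(readers, expected):
    """Return (source, target) pairs where a non-allow-listed domain can read."""
    return {(src, tgt) for tgt, srcs in readers.items() for src in srcs if src not in expected}


if __name__ == "__main__":
    attr, types = parse_seinfo_attribute(SEINFO_OUTPUT)
    readers = read_access_by_type(types, parse_allow_rules(SESEARCH_OUTPUT))
    print(f"{attr}: {len(types)} member types")
    for tgt in sorted(readers):
        print(f"  {tgt}: readable by {', '.join(sorted(readers[tgt]))}")
    for src, tgt in sorted(unexpected_readers(readers, EXPECTED_READERS)):
        print(f"REVIEW: {src} may read {tgt} but is not an expected reader")
```

With the constructed rules, auditd_log_t and random_seed_t do not appear in the report at all because the only rules touching them grant write or append, while user_t reading shadow_t is flagged for review. That asymmetry is the practical consequence of the "not read, not written" definition: writes to these types still matter for integrity, but they are not what the attribute is meant to single out.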

2014-12-21 10:11 [refpolicy] What is security_file_type and auth_file_type? Sven Vermeulen
2014-12-22 14:23 ` Daniel J Walsh [this message]
2014-12-23 17:14   ` Sven Vermeulen
2014-12-23 18:13     ` Daniel J Walsh