From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 21 Dec 2014 11:11:28 +0100
Subject: [refpolicy] What is security_file_type and auth_file_type?
Message-ID: <20141221101128.GA2409@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all

Originally, the use of the security_file_type attribute was to reduce the size of the policy, and its purpose was mainly to differentiate between files that could be dontaudited and those that couldn't (we want to see when user domains access security_file_type types that they do not have access to).

However, I could not find what the scope should be for a security_file_type (and auth_file_type). When should a type be assigned to be a security_file_type? "security" is a broad term...

Is it types that could jeopardize the security (confidentiality? integrity? availability?) of the system when the resources of that type are /read/ by unauthorized domains? Or is it when the resources are written to? The latter (writes) is of course much broader (writing to /etc/pam.d or to the libraries on the system for instance).

Wkr,
Sven Vermeulen