From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 21 Dec 2014 11:11:28 +0100
Subject: [refpolicy] What is security_file_type and auth_file_type?
Message-ID: <20141221101128.GA2409@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all

Originally, the use of the security_file_type attribute was to reduce the
size of the policy, and its purpose was mainly to differentiate between
files that could be dontaudited and those that couldn't (we want to see when
user domains access security_file_type types that they do not have access
to).

However, I could not find what the scope should be for a security_file_type
(and auth_file_type). When should a type be assigned to be a
security_file_type? "security" is a broad term...

Is it types that could jeopardize the security (confidentiality? integrity?
availability?) of the system when the resources of that type are /read/ by
unauthorized domains? Or is it when the resources are written to? The latter
(writes) is of course much broader (writing to /etc/pam.d or to the libraries
on the system for instance).

Wkr,
	Sven Vermeulen