From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 23 Dec 2014 13:13:57 -0500
Subject: [refpolicy] What is security_file_type and auth_file_type?
In-Reply-To: <20141223171448.GA8230@siphos.be>
References: <20141221101128.GA2409@siphos.be> <5498296E.1040506@redhat.com> <20141223171448.GA8230@siphos.be>
Message-ID: <5499B0E5.5050603@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/23/2014 12:14 PM, Sven Vermeulen wrote:
> On Mon, Dec 22, 2014 at 09:23:42AM -0500, Daniel J Walsh wrote:
>> I see security_file_type as being the type associated with types that
>> should not be READ, not written.
>> /etc/shadow and friends.
>>
>> seinfo -asecurity_file_type -x
>> security_file_type
>> selinux_config_t
>> default_context_t
>> dnssec_t
>> shadow_t
>> krb5_keytab_t
>> selinux_login_config_t
>> file_context_t
>> audit_spool_t
>> semanage_store_t
>> auditd_etc_t
>> auditd_log_t
>> random_seed_t
>>
>> Although a couple of these (selinux config types) should probably not be
>> included.
> So things like private keys and passwords (or password containing files) I
> can understand. Why would auditd related files be considered to be "not
> readable"? What leaks/problems do you see with access to those files that
> are so severe?

I can see the audit_log_t files and perhaps files that MLS folks classify as
SystemHigh. The audit config should not be considered a security_file_type.

Bottom line is we should define this type. I think files that potentially
contain system secrets would be appropriate, and then remove the type from
other files.

> Wkr,
> Sven Vermeulen
>
> PS At least you can still query which types have security_file_type set.
> With the 2.4 userspace if the attribute is not directly used in rules,
> then it is no longer part of the policy:
>
> ~# seinfo -asecurity_file_type -x
> ERROR: Provided attribute (security_file_type) is not a valid attribute
> name.
>
> This is because the security_file_type is used for /excluding/ those
> types from rules (like "{ file_type -security_file_type }").
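The set-subtraction syntax the thread ends on, `{ file_type -security_file_type }`, is what keeps a broad "all file types" grant from reaching the secret-bearing types. The following Python is an added illustration of how such an expression expands to concrete types; it is not code from this thread, from refpolicy or from setools. The attribute memberships are a constructed toy model assembled from the types the thread lists (plus a few ordinary file types for contrast), and `expand` and `reachable` are hypothetical helper names, not a real policy API.

```python
"""Toy model of refpolicy type-set expansion.

Shows how a rule target such as '{ file_type -security_file_type }'
is resolved to concrete types, so that a broad read grant on file_type
still excludes shadow_t and friends.  Constructed example only: the
attribute memberships below are a toy model, not a real policy dump.
"""
import re

# Constructed toy policy: attribute name -> set of member types.
# security_file_type membership follows the seinfo listing quoted in
# the thread; file_type adds a few ordinary types for contrast.
ATTRIBUTES = {
    "file_type": {
        "etc_t", "bin_t", "var_log_t", "tmp_t",
        "selinux_config_t", "default_context_t", "dnssec_t", "shadow_t",
        "krb5_keytab_t", "selinux_login_config_t", "file_context_t",
        "audit_spool_t", "semanage_store_t", "auditd_etc_t",
        "auditd_log_t", "random_seed_t",
    },
    "security_file_type": {
        "selinux_config_t", "default_context_t", "dnssec_t", "shadow_t",
        "krb5_keytab_t", "selinux_login_config_t", "file_context_t",
        "audit_spool_t", "semanage_store_t", "auditd_etc_t",
        "auditd_log_t", "random_seed_t",
    },
}

# A token is an identifier, optionally prefixed with '-' for subtraction.
TOKEN = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")


def expand(expr, attributes=ATTRIBUTES):
    """Expand a type-set expression into the set of concrete types.

    Accepts a bare identifier or a brace-delimited list.  Each token is
    an attribute or type name; a leading '-' subtracts its members.
    Identifiers that are not attributes are treated as plain type names.
    """
    body = expr.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    positive, negative = set(), set()
    for tok in TOKEN.findall(body):
        negate = tok.startswith("-")
        name = tok.lstrip("-")
        members = attributes.get(name, {name})
        (negative if negate else positive).update(members)
    # Subtraction applies after all positive terms are collected.
    return positive - negative


def reachable(expr, attribute, attributes=ATTRIBUTES):
    """Return the members of `attribute` that a rule on `expr` reaches.

    An empty result means the expression fully excludes that attribute,
    which is the property the '-security_file_type' idiom relies on.
    """
    return expand(expr, attributes) & attributes[attribute]


if __name__ == "__main__":
    broad = "file_type"
    narrowed = "{ file_type -security_file_type }"
    print("reads granted by", broad, "reach secrets:",
          sorted(reachable(broad, "security_file_type")))
    print("reads granted by", narrowed, "reach secrets:",
          sorted(reachable(narrowed, "security_file_type")))
    print("types actually granted:", sorted(expand(narrowed)))
```

Running the module shows the broad `file_type` grant reaching every security_file_type member, while the narrowed expression reaches none of them and resolves to only the ordinary types. The same `reachable` check is a convenient way to audit a proposed rule target against any attribute you want kept out of reach.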