From: aranea@aixah.de (Luis Ressel)
Date: Tue, 19 Sep 2017 18:40:20 +0200
Subject: [refpolicy] Do we need a new domain for /usr/share/misc/magic.mgc?
Message-ID: <20170919164021.19528-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

libmagic (better known by its CLI frontend 'file') needs to mmap() its
signature database, which is currently labeled usr_t. If any of
refpolicy's application domains need to call 'file' (or use libmagic)
directly, we may want to create a new domain for this signature db so
that the map permission can be granted only on this domain instead of
the much bigger usr_t.

However, the only domains I've found so far which need this access are
sysadm_t/staff_t/user_t and portage_t. The user domains already have the
neccessary permission, leaving only portage_t. Given that portage_t can
access *all* files in any case, I've decided to keep the policy simple
by just allowing it to map usr_t.

Is anyone aware of other file/libmagic users which would warrant the
creation of a new domain for the signature db?

Regards,
Luis Ressel