From: aranea@aixah.de (Luis Ressel) Date: Tue, 19 Sep 2017 18:40:20 +0200 Subject: [refpolicy] Do we need a new domain for /usr/share/misc/magic.mgc? Message-ID: <20170919164021.19528-1-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, libmagic (better known by its CLI frontend 'file') needs to mmap() its signature database, which is currently labeled usr_t. If any of refpolicy's application domains need to call 'file' (or use libmagic) directly, we may want to create a new domain for this signature db so that the map permission can be granted only on this domain instead of the much bigger usr_t. However, the only domains I've found so far which need this access are sysadm_t/staff_t/user_t and portage_t. The user domains already have the neccessary permission, leaving only portage_t. Given that portage_t can access *all* files in any case, I've decided to keep the policy simple by just allowing it to map usr_t. Is anyone aware of other file/libmagic users which would warrant the creation of a new domain for the signature db? Regards, Luis Ressel