From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 19 Sep 2017 18:38:22 +0200
Subject: [refpolicy] Do we need a new domain for /usr/share/misc/magic.mgc?
In-Reply-To: <20170919164021.19528-1-aranea@aixah.de>
References: <20170919164021.19528-1-aranea@aixah.de>
Message-ID: <20170919163822.GA24469@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 19, 2017 at 06:40:20PM +0200, Luis Ressel via refpolicy wrote:
> Hello,
>
> libmagic (better known by its CLI frontend 'file') needs to mmap() its
> signature database, which is currently labeled usr_t. If any of
> refpolicy's application domains need to call 'file' (or use libmagic)
> directly, we may want to create a new domain for this signature db so
> that the map permission can be granted only on this domain instead of
> the much bigger usr_t.
>
> However, the only domains I've found so far which need this access are
> sysadm_t/staff_t/user_t and portage_t. The user domains already have the
> necessary permission, leaving only portage_t. Given that portage_t can
> access *all* files in any case, I've decided to keep the policy simple
> by just allowing it to map usr_t.
>
> Is anyone aware of other file/libmagic users which would warrant the
> creation of a new domain for the signature db?

Stuff like icons probably also needs to be mapped and is also usr_t, so I don't think that confining that by itself will solve all the issues.

>
> Regards,
> Luis Ressel

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
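An added example, not part of the original thread or of refpolicy: one way to answer the question raised above is to group denied `map` requests on usr_t files by source domain and path, then see which domains would still need `map` on usr_t if magic.mgc had its own type. The audit records are constructed, and `exampled_t` and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records; exampled_t is a hypothetical domain.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505839102.101:310): avc:  denied  { map } for  pid=2101 comm="file" path="/usr/share/misc/magic.mgc" dev="sda2" ino=40112 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505839102.245:311): avc:  denied  { read } for  pid=2101 comm="file" name="magic.mgc" dev="sda2" ino=40112 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505839110.007:320): avc:  denied  { map } for  pid=2200 comm="exampled" path="/usr/share/icons/hicolor/icon-theme.cache" dev="sda2" ino=50877 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505839115.412:325): avc:  denied  { map } for  pid=2101 comm="file" path="/usr/lib64/libexample.so" dev="sda2" ino=61020 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def map_denials(log_text, target_type="usr_t"):
    """Return {source_type: sorted paths} for denied 'map' on files of target_type."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        perms = PERMS_RE.search(line)
        if not perms or "map" not in perms.group(1).split():
            continue  # not a denial, or some permission other than map
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("tclass") != "file":
            continue
        # Contexts are user:role:type[:mls-range]; index 2 is the type.
        src = fields.get("scontext", "").split(":")
        tgt = fields.get("tcontext", "").split(":")
        if len(src) < 3 or len(tgt) < 3 or tgt[2] != target_type:
            continue
        found[src[2]].add(fields.get("path", "<no path>"))
    return {dom: sorted(paths) for dom, paths in found.items()}


def still_need_usr_t(denials, relabeled="/usr/share/misc/magic.mgc"):
    """Domains that would still need map on usr_t if `relabeled` got its own type."""
    remaining = {}
    for dom, paths in denials.items():
        other = [p for p in paths if p != relabeled]
        if other:
            remaining[dom] = other
    return remaining


if __name__ == "__main__":
    denials = map_denials(SAMPLE_AUDIT_LOG)
    print(denials)
    print(still_need_usr_t(denials))
```
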