From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 19 Sep 2017 18:22:10 -0400 Subject: [refpolicy] Do we need a new domain for /usr/share/misc/magic.mgc? In-Reply-To: <20170919203655.7b2757c2@vega.skynet.aixah.de> References: <20170919164021.19528-1-aranea@aixah.de> <20170919163822.GA24469@julius.enp8s0.d30> <20170919203655.7b2757c2@vega.skynet.aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/19/2017 02:36 PM, Luis Ressel via refpolicy wrote: > On Tue, 19 Sep 2017 18:38:22 +0200 > Dominick Grift via refpolicy wrote: > >> On Tue, Sep 19, 2017 at 06:40:20PM +0200, Luis Ressel via refpolicy >> wrote: >>> Hello, >>> >>> libmagic (better known by its CLI frontend 'file') needs to mmap() >>> its signature database, which is currently labeled usr_t. If any of >>> refpolicy's application domains need to call 'file' (or use >>> libmagic) directly, we may want to create a new domain for this >>> signature db so that the map permission can be granted only on this >>> domain instead of the much bigger usr_t. >>> >>> However, the only domains I've found so far which need this access >>> are sysadm_t/staff_t/user_t and portage_t. The user domains already >>> have the neccessary permission, leaving only portage_t. Given that >>> portage_t can access *all* files in any case, I've decided to keep >>> the policy simple by just allowing it to map usr_t. >>> >>> Is anyone aware of other file/libmagic users which would warrant the >>> creation of a new domain for the signature db? >> >> Stuff like icons probably also need to be mapped and are also usr_t, >> so i don't think that confining that by itself will solve all the >> issues > > Yes, the GTK icon cache is also labeled usr_t and needs to be mappable. > However, compared to magic.mgc there are more domains which will need > this access, so I'm planning to create a new domain. > > If I don't run into any problems, I'll submit a patch after dinner. I'm not really concerned about mapping usr_t, as it is generally not writeable. -- Chris PeBenito