From: nicky726@gmail.com (Nicky726) Date: Mon, 17 Aug 2009 16:40:49 +0200 Subject: [refpolicy] Basic policy for KDE and Konqueror In-Reply-To: <1250103483.19221.31.camel@notebook2.grift.internal> References: <200908121440.21006.Nicky726@gmail.com> <1250103483.19221.31.camel@notebook2.grift.internal> Message-ID: <200908171640.49651.Nicky726@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, Dominick Grift wrote: > kde.fc > remove the file context specification for objects in /tmp and links to > objects in /tmp. /tmp is a filesystem for temporary objects. file > context specifications are to ensure that objects stay labeled properly. > > http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html I understand that file context specification for /tmp are are wrong. How should I solve the problem of dividing KDE /tmp stuff from users for yet unconfined KDE applications, so that I don't have to allow confined KDE apps to read whole user_tmp_t? > kde.te > > How is kde going to be able to interact with and manage the objects it > owns in $home and $tmp? I intended kde module to be a layer between unconfined zone and confined KDE applications. So if there are needs to read/write some files which belong to not yet confined KDE applications, I don't have to enable this for unconfined user_tmp_t or user_home_t. So I didn't intended kde module itself to do more than just hold its files context and provide interface for already confined KDE applications to work with theese files. Thanks for your time. Ondrej Vadinsky (Nicky726) -- "Don't it always seem to go That you don't know what you've got Till it's gone." (Joni Mitchell)