From: nicky726@gmail.com (Nicky726)
Date: Mon, 17 Aug 2009 16:40:49 +0200
Subject: [refpolicy] Basic policy for KDE and Konqueror
In-Reply-To: <1250103483.19221.31.camel@notebook2.grift.internal>
References: <200908121440.21006.Nicky726@gmail.com>
	<1250103483.19221.31.camel@notebook2.grift.internal>
Message-ID: <200908171640.49651.Nicky726@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

Dominick Grift wrote:
> kde.fc
> remove the file context specification for objects in /tmp and links to
> objects in /tmp. /tmp is a filesystem for temporary objects. file
> context specifications are to ensure that objects stay labeled properly.
> 
> http://domg444.blogspot.com/2007/11/why-files-with-incompatible-types-in.html

I understand that file context specification for /tmp are are wrong. How should 
I solve the problem of dividing KDE /tmp stuff from users for yet unconfined KDE 
applications, so that I don't have to allow confined KDE apps to read whole 
user_tmp_t? 

> kde.te
> 
> How is kde going to be able to interact with and manage the objects it
> owns in $home and $tmp?

I intended kde module to be a layer between unconfined zone and confined KDE 
applications. So if there are needs to read/write some files which belong to 
not yet confined KDE applications, I don't have to enable this for unconfined 
user_tmp_t or user_home_t. So I didn't intended kde module itself to do more 
than just hold its files context and provide interface for already confined KDE 
applications to work with theese files.

Thanks for your time.

Ondrej Vadinsky
(Nicky726)

-- 

"Don't it always seem to go
That you don't know what you've got
Till it's gone."

                                         (Joni Mitchell)