From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 17 Sep 2010 09:04:38 -0400
Subject: [refpolicy] Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific
In-Reply-To: <201009170937.11115.Nicky726@gmail.com>
References: <201009161816.19552.Nicky726@gmail.com> <201009162313.46206.Nicky726@gmail.com> <4C928D58.80209@redhat.com> <201009170937.11115.Nicky726@gmail.com>
Message-ID: <4C936766.3010307@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/17/2010 03:37 AM, Nicky726 wrote:
> On Thu 16 September 2010 23:34:16 you wrote:
>> On 09/16/2010 05:13 PM, Nicky726 wrote:
>>> On Thu 16 September 2010 21:22:07 you wrote:
>>>> On 09/16/2010 12:16 PM, Nicky726 wrote:
>>>>> Hello,
>>>>>
>>>>> while working on confinement of selected KDE apps, I came to the
>>>>> following issue:
>>>>>
>>>>> Directories ~/.config, ~/.local, ~/.local/share (and possibly others)
>>>>> are labeled as config_home_t, gconf_home_t and data_home_t, all owned
>>>>> by the gnome module. These directories are used by many more programs
>>>>> than just GNOME, ranging from KDE apps, pure Qt or GTK apps to, for
>>>>> example, ibus. User's trash is also put in one of those.
>>>>> Therefore I think that the directories should be labeled with types
>>>>> that are owned by another application/DE unspecific module (Dominick
>>>>> Grift in conversation mentioned these are part of freedesktop
>>>>> specifications, so I guess it can be named e.g. freedesktop). And their
>>>>> naming should also resign from application specific names, which is
>>>>> the case of gconf_home_t for ~/.local.
>>>>>
>>>>> Regards,
>>>>> Ondrej Vadinsky
>>>>
>>>> That is fine, and messages like this should go to the refpolicy mail
>>>> list. refpolicy at oss.tresys.com
>>>
>>> Those types seem to be part of Fedora SELinux policy, I could not find
>>> them in refpolicy, therefore I wrote to the Fedora mailing list.
>>>
>>>> We have lots of types that have used specific applications and ended up
>>>> being used by other applications. We have not gone back and changed the
>>>> names, mainly because of the hassle. For example.
>>>>
>>>> /usr/bin/epiphany -- system_u:object_r:mozilla_exec_t:s0
>>>
>>> Uh, ok, if you say so.
>>>
>>> Regards,
>>> Ondrej Vadinsky
>>
>> BTW I am not arguing with you and since they are not in refpolicy yet,
>> it makes it easier to change them.
>
> I guess I misunderstood. You intend to eventually fix it then?
>
> Regards
> Ondrej Vadinsky
>
No, I am saying you can suggest renames and try to get them upstream; if
you do, I will convert to using them. Once they are upstream it becomes a
pain to change.