From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 3 Aug 2011 13:48:20 -0400 Subject: [refpolicy] [PATCH/RFC] Add support for the skype_t domain In-Reply-To: <4E395374.6040105@redhat.com> References: <20110724153808.GA25350@siphos.be> <4E32AEB5.2030100@tresys.com> <20110803134256.GB9734@siphos.be> <4E395374.6040105@redhat.com> Message-ID: <4E3989E4.3000906@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/03/11 09:56, Daniel J Walsh wrote: > On 08/03/2011 09:42 AM, Sven Vermeulen wrote: >> On Fri, Jul 29, 2011 at 08:59:33AM -0400, Christopher J. PeBenito >> wrote: >>> On 07/24/11 11:38, Sven Vermeulen wrote: >>>> The skype application is a popular voice and video chat >>>> application. This patch adds preliminary support for skype on >>>> SELinux. >> [...] >>>> +userdom_manage_user_home_content_dirs(skype_t) >>>> +userdom_manage_user_home_content_files(skype_t) >>> >>> Is this really necessary since there is skype_home_t? > >> Depends on the use case, but Skype can be used to send and receive >> files, so skype_t needs to be able to manage the users' home >> directory content. > >> Not that I'm happy with that, but it seems to be how most >> applications handle this. I personally prefer a specific type for >> interacting with the "outside" world (user_download_t or so) and have >> the apps be able to manage that type rather than user_home_t. But >> that does make it more difficult to explain to users (not really >> userfriendly). > >> Thanks for the feedback (also on the other RFC mail)! > > Can skype work fine without this ability? I would think you could add a > boolean and for most people who only do Video or phone calls would not > need the ability to read/write user_home_t. Agreed. I'd prefer it this way, if possible. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com