On 09/02/2014 10:54 AM, Göran Uddeborg wrote:
I'm trying to create a module for the Net ID electronic identification
system used in Sweden.  With the standard policy, this does not work
with SELinux enabled, but works fine in permissive mode.

Net ID works as a plugin to Firefox.  The plugin starts a separate
program "iid".  This program needs access to some files in the user's
home directory, and also to open a graphical window for reading a
passphrase and the like.

My idea was to create a specific domain for this program, and try to
allow this domain as little as necessary.  I'm working with this in
permissive mode, trying to check what it tries to do, and trying to find
the correct M4 macros to enable it.

One thing confuses me.  If I try to run the same thing in enforcing
mode, the application doesn't come up at all.  That's not surprising,
the new policy isn't finished yet.

But what IS surprising is I don't get any AVC telling me why.  Even if
I rebuild with "semodule -DB" I only get a couple of comments about the
plugin-container not being allowed to read/write a unix_stream_socket
with the type xdm_t.  As I understand it, that is unrelated and
normally dontaudited.

But then, why don't I get any AVCs?  What is blocking without
telling?

For reference, I attach the policy so far as I've come.  But note that
it is not under development.  (But comments on mistakes I've made and
other suggestions are welcome in any case! :-)
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Look for SELINUX_ERR, I believe you have a RBAC problem.

You need to add something like

role unconfined_r types netid_t;
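A quick way to do that check, added here as an example and not part of the thread: it scans audit records for SELINUX_ERR, pulls the role and type out of the rejected context, and prints the role statement that would authorize the pair. The audit lines are constructed, the key=value layout of the SELINUX_ERR record is assumed, and the type names other than netid_t are made up.

```shell
#!/bin/sh
# Constructed sample audit records (not from the original thread): one
# SELINUX_ERR from a domain transition into netid_t that the role
# unconfined_r is not authorized for, and one ordinary AVC denial.
# The RBAC failure shows up as SELINUX_ERR, not as an AVC, which is why
# "no AVC" does not mean "nothing was blocked".
SAMPLE_AUDIT_LOG='type=SELINUX_ERR msg=audit(1409652000.123:456): op=security_compute_sid invalid_context=unconfined_u:unconfined_r:netid_t:s0 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:netid_exec_t:s0 tclass=process
type=AVC msg=audit(1409652001.456:457): avc:  denied  { read write } for  pid=1234 comm="plugin-containe" path="socket:[12345]" dev="sockfs" ino=12345 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=unix_stream_socket permissive=0'

# Read audit records on stdin; for every distinct role/type pair found in
# the invalid_context of a SELINUX_ERR record, print the policy statement
# "role <role> types <type>;" that the reply above recommends adding.
suggest_role_rules() {
    grep 'type=SELINUX_ERR' |
    grep -o 'invalid_context=[^ ]*' |
    # Split on '=' and ':' so $3 is the role and $4 is the type of the
    # rejected context user:role:type:level.
    awk -F'[=:]' '{ rule = "role " $3 " types " $4 ";"; if (!seen[rule]++) print rule }'
}

# Count plain AVC records, to show how many "real" denials were logged.
count_avc_records() {
    grep -c 'type=AVC' || true
}

main() {
    echo "Role statements needed:"
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | suggest_role_rules
    echo "AVC records in the sample: $(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_avc_records)"
}

main
```

On a live system the same function can be fed with `ausearch -m SELINUX_ERR -i` output or the raw /var/log/audit/audit.log.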