Labeling of ~/.local, ~/.config, ... owned by gnome though not gnome specific

Daniel J Walsh dwalsh at redhat.com
Fri Sep 17 13:04:38 UTC 2010


On 09/17/2010 03:37 AM, Nicky726 wrote:
> On Thu, 16 September 2010 23:34:16, you wrote:
>> On 09/16/2010 05:13 PM, Nicky726 wrote:
>>> On Thu, 16 September 2010 21:22:07, you wrote:
>>>> On 09/16/2010 12:16 PM, Nicky726 wrote:
>>>>> Hello,
>>>>>
>>>>> while working on confinement of selected KDE apps, I came to the following
>>>>> issue:
>>>>>
>>>>> Directories ~/.config, ~/.local, ~/.local/share (and possibly others)
>>>>> are labeled as config_home_t, gconf_home_t and data_home_t, all owned
>>>>> by the gnome module. These directories are used by many more programs than
>>>>> just GNOME, ranging from KDE apps, pure Qt or GTK apps to, for example,
>>>>> ibus. The user's trash is also put in one of those.
>>>>> Therefore I think that the directories should be labeled with types
>>>>> that are owned by another application/DE-unspecific module (Dominick
>>>>> Grift in conversation mentioned these are part of the freedesktop
>>>>> specifications, so I guess it can be named e.g. freedesktop). Their
>>>>> naming should also avoid application-specific names, which is
>>>>> the case with gconf_home_t for ~/.local.
>>>>>
>>>>> Regards,
>>>>> Ondrej Vadinsky
>>>>
>>>> That is fine, and messages like this should go to the refpolicy mail
>>>> list. refpolicy at oss.tresys.com
>>>
>>> Those types seem to be part of Fedora SELinux policy, I could not find
>>> them in refpolicy, therefore I wrote to Fedora mailing list.
>>>
>>>> We have lots of types that were used by specific applications and ended up
>>>> being used by other applications.  We have not gone back and changed the
>>>> names, mainly because of the hassle.  For example:
>>>>
>>>> /usr/bin/epiphany	--	system_u:object_r:mozilla_exec_t:s0
>>>
>>> Uh, ok, if you say so.
>>>
>>> Regards,
>>> Ondrej Vadinsky
>>
>> BTW I am not arguing with you and since they are not in refpolicy yet,
>> it makes it easier to change them.
> 
> I guess I misunderstood. You intend to eventually fix it then?
> 
> Regards
> Ondrej Vadinsky
> 
No, I am saying you can suggest renames and try to get them upstream; if
you do, I will convert to using them. Once they are upstream it becomes a
pain to change.