On Mon, May 04, 2009 at 10:21:14 -0400, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> The suggestion here is to use dbus to start applications in terminal
> shell as the same user UID, not to have the system dbus start the app.
> So I fail to see how this affects auditing. The goal here is to run
> restorecond as my UID. Not Root. Adding some module to pam does not
> help the multiple restorecond programs running, problem. And I still
> have the problem of cleaning up in the pam stack on exit.

I don't think you understand what my concern is. It may be that it isn't a big enough risk that it's worth worrying about. But I'll try to describe it better.

The user has some files in his home directory labelled, say, special_t that are not writeable by processes except for a few given processes. There are some processes which read these files (but not ones labelled user_home_t) and do things where one would be concerned if bad data was in these files. These files' names are known to selinux for relabelling purposes.

Some app is run by the user. This app then removes files labelled special_t and creates new ones with the same names labelled user_home_t as normal. The daemon process then relabels these files to special_t and bad things proceed to happen.