On Tue, 9 Mar 2004 11:52, Josh Boyer <jwboyer@xxxxxxxxxxx> wrote:
> I get these avcs when running kopete:

Firstly one thing to note is that KDE does weird stuff with executables, so everything seems to be "kdeinit". This limits what can be done with SE Linux policy as everything runs in the domain for kdeinit (user_t in this case).

> avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit
> path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a239b5.new
> dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t
> tcontext=jwboyer:object_r:file_t tclass=file

Generally nothing should be labelled as file_t. The problem is that when installing we can't relabel /tmp and /var/tmp properly as there's no good way of knowing which file should have each context.

If you log out and then do "rm -rf /var/tmp/kdecache-jwboyer" and the same for any other KDE stuff that may be hanging around in /var/tmp (maybe ksocket-jwboyer and kde-jwboyer, and mcop-jwboyer) then your next login should have it working properly.

> to solve issues like this, should i define a new policy for kdeinit, put
> kdeinit into a different domain, define some dontaudit rules, etc?

Running different domains for different parts of KDE will be really difficult. They all want read/write access to the same config files, and it becomes a real mess. This is just background info not related to the solution to your problem.

> there are lots of avcs to deal with, and i am just trying to determine what
> an appropriate fix for some of them are.

The appropriate fix for the problems you show is to correctly label the files under /var/tmp. This means removing the KDE temporary files while you are logged out.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
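
Added example, not part of the original message: a small triage script that reads AVC denials in the format quoted above and lists the top-level entries under /tmp and /var/tmp whose target context is still file_t, which are the leftovers the reply says to remove while logged out. The function names, the user "exampleuser" and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the AVC format quoted in the message (not real logs).
SAMPLE_LOG = """\
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-exampleuser/http/a/cache_entry.new dev=hda5 ino=1001 scontext=exampleuser:user_r:user_t tcontext=exampleuser:object_r:file_t tclass=file
avc: denied { write } for pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-exampleuser/http/b/other_entry.new dev=hda5 ino=1002 scontext=exampleuser:user_r:user_t tcontext=exampleuser:object_r:file_t tclass=file
avc: denied { read } for pid=4400 exe=/usr/bin/kdeinit path=/var/tmp/ksocket-exampleuser/kdeinit__0 dev=hda5 ino=1003 scontext=exampleuser:user_r:user_t tcontext=exampleuser:object_r:file_t tclass=sock_file
avc: denied { read } for pid=4501 exe=/usr/bin/example path=/etc/example.conf dev=hda5 ino=1004 scontext=exampleuser:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
TEMP_ROOTS = ("/tmp/", "/var/tmp/")

def parse_avc(line):
    """Return the key=value fields of one denial as a dict, or None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Assumption: values contain no spaces, as in the quoted denial.
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    return rec

def unlabelled_temp_dirs(log_text):
    """Map each top-level entry under /tmp or /var/tmp to its denied file_t paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "path" not in rec or "tcontext" not in rec:
            continue
        parts = rec["tcontext"].split(":")  # user:role:type
        if len(parts) < 3 or parts[2] != "file_t":
            continue
        for root in TEMP_ROOTS:
            if rec["path"].startswith(root):
                top = root + rec["path"][len(root):].split("/", 1)[0]
                hits[top].add(rec["path"])
    return {d: sorted(paths) for d, paths in hits.items()}

if __name__ == "__main__":
    for d, paths in sorted(unlabelled_temp_dirs(SAMPLE_LOG).items()):
        print(f"{d}: {len(paths)} denied file_t path(s)")
```
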