On Mon, 21 Jun 2004 10:47, Richard Hally <rhallyx@xxxxxxxxxxxxxx> wrote:
> Jun 20 20:31:30 new2 kernel: audit(1087777890.697:0): avc: denied {
> write } for pid=3471 exe=/usr/lib/mozilla-1.6/mozilla-xremote-client
> name=X0 dev=hda2 ino=1840568 scontext=richard:staff_r:staff_mozilla_t
> tcontext=system_u:object_r:xdm_tmp_t tclass=sock_file

That's a known issue. The policy regarding X client applications connecting
to servers needs to be re-written to make it cleaner. For the moment just
allow this.

> Jun 20 20:31:34 new2 kernel: audit(1087777894.263:0): avc: denied {
> unlink } for pid=3457 exe=/usr/lib/mozilla-1.6/mozilla-bin
> name=.fonts.cache-1 dev=hda2 ino=1091707
> scontext=richard:staff_r:staff_mozilla_t
> tcontext=richard:object_r:staff_home_t tclass=file

This is an instance of the big problem with having multiple domains used for
applications run from the user's account. They have files that are used by
multiple applications and there is no consistent way of managing them.

The .fonts.cache file is used by many programs other than mozilla, most of
which run as staff_t (in the case of staff_r logins) and therefore the type
is staff_home_t. Labelling the file as staff_mozilla_rw_t is not going to
work as I think that some programs will unlink and recreate it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page