Okay, mozilla's handling of saved files is a problem. Here's what it does: files saved under ROLE_home_dir_t or ROLE_home_t directories turn to ROLE_mozilla_home_t via file_type_auto_trans.

Here's what gift does by default: it has a download folder where it puts stuff. The downloaded files turn to ROLE_gift_home_t (context of parent folder, which is ~/.giFT/completed or something).

Here's what mencoder does: it saves stuff as ROLE_mplayer_home_t via file_type_auto_trans.

==============

This is bad for interoperability. Using the home_domain macro, the user has access to the home_domain type of an application. However, one app has no access to the home_domain type of another app. Basically I can never play (mplayer) a movie that I just downloaded, whether it was via mozilla or gift.

Alternatively, there could be a common data type, ROLE_home_t. However, none of those apps can save its data directly under /home/username as ROLE_home_t, because all of them have a home_domain, and that's where the file_type_auto_trans rule is used. There can't be more than one file_type_auto_trans on the same folder type (right?). Furthermore, this seems to be explicitly avoided for mozilla (it does not write to ROLE_home_t for security reasons: overwriting .bashrc?).

============

Ok, here. Fundamentally, what I want to know is:

1) Do desktop apps need to be confined? Is it a good idea to confine them?
2) If so, a shared data type is needed for interoperability. Is ROLE_home_t acceptable for that purpose?
3)

0) No
1) Shared data type is needed for interoperability
2) Keeping both application settings and user data in the same folder is a problem
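As an added illustration (not part of the original message or of any shipped policy), the behaviour described above written as old-style example-policy rules. It assumes ROLE is instantiated as `user`, uses the `file_type_auto_trans` macro named in the message, and assumes mencoder runs in the mplayer_t domain; the final two rules show the shape of the cross-application permission that the message says is missing.

```m4
# Added illustration in the old example-policy m4 style. Type and domain
# names are the message's ROLE_* names with ROLE = user (an assumption).

# mozilla: anything it creates under the home directory, or under a
# ROLE_home_t directory, is labelled user_mozilla_home_t
file_type_auto_trans(mozilla_t, user_home_dir_t, user_mozilla_home_t)
file_type_auto_trans(mozilla_t, user_home_t, user_mozilla_home_t)

# giFT: no transition rule at all; completed downloads simply inherit
# the label of ~/.giFT/completed, which is user_gift_home_t

# mencoder (assumed to run as mplayer_t): saved output becomes
# user_mplayer_home_t
file_type_auto_trans(mplayer_t, user_home_dir_t, user_mplayer_home_t)

# The interoperability gap: each domain may read its own *_home_t type,
# but nothing grants mplayer_t access to the other applications' types,
# so a freshly downloaded movie is unreadable to it. Rules of this shape
# would have to exist (or a shared type be used) before playback works.
allow mplayer_t { user_mozilla_home_t user_gift_home_t }:dir { read getattr search };
allow mplayer_t { user_mozilla_home_t user_gift_home_t }:file { read getattr };
```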