Re: A daemon that needs execmem

Lukas Vrabec:
> Hi,
> Could you attach raw AVCs and source policy files?
> 
> Thank you.

Of course.

The policy is "under development".  It is mostly coming from running
in permissive mode with dontaudit rules disabled, and putting the
output through "audit2allow".  I've started to clean it up a little;
much should be dontaudited instead.  But as I said, I've only
started.

To avoid spamming the list I placed the complete files at

ftp://ftp.uddeborg.se/pub/teamviewer-selinux

The pieces that I believe are interesting for the purpose of this
discussion are:

From teamviewer.te:

    type teamviewerd_t;
    type teamviewerd_exec_t;
    init_daemon_domain(teamviewerd_t, teamviewerd_exec_t)

    allow init_t self:process execmem;
    allow teamviewerd_t self:process { execmem setsched };

From teamviewer.fc:

    /opt/teamviewer/tv_bin/teamviewerd      --      gen_context(system_u:object_r:teamviewerd_exec_t,s0)

Relevant AVCs before I added the allow rules:

    type=AVC msg=audit(1467890892.113:74507): avc:  denied  { execmem } for  pid=26267 comm="teamviewerd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1
    type=AVC msg=audit(1467890892.114:74508): avc:  denied  { execmem } for  pid=26267 comm="teamviewerd" scontext=system_u:system_r:teamviewerd_t:s0 tcontext=system_u:system_r:teamviewerd_t:s0 tclass=process permissive=1
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx



