kdeinit avcs

Russell Coker russell at coker.com.au
Tue Mar 9 04:40:00 UTC 2004


On Tue, 9 Mar 2004 11:52, Josh Boyer <jwboyer at charter.net> wrote:
> I get these avcs when running kopete:

Firstly one thing to note is that KDE does weird stuff with executables, so 
everything seems to be "kdeinit".  This limits what can be done with SE Linux 
policy as everything runs in the domain for kdeinit (user_t in this case).

> avc:  denied  { write } for  pid=4371 exe=/usr/bin/kdeinit
> path=/var/tmp/kdecache-jwboyer/http/l/loginnet.passport.com_login.srf_42a239b5.new
> dev=hda5 ino=1571952 scontext=jwboyer:user_r:user_t
> tcontext=jwboyer:object_r:file_t tclass=file

Generally nothing should be labelled as file_t.  The problem is that when 
installing we can't relabel /tmp and /var/tmp properly as there's no good way 
of knowing which file should have each context.  If you log out and then do 
"rm -rf /var/tmp/kdecache-jwboyer" and the same for any other KDE stuff that 
may be hanging around in /var/tmp (maybe ksocket-jwboyer and kde-jwboyer, and 
mcop-jwboyer) then your next login should have it working properly.

> To solve issues like this, should I define a new policy for kdeinit, put
> kdeinit into a different domain, define some dontaudit rules, etc?

Running different domains for different parts of KDE will be really difficult.  
They all want read/write access to the same config files, and it becomes a 
real mess.  This is just background info not related to the solution to your 
problem.

> There are lots of avcs to deal with, and I am just trying to determine what
> an appropriate fix for some of them are.

The appropriate fix for the problems you show is to correctly label the files 
under /var/tmp.  This means removing the kde temporary files while you are 
logged out.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
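
One way to work out from a denial log which temporary directories need the cleanup described in the message, as an added example that is not part of the original post: it parses AVC lines in the format quoted above and lists the top-level directories under /var/tmp or /tmp whose target context has type file_t. The sample log, the user name alice and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in the AVC format quoted in the message above.
SAMPLE_LOG = """\
avc:  denied  { write } for  pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-alice/http/l/page.new dev=hda5 ino=100 scontext=alice:user_r:user_t tcontext=alice:object_r:file_t tclass=file
avc:  denied  { read } for  pid=4371 exe=/usr/bin/kdeinit path=/var/tmp/kdecache-alice/other dev=hda5 ino=101 scontext=alice:user_r:user_t tcontext=alice:object_r:file_t tclass=file
avc:  denied  { read write } for  pid=4380 exe=/usr/bin/kdeinit path=/var/tmp/ksocket-alice/sock dev=hda5 ino=102 scontext=alice:user_r:user_t tcontext=alice:object_r:file_t tclass=sock_file
avc:  denied  { getattr } for  pid=4390 exe=/usr/bin/kdeinit path=/var/tmp/labelled/data dev=hda5 ino=103 scontext=alice:user_r:user_t tcontext=system_u:object_r:tmp_t tclass=file
kernel: some unrelated log line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")  # limitation: paths containing spaces are truncated

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus 'perms', or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec

def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabelled_tmp_dirs(log_text, roots=("/var/tmp", "/tmp")):
    """Map each top-level dir under roots to the perms denied on file_t targets."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or type_of(rec.get("tcontext", "")) != "file_t":
            continue  # not a denial, or the target already has a real label
        path = rec.get("path", "")  # denials without path= cannot be located
        for root in roots:
            if path.startswith(root + "/"):
                top = path[len(root) + 1:].split("/", 1)[0]
                hits[f"{root}/{top}"].update(rec["perms"])
                break
    return dict(hits)

if __name__ == "__main__":
    for directory, perms in sorted(unlabelled_tmp_dirs(SAMPLE_LOG).items()):
        print(f"{directory}: file_t target, denied {sorted(perms)}")
```

The directories it reports are candidates for the removal the message describes, done while the user is logged out.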
