SELinux Mailing List

Re: /tmp

From: Ivan Gyurdiev <ivg2_at_cornell.edu>
Date: Wed, 27 Apr 2005 10:09:23 -0400

> It seems like all those folders should be created ahead of time (login
> script? tmp could be on tmpfs), and their context set to the right thing
> - but the right thing should be in the policy - should be able to use
> restorecon on those files. Couldn't such tmp files be made to work
> similarly to the home directories? Any suggestions?

So couldn't a new expansion be added called USER that expands to the corresponding user name?

/tmp                   <<none>>
/tmp/orbit-USER        system_u:object_r:ROLE_orbit_tmp_t
/tmp/gconfd-USER       system_u:object_r:ROLE_gconfd_tmp_t
/tmp/scrollkeeper-USER system_u:object_r:ROLE_scrollkeeper_tmp_t
/tmp/hsperfdata_USER   system_u:object_r:ROLE_java_tmp_t
/tmp/.esd              system_u:object_r:esd_tmp_t

And then, in /etc/profile.d/selinux.sh, create a whole bunch of those folders, or restorecon existing ones?

-- 
Ivan Gyurdiev <ivg2@cornell.edu>
Cornell University


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 27 Apr 2005 - 10:09:47 EDT
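
An added illustration of the USER expansion proposed in the message above; it is not part of the original post and is not code from any SELinux tool. The user-to-role mapping is constructed sample data, and escaping the user name assumes the expanded path is matched as a regular expression.

```python
import re

# Template lines as posted in the message; USER and ROLE are placeholders.
TEMPLATE = """\
/tmp                   <<none>>
/tmp/orbit-USER        system_u:object_r:ROLE_orbit_tmp_t
/tmp/gconfd-USER       system_u:object_r:ROLE_gconfd_tmp_t
/tmp/scrollkeeper-USER system_u:object_r:ROLE_scrollkeeper_tmp_t
/tmp/hsperfdata_USER   system_u:object_r:ROLE_java_tmp_t
/tmp/.esd              system_u:object_r:esd_tmp_t
"""

# Constructed sample data: login name -> role prefix substituted for ROLE.
SAMPLE_USERS = {"alice": "user", "j.smith": "staff"}


def expand(template, users):
    """Return (path, context) pairs with USER and ROLE expanded per user."""
    entries = []
    for line in template.splitlines():
        if not line.strip():
            continue
        path, context = line.split(None, 1)
        context = context.strip()
        if "USER" not in path and "ROLE" not in context:
            candidates = [(path, context)]  # static entry, emitted once
        else:
            # Assumption: the path is matched as a regular expression, so a
            # name such as "j.smith" is escaped to match only itself.
            candidates = [
                (path.replace("USER", re.escape(user)),
                 context.replace("ROLE", role))
                for user, role in sorted(users.items())
            ]
        for entry in candidates:
            if entry not in entries:  # two users may share a role
                entries.append(entry)
    return entries


def render(entries):
    """Format the pairs as aligned path/context lines."""
    width = max(len(path) for path, _ in entries)
    return "\n".join(f"{path:<{width}}  {context}" for path, context in entries)


if __name__ == "__main__":
    print(render(expand(TEMPLATE, SAMPLE_USERS)))
```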
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service