From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: SE-Linux <selinux@tycho.nsa.gov>
Subject: policy for k3b (and cdrecord)
Date: Tue, 17 Aug 2004 19:33:11 +0100
Message-ID: <20040817183311.GR18321@lkcl.net>

i'm writing a policy for k3b (kde cd burner) and cdrecord because
write access by users to /dev/hdc is banned (policy violation) and
because, well, because.

sadly, k3b uses find to search the ENTIRE drive e.g. /dev and /
and stuff and so i get a whole stack of search and read permissions
requested.

this i can put up with by banning with dontaudit: i can do this because
i actually don't _want_ users to burn CDs with k3b except from anything from
their home directory, and any excessive number of dontaudits i am
personally quite happy with.

(and for backup purposes they can have a nice shiny button on the
desktop, using a different program, which will get its own nice policy
file).

my question is, therefore:

- for more generic use, obviously k3b must be allowed to access pretty
  much anything on / so what should i put in place of all the
  dontaudits and allow k3b_t user_home_t etc. stuff?

ta,

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net


