On Tuesday, 03 January 2017 at 13:18, Ralf Corsepius wrote:
On 01/03/2017 11:53 AM, Martin Gansser wrote:
i am the package maintainer of boomaga and users told me that there is a problem with access rights, when writing to ~/.cache directory. A selinux package already exists for testing in: https://martinkg.fedorapeople.org/Review/test/boomaga/ And a bugzilla bug report also exists: https://bugzilla.redhat.com/show_bug.cgi?id=1409115 Bugreport on the boomaga developer site: https://github.com/Boomaga/boomaga/issues/43
Can someone help to write the correct selinux rules ?
Well, rpms are not suppose to touch anything below $HOME at all.
I.e. $HOME rsp. ~/ is out of rpm's (and SELinux's) business
While the above is correct for rpm, SELinux does have business in protecting $HOME. Just run ls -lZ in your home directory and see for yourself. For example, ~/public_html has httpd_user_content_t context, ~/bin has home_bin_t, ~/.config has config_home_t, etc.
In this particular case, ~/.cache has cache_home_t context, so the application needs a policy update to have write access to that context. You should be able to create a policy semi-automatically using audit2allow when running in permissive mode.
Regards, Dominik