Skip to content

The gnome module is an unexpected place to define the XDG Base Directories #2684

New issue
New issue
Open
Open
The gnome module is an unexpected place to define the XDG Base Directories#2684
@gucci-on-fleek

Description

@gucci-on-fleek
gucci-on-fleek
opened on May 10, 2025

On a headless server, I would expect that it would be safe to disable the gnome SELinux module. However, this module defines the SELinux rules for the XDG Base Directories:

selinux-policy/policy/modules/contrib/gnome.te

Lines 13 to 23 in 994e508

type gconf_etc_t;
files_config_file(gconf_etc_t)
type data_home_t, gnome_home_type;
userdom_user_home_content(data_home_t)
type config_home_t, gnome_home_type;
userdom_user_home_content(config_home_t)
type cache_home_t, gnome_home_type;
userdom_user_home_content(cache_home_t)

selinux-policy/policy/modules/contrib/gnome.fc

Lines 1 to 23 in 994e508

HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)

Many of the other SELinux modules depend on data_home_t and config_home_t, and Podman and systemd (among others) heavily rely on the XDG Base Directories, so these folders probably shouldn't depend on Gnome.

Also, gconf_etc_t is an unexpected name for ~/.local/, so I'd additionally suggest that this should be renamed to something like home_local_t (avoiding local_home_t since local_ is a recommended prefix for custom modules) and then making gconf_etc_t an alias of that.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions