I'm trying to implement a policy for an ICQ client and, maybe, for
other network clients that may provide a huge security leak within a
user's domain. In order to check the SELinux inner workings, I try to
restrict Eterm's permissions because it is my goal to restrict licq to
its configuration directory only and deny any reads/writes outside of
that -- except maybe for /usr/lib/licq etc.


The .te file:

type Eterm_exec_t, file_type, exec_type;
type Eterm_dir_t, file_type;
type Eterm_t, daemon;
domain_auto_trans(user_t, Eterm_exec_t, Eterm_t)
domain_auto_trans(sysadm_t, Eterm_exec_t, Eterm_t)


The .fc file:

# Eterm
HOME_DIR/\.Eterm(/.+)? system_u:object_r:Eterm_t
/usr/bin/Eterm -- system_u:object_r:Eterm_exec_t
/usr/lib/Eterm/.* -- system_u:object_r:Eterm_exec_t


After rebuilding and reloading the policy files, running Eterm gives
me a transition from system_u:system_r:sysadm_t to
system_u:system_r:Eterm_t. However, although I have not granted any rights to
the Eterm_t domain, I can still work as a regular user and access all
of my files.

Do you know what's the problem here?

Best regards,
Mark

P.S. I'm running KDE and therefore (AFAIK) I'm running in the sysadm_t
domain when logged in as a regular user.