Thanks for this starting point; I have a few suggestions.
It'd be nice to use @{PROC} throughout for /proc/ rules.
It'd be nice to use Pixm for the pulseaudio program, so an existing profile for it can be used.
Granting lock to all of /usr/share/** feels too wide -- I can't think of consequences now, but it seems needless.
No existing profiles grant write privileges to /var/cache/fontconfig/* -- probably skype should also not have the ability to modify system-wide fontconfig cache files.
It would be nice to use the two-argument form of link permission for the kdeglobals rule to restrict which files can be linked.
It would be nice to use owner on the /tmp/tmp/** rule, to keep several users from colliding in this directory.
Thanks for this starting point; I have a few suggestions.
It'd be nice to use @{PROC} throughout for /proc/ rules. fontconfig/ * -- probably skype should also not have the ability to modify system-wide fontconfig cache files.
It'd be nice to use Pixm for the pulseaudio program, so an existing profile for it can be used.
Granting lock to all of /usr/share/** feels too wide -- I can't think of consequences now, but it seems needless.
No existing profiles grant write privileges to /var/cache/
It would be nice to use the two-argument form of link permission for the kdeglobals rule to restrict which files can be linked.
It would be nice to use owner on the /tmp/tmp/** rule, to keep several users from colliding in this directory.
Thanks