For a few days I've been playing around with spice, eventually also on an SELinux Gentoo. However, at first it didn't work on such a system until I disabled all security features with paxctl. Right now the "spice-vdagent" executable looks like this, which works:

baltix ~ # paxctl -v /usr/bin/spice-vdagent
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -p-s-m-x-e-r [/usr/bin/spice-vdagent]
        PAGEEXEC is disabled
        SEGMEXEC is disabled
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled
        RANDMMAP is disabled

However, I'm also just playing around with SELinux, and I guess such changes to executables are usually handled with the "selinux" useflag (which is not present right now) and therefore with policies. I also searched the web for such a policy and found [1], but unfortunately I don't know how to implement new policies, so I hope someone can add one :)

[1] https://bugzilla.redhat.com/show_bug.cgi?id=648553
I couldn't immediately find a reference in that bug where the policy itself is at, but refpolicy already holds a policy for vdagent (which I believe is the same thing, not?). However, that policy confined the spice-vdagentd (daemon), whereas your path looks like a client-side package. In any case, I'll add in selinux-vdagent to support the daemon to start with.
rev4 is in hardened-dev overlay, which includes the selinux-vdagent policy. When it hits the main tree, I'll also add in the dependency on spice towards this policy (can't do it sooner for obvious reasons).
In main tree, ~arch'ed (rev 5)
stabilized