[DSE-Dev] Bug#1070039: there's an unused module for window managers
Antonio Russo
aerusso at aerusso.net
Sat Nov 1 17:40:26 GMT 2025
Are you willing to run upstream refpolicy? There is some momentum gaining
to get wayland confinement working. If you're using wayland, you might want
to start with policy/modules/session/wayland.*, and use those primitives. I
have no experience with X SELinux confinement, though.
I personally use KDE (and have a bunch of SELinux rules that are too dirty
to open an MR for right now). But, if you open an upstream MR, I'd be
interested in helping out, especially with standardizing the SELinux
interfaces for confining Wayland graphical sessions.
Antonio
On 2025-11-01 09:47, Sarah M wrote:
> On my system gnome-shell is getting launched as unconfined_t, but
> inspecting the default policy source shows that there's already a window
> manager module (wm.te, wm.fc, wm.if):
>
> https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/apps/wm.te
>
> which does give the execmem permission among other things, but only for
> wm_domain.
>
> The problem then is that gnome-shell is being launched as unconfined
> instead of wm_domain.
>
> My selinux is rusty but if I fix it I will post a solution. Then we don't
> have to allow execmem for everything.
>
>
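As an added example (not code from this thread or from refpolicy), a small POSIX shell check for the symptom Sarah describes: read the SELinux type a window-manager process actually runs in from `ps -eZ` output and compare it with the type the wm module is expected to give it. The sample `ps -eZ` lines are constructed, and the expected type name `wm_t` is a placeholder assumption; the real type is whatever the wm module's template creates on your system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from refpolicy.
# On a live system: ps -eZ | domain_of gnome-shell
#                   ps -eZ | check_domain gnome-shell <expected_wm_type>

# Print the SELinux type (third ':' field of the label) of every process
# whose command name (last column of `ps -eZ`) matches $1, reading stdin.
domain_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, c, ":"); print c[3] }'
}

# Exit 0 only if at least one process named $1 is running and every such
# process runs in type $2; exit 1 if none is found or any runs elsewhere
# (e.g. gnome-shell in unconfined_t instead of the wm domain).
check_domain() {
    cmd="$1"; want="$2"
    domain_of "$cmd" | awk -v want="$want" '
        { n++; if ($1 != want) bad++ }
        END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# Constructed sample shaped like `ps -eZ` output (not from a real system).
# "wm_t" below is a placeholder for the type the wm module actually creates.
SAMPLE='LABEL                                     PID TTY      TIME     CMD
system_u:system_r:init_t:s0                  1 ?        00:00:01 systemd
unconfined_u:unconfined_r:unconfined_t:s0 2345 ?        00:00:09 gnome-shell
system_u:system_r:wm_t:s0                 4567 ?        00:00:02 sway'

# Demonstration on the constructed sample: gnome-shell is in the wrong domain.
printf '%s\n' "$SAMPLE" | domain_of gnome-shell   # prints: unconfined_t
if printf '%s\n' "$SAMPLE" | check_domain gnome-shell wm_t; then
    echo "gnome-shell confined"
else
    echo "gnome-shell NOT in expected wm type"
fi
```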