[DSE-Dev] Bug#1070039: Bug#1070039: Bug#1070039: there's an unused module for window managers
Russell Coker
russell at coker.com.au
Sun Nov 2 05:38:07 GMT 2025
close 1070039
thanks
On Sunday, 2 November 2025 04:40:26 AEDT Antonio Russo wrote:
> Are you willing to run upstream refpolicy? There is some momentum gaining
The Debian/Trixie policy is 11,800 lines of patches in 27 patch files away from
upstream (some of which is backports from newer upstream git). Since the
version of refpolicy in Trixie I've submitted a lot of patches upstream and
against the latest git the difference is 4,200 lines of patches in 14 patch
files.
Anything you can do in upstream policy you should expect to be able to do in
the Debian policy of the same era.
I have no immediate plans for doing backports but wouldn't object if someone
else wanted to do that. So anything in the 20250213 upstream release should
work in Trixie.
> to get wayland confinement working. If you're using wayland, you might want
> to start with policy/modules/session/wayland.*, and use those primitives.
> I have no experience with X SELinux confinement, though.
In Debian SE Linux we haven't done anything with X confinement because of lack
of time. If you would like to help out that would be great! Wayland gives us
some new good options for these things.
The current policy binary packages for Debian don't include the Wayland
module. It wouldn't be difficult for someone to install the selinux-policy-
src package which includes the source for that and then build it locally. But
significantly more work is needed on this than just including that module.
It would be good if we had more people to work on such things.
> I personally use KDE (and have a bunch of SELinux rules that are too dirty
> to open an MR for right now). But, if you open an upstream MR, I'd be
> interested in helping out, especially with standardizing the SELinux
> interfaces for confining Wayland graphical sessions.
Do we have code in any Wayland window manager to do SE Linux checks? Without
that we can't do more for wayland than the user_wm_t currently allows (which
isn't a lot).
> On 2025-11-01 09:47, Sarah M wrote:
> > On my system gnome-shell is getting launched as unconfined_t, but
> > inspecting the default policy source shows that there's already a window
> > manager module (wm.te, wm.fc, wm.if):
> >
> > https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/
> > apps/wm.te
> >
> > which does give the execmem permission among other things, but only for
> > wm_domain.
> >
> > The problem then is that gnome-shell is being launched as unconfined
> > instead of wm_domain.
semanage login -m -s user_u -r s0 __default__
You could run a command like the above to make the default login have the
user_u identity.
semanage user -a -P user -R user_r -r s0-s0:c0.c1023 etbe
semanage login -a -s etbe -r s0-s0:c0.c1023 etbe
Or commands like the above to create a new identity and assign it to a user.
> > My selinux is rusty but if I fix it I will post a solution. Then we don't
> > have to allow execmem for everything.
You can create your own module (I used the name local.te on my systems for
local changes) to add execmem to only the domains that should have it, rather
than having a boolean for many domains.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
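As an added illustration of the local module approach described above (this is not code from the thread or from the Debian refpolicy package), the following local.te grants execmem to a single domain. It assumes the domain to be extended is user_wm_t, which is only chosen because it is the window manager domain mentioned in the reply; substitute whatever domain your window manager actually runs in (check with `ps -eZ`). The module is written in raw policy language so it can be built with checkmodule and semodule_package without needing the refpolicy source tree installed.

```selinux
# local.te: grant execmem to one window manager domain only.
# Constructed example; the domain name is an assumption.

module local 1.0;

require {
    # The domain that needs execmem (assumed here to be user_wm_t).
    type user_wm_t;
    # execmem is a permission on the process class, checked against self.
    class process execmem;
}

# Allow only this domain to map anonymous memory writable and executable.
# Granting it here, instead of toggling a boolean, leaves every other
# domain's execmem denial in place.
allow user_wm_t self:process execmem;

# Build and load the module (run as root):
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
#
# Verify the rule took effect and nothing else gained execmem:
#   sesearch -A -s user_wm_t -c process -p execmem
#   sesearch -A -c process -p execmem | grep -v user_wm_t
```

After loading, any remaining execmem denials for other domains will still appear in the audit log (`ausearch -m AVC -c process` or `audit2allow -a`), which is the point: the exception is scoped to one domain and the audit trail for everything else is preserved.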