[DSE-Dev] Bug#1070039: Bug#1070039: there's an unused module for window managers
Sarah M
sarah.m07899 at gmail.com
Mon Nov 10 06:28:49 GMT 2025
I'm looking into it, thanks for your suggestion. I've only written a few
profiles, and I'm not too familiar with wayland.
But I think the existing wm.te files in the policy could be adapted, since
they contain other rules which are not limited to the X server, like dbus
etc.
On Sat, 1 Nov 2025, 17:49 Antonio Russo, <aerusso at aerusso.net> wrote:
> Are you willing to run upstream refpolicy? There is some momentum gaining
> to get wayland confinement working. If you're using wayland, you might want
> to start with policy/modules/session/wayland.*, and use those primitives. I
> have no experience with X SELinux confinement, though.
>
> I personally use KDE (and have a bunch of SELinux rules that are too dirty
> to open an MR for right now). But, if you open an upstream MR, I'd be
> interested in helping out, especially with standardizing the SELinux
> interfaces for confining Wayland graphical sessions.
>
> Antonio
>
> On 2025-11-01 09:47, Sarah M wrote:
> > On my system gnome-shell is getting launched as unconfined_t, but
> > inspecting the default policy source shows that there's already a window
> > manager module (wm.te, wm.fc, wm.if):
> >
> >
> https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/apps/wm.te
> >
> > which does give the execmem permission among other things, but only for
> > wm_domain.
> >
> > The problem then is that gnome-shell is being launched as unconfined
> > instead of wm_domain.
> >
> > My SELinux is rusty but if I fix it I will post a solution. Then we don't
> > have to allow execmem for everything.
> >
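The check Sarah describes above (gnome-shell running as unconfined_t although the policy ships a wm module whose execmem rule only covers wm_domain) can be scripted against `ps -eZ` output. The following is an added example, not code from the thread or from refpolicy; the `ps -eZ` snapshot is constructed, and the expected domain name `user_wm_t` is an assumption standing in for whatever per-role type the wm module yields on a given system.

```python
"""Report expected-confined processes that are actually running unconfined.

Added example. Parses the column layout of `ps -eZ` (LABEL PID TTY TIME CMD)
and compares the SELinux type of selected commands with the domain the
policy is supposed to give them.
"""

# Constructed sample of `ps -eZ` output (not captured from a real system).
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:system_dbusd_t:s0 812 ?        00:00:00 dbus-daemon
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1342 ?  00:00:09 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1401 ?  00:00:00 bash
"""

# Commands that should be confined, mapped to the type we expect to see.
# The concrete type name is an assumption: the thread only names the wm
# module (wm.te) and its wm_domain attribute, not the per-role type.
EXPECTED_DOMAIN = {"gnome-shell": "user_wm_t"}  # assumed type name


def parse_ps_ez(text):
    """Return (type, pid, cmd) tuples from `ps -eZ` text, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        label, pid, _tty, _time, cmd = parts
        # A context is user:role:type[:range]; the type is the third field.
        fields = label.split(":")
        if len(fields) < 3:
            continue
        rows.append((fields[2], int(pid), cmd))
    return rows


def find_unconfined(text, expected=EXPECTED_DOMAIN):
    """List processes whose actual type differs from the expected domain."""
    findings = []
    for stype, pid, cmd in parse_ps_ez(text):
        want = expected.get(cmd)
        if want is not None and stype != want:
            findings.append(
                {"pid": pid, "cmd": cmd, "actual": stype, "expected": want}
            )
    return findings


if __name__ == "__main__":
    for f in find_unconfined(SAMPLE_PS_EZ):
        print(f"pid {f['pid']} {f['cmd']}: running as {f['actual']}, "
              f"expected {f['expected']}")
```

On a live system replace `SAMPLE_PS_EZ` with the output of `ps -eZ`; a hit for gnome-shell means the domain transition into the wm domain is not happening, which is the situation being discussed, and the execmem permission granted in wm.te is not what is actually in effect for that process.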