Are you willing to run upstream refpolicy? There is some momentum gaining to get Wayland confinement working. If you're using Wayland, you might want to start with policy/modules/session/wayland.*, and use those primitives. I have no experience with X SELinux confinement, though.
I personally use KDE (and have a bunch of SELinux rules that are too dirty to open an MR for right now). But, if you open an upstream MR, I'd be interested in helping out, especially with standardizing the SELinux interfaces for confining Wayland graphical sessions.

Antonio

On 2025-11-01 09:47, Sarah M wrote:
On my system gnome-shell is getting launched as unconfined_t, but inspecting the default policy source shows that there's already a window manager module (wm.te, wm.fc, wm.if): https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/apps/wm.te which does give the execmem permission among other things, but only for wm_domain. The problem then is that gnome-shell is being launched as unconfined instead of wm_domain. My SELinux is rusty but if I fix it I will post a solution. Then we don't have to allow execmem for everything.

_______________________________________________
SELinux-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel
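A small check for the situation Sarah describes, added here as an example and not part of the thread: given `ps -eZ` output, report which SELinux type a process such as gnome-shell actually runs in and whether it matches the wm_domain type you expect. The expected type name (`user_wm_t`) and the sample process listing are assumptions constructed for the demo.

```sh
#!/bin/sh
# Added example: verify whether a graphical process got its SELinux domain
# transition or is still running unconfined. Real use:
#   ps -eZ | check_domain gnome-shell user_wm_t
# (the wm_domain type name depends on the role template in use; user_wm_t
#  is an assumption here, not something the thread states).

# Constructed sample of `ps -eZ` output used for the offline demo.
SAMPLE_PS='LABEL                                                 PID TTY      TIME CMD
system_u:system_r:init_t:s0                             1 ?    00:00:02 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 ?    00:00:41 gnome-shell
user_u:user_r:user_wm_t:s0                            2346 ?    00:00:00 kwin_wayland'

# Print the SELinux type (third field of the context) of the first process
# whose command name equals $1. Reads `ps -eZ` output on stdin; prints
# nothing if no such process is listed.
selinux_type_of() {
    awk -v cmd="$1" '$NF == cmd { split($1, ctx, ":"); print ctx[3]; exit }'
}

# check_domain <command> <expected_type>
# Exit 0 when the process runs in the expected type, 1 when it runs in some
# other type (i.e. the transition into the wm domain did not happen),
# 2 when the process is not running at all. Reads `ps -eZ` output on stdin.
check_domain() {
    actual=$(selinux_type_of "$1")
    if [ -z "$actual" ]; then
        printf '%s: not running\n' "$1"
        return 2
    fi
    if [ "$actual" = "$2" ]; then
        printf '%s runs as %s (ok)\n' "$1" "$actual"
        return 0
    fi
    printf '%s runs as %s, expected %s: no domain transition\n' "$1" "$actual" "$2"
    return 1
}

# Demo against the constructed sample: gnome-shell is reported as
# unconfined_t, kwin_wayland as user_wm_t. Once the process is in the wm
# domain, confirm execmem is granted there rather than globally with
# setools:  sesearch -A -s user_wm_t -p execmem
printf '%s\n' "$SAMPLE_PS" | check_domain gnome-shell user_wm_t || true
printf '%s\n' "$SAMPLE_PS" | check_domain kwin_wayland user_wm_t || true
```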

