I'm looking into it, thanks for your suggestion. I've only written a few profiles, and I'm not too familiar with wayland.
But I think the existing wm.te files in the policy could be adapted, since they contain other rules which are not limited to the X server, like dbus etc.

On Sat, 1 Nov 2025, 17:49 Antonio Russo, <[email protected]> wrote:

> Are you willing to run upstream refpolicy? There is some momentum gaining
> to get wayland confinement working. If you're using wayland, you might want
> to start with policy/modules/session/wayland.*, and use those primitives. I
> have no experience with X SELinux confinement, though.
>
> I personally use KDE (and have a bunch of SELinux rules that are too dirty
> to open an MR for right now). But, if you open an upstream MR, I'd be
> interested in helping out, especially with standardizing the SELinux
> interfaces for confining Wayland graphical sessions.
>
> Antonio
>
> On 2025-11-01 09:47, Sarah M wrote:
> > On my system gnome-shell is getting launched as unconfined_t, but
> > inspecting the default policy source shows that there's already a window
> > manager module (wm.te, wm.fc, wm.if):
> >
> > https://sources.debian.org/src/refpolicy/2%3A2.20250213-11/policy/modules/apps/wm.te
> >
> > which does give the execmem permission among other things, but only for
> > wm_domain.
> >
> > The problem then is that gnome-shell is being launched as unconfined
> > instead of wm_domain.
> >
> > My SELinux is rusty but if I fix it I will post a solution. Then we don't
> > have to allow execmem for everything.
> >
> >
> > _______________________________________________
> > SELinux-devel mailing list
> > [email protected]
> > https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel
>
> --
> To unsubscribe, send mail to [email protected].
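As an added example, not code from this thread or from refpolicy: a small POSIX sh diagnostic for the symptom Sarah describes (gnome-shell running as unconfined_t while the wm module only grants execmem to wm_domain). It parses `ps -eZ` output to classify the domain gnome-shell actually runs in, and, where SELinux userspace is installed, checks how the policy labels the binary and whether the caller's domain has any type transition onto that label. Assumptions, labelled in the code as well: the binary lives at /usr/bin/gnome-shell, wm.fc labels it wm_exec_t, and confined window-manager domains follow the `<prefix>_wm_t` naming of refpolicy's wm_role_template; the `ps -eZ` sample is constructed.

```sh
#!/bin/sh
# Added diagnostic (not code from this thread or from refpolicy).
# Goal: show which SELinux type gnome-shell actually runs in, what the
# policy would label its binary, and whether the session domain has a
# type transition onto that label. Assumptions, marked as such:
#   - the window manager binary is /usr/bin/gnome-shell (assumed path)
#   - wm.fc labels it wm_exec_t and confined wm domains are named
#     <prefix>_wm_t (refpolicy wm_role_template naming, assumed here)
# Live commands run only when SELinux userspace is installed; the
# parsing functions work on any captured output.

# Type field of a context string user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a domain type: confined wm domain, unconfined, or something else.
classify_wm_type() {
    case "$1" in
        *_wm_t)       echo confined ;;
        unconfined_t) echo unconfined ;;
        *)            echo other ;;
    esac
}

# Given `ps -eZ` output as one string, classify every gnome-shell process.
# Column layout of ps -eZ: LABEL PID TTY TIME CMD.
classify_from_ps() {
    printf '%s\n' "$1" | awk '$NF == "gnome-shell" { print $1 }' |
    while read -r ctx; do
        classify_wm_type "$(context_type "$ctx")"
    done
}

# Live checks; skipped (return 0) where there is no SELinux tooling.
live_diagnose() {
    wm_bin=${1:-/usr/bin/gnome-shell}   # assumed location
    if ! command -v getenforce >/dev/null 2>&1; then
        echo "no SELinux tooling found; skipping live checks"
        return 0
    fi
    echo "mode: $(getenforce)"
    echo "on-disk label:"; ls -Z "$wm_bin"
    echo "policy label (matchpathcon):"; matchpathcon "$wm_bin"
    echo "running gnome-shell domain(s):"
    classify_from_ps "$(ps -eZ)"
    # Without a type_transition from the caller's domain onto wm_exec_t,
    # gnome-shell simply inherits the caller's domain (e.g. unconfined_t).
    caller=$(context_type "$(id -Z)")
    echo "transitions from $caller on wm_exec_t (empty means none):"
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -T -s "$caller" -t wm_exec_t -c process
    else
        echo "  (setools not installed; cannot query)"
    fi
}

# Constructed sample in the shape of `ps -eZ` output: one gnome-shell that
# inherited unconfined_t, one that was transitioned into a wm domain.
SAMPLE_PS='LABEL                                 PID TTY          TIME CMD
unconfined_u:unconfined_r:unconfined_t:s0  2345 ?        00:00:12 gnome-shell
staff_u:staff_r:staff_wm_t:s0              2346 ?        00:00:01 gnome-shell'

classify_from_ps "$SAMPLE_PS"   # prints: unconfined, then confined
live_diagnose
```

The point of the last live check is the one the thread turns on: if no transition exists from the session domain onto the window manager's executable type, gnome-shell keeps the caller's domain, and the only way to satisfy its execmem need would be to grant execmem to that whole session domain. Confining it in a wm domain keeps execmem scoped to the window manager alone.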

