From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Reply-To: russell@coker.com.au
Subject: xserver policy
Date: Tue, 05 May 2026 23:03:11 +1000
Message-ID: <3065155.e9J7NaK4W3@xev>

type_transition user_t xserver_exec_t:process xserver_t;
type_transition user_wm_t mono_exec_t:process mono_t;
type_transition user_wm_t wine_exec_t:process wine_t;
type_transition user_wm_t xserver_exec_t:process xserver_t;

Currently in the Debian SE Linux policy (which I believe to be identical to upstream refpolicy in this regard) the above are the possible transitions from user_t to unconfined domains. The mono and wine modules can be removed for essentially identical functionality if you happen to not use mono or wine.

Both GNOME and KDE are dropping support for X11. If we don't drop policy support for X11, I think we should at least separate xdm and xserver into separate modules so you can have XDM for Wayland without having an unconfined X server policy.

As an aside, the current situation is that if you remove the unconfined module it will be impossible to login with any XDM program. There is also an issue of xdm_t being unconfined; I'm working on a patch to fix that, and I have a test machine with confined xdm_t working well.

Below is the list of unconfined domains:

$ seinfo -a unconfined_domain_type -x
Type Attributes: 1
   attribute unconfined_domain_type;
	apt_t
	dpkg_script_t
	dpkg_t
	httpd_unconfined_script_t
	inetd_child_t
	init_t
	initrc_t
	kernel_t
	ldconfig_t
	mono_t
	nagios_unconfined_plugin_t
	prelink_t
	puppet_t
	samba_unconfined_script_t
	spc_t
	spc_user_t
	unconfined_execmem_t
	unconfined_java_t
	unconfined_mount_t
	unconfined_munin_plugin_t
	unconfined_qemu_t
	unconfined_sendmail_t
	unconfined_t
	wine_t
	xdm_t
	xserver_t

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
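The post's point is that a handful of process type_transition rules give a login domain a path into unconfined_domain_type, and that those paths are what a confined desktop has to get rid of. The script below, an added example and not code from the post or from refpolicy, automates that check: it parses type_transition rules in the form `sesearch` prints them, parses the member list from `seinfo -a unconfined_domain_type -x`, and walks the transition graph from a chosen start domain to report every unconfined domain it can reach, including through confined intermediate domains. The four rules and the attribute listing quoted in the post are embedded as constructed sample input; on a real system you would feed it the output of `sesearch -T -c process` and `seinfo -a unconfined_domain_type -x` instead.

```python
# Added example (not from the post or from refpolicy): given process
# type_transition rules and the members of unconfined_domain_type, report
# which unconfined domains a start domain can reach by executing files.
import re
from collections import defaultdict, deque

# Constructed sample input: the rules quoted in the post, in sesearch syntax.
SAMPLE_RULES = """\
type_transition user_t xserver_exec_t:process xserver_t;
type_transition user_wm_t mono_exec_t:process mono_t;
type_transition user_wm_t wine_exec_t:process wine_t;
type_transition user_wm_t xserver_exec_t:process xserver_t;
"""

# Constructed sample input: the `seinfo -a unconfined_domain_type -x`
# listing quoted in the post.
SAMPLE_ATTR = """\
Type Attributes: 1
   attribute unconfined_domain_type;
    apt_t
    dpkg_script_t
    dpkg_t
    httpd_unconfined_script_t
    inetd_child_t
    init_t
    initrc_t
    kernel_t
    ldconfig_t
    mono_t
    nagios_unconfined_plugin_t
    prelink_t
    puppet_t
    samba_unconfined_script_t
    spc_t
    spc_user_t
    unconfined_execmem_t
    unconfined_java_t
    unconfined_mount_t
    unconfined_munin_plugin_t
    unconfined_qemu_t
    unconfined_sendmail_t
    unconfined_t
    wine_t
    xdm_t
    xserver_t
"""

# type_transition <source> <entrypoint>:<class> <target> ["name"];
RULE_RE = re.compile(
    r'^\s*type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+?)(?:\s+"[^"]*")?;\s*$'
)


def parse_transitions(text):
    """Return {source_domain: {(entrypoint_type, target_domain)}} for the
    process-class type_transition rules in sesearch-style output."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(3) == "process":
            src, entry, _cls, tgt = m.groups()
            edges[src].add((entry, tgt))
    return edges


def parse_attribute_members(text):
    """Return the set of types listed under an attribute in `seinfo -a X -x`
    output: every non-empty line that is not the header or the attribute line."""
    members = set()
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("Type Attributes") or s.startswith("attribute "):
            continue
        members.add(s)
    return members


def reachable_unconfined(edges, unconfined, start):
    """Breadth-first walk over process transitions from `start`; returns
    {unconfined_domain: path} for every unconfined domain reachable,
    where path shows each hop as "-(entrypoint)->"."""
    paths = {start: start}
    queue = deque([start])
    while queue:
        dom = queue.popleft()
        for entry, tgt in sorted(edges.get(dom, ())):
            if tgt not in paths:
                paths[tgt] = f"{paths[dom]} -({entry})-> {tgt}"
                queue.append(tgt)
    return {d: p for d, p in paths.items() if d in unconfined and d != start}


def report(rules_text, attr_text, start):
    """Human-readable lines, one per reachable unconfined domain."""
    hits = reachable_unconfined(parse_transitions(rules_text),
                                parse_attribute_members(attr_text), start)
    if not hits:
        return [f"{start}: no unconfined domain reachable"]
    return [f"{start}: {path}" for _, path in sorted(hits.items())]


if __name__ == "__main__":
    for start in ("user_t", "user_wm_t"):
        print("\n".join(report(SAMPLE_RULES, SAMPLE_ATTR, start)))
```

On the sample data the walk from user_t reports only xserver_t, while user_wm_t reaches mono_t, wine_t and xserver_t; removing the mono and wine modules, as the post suggests, leaves xserver_t as the one remaining path, which is the case for splitting xdm from xserver. The `reachable_unconfined` function deliberately follows transitions through confined intermediate domains, so it also catches two-hop paths that a look at the rules for user_t alone would miss.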