archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

Policy(ies) for KDE Plasma Desktop #92

Open PseudoDistant opened 2 years ago

PseudoDistant commented 2 years ago

I'm still kind of new to SELinux. I've used it before on Fedora and Debian, but always with GNOME. I'm finally trying to get it enforced on my daily driver, but I run Plasma. How would I get Plasma running on Arch with SELinux enforced? (It's running, but in permissive.)

fishilico commented 2 years ago

Hello, I do not use Plasma nor know what would be specific about it. I guess that the SELinux policy might miss some process domains and file context rules for this environment. If this is what your question is about, some good places to ask questions (and submit pull requests) would be https://github.com/SELinuxProject/refpolicy and the selinux-refpolicy@vger.kernel.org mailing list (http://vger.kernel.org/vger-lists.html#selinux-refpolicy).

This project tries to stay as close as possible to the upstream projects, and the upstream of the policy which is installed by selinux-refpolicy-arch is https://github.com/SELinuxProject/refpolicy.

Lunarequest commented 2 years ago

I've been looking at the AVC denial logs on KDE Plasma and it looks like there is little work done for SELinux support on the upstream policy, since many binaries such as kwin_wayland are blocked from using /dev/dri/card0, which breaks kwin and kills the Plasma session. I've personally not written any SELinux policies, so if someone could point towards how to fix these issues I would love to fix and upstream them!
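An added example, not posted by anyone in this thread: one way to turn the AVC denials described above into a reviewable summary, by grouping them per source type, target type and object class, which is the step `audit2allow` automates. The log lines are constructed for illustration, and the contexts in them (`user_t`, `dri_device_t`) are assumptions about how the process and device are labelled, not values from the reporter's system.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the thread); contexts are illustrative.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:410): avc:  denied  { read write } for  pid=1201 comm="kwin_wayland" name="card0" dev="devtmpfs" ino=321 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1700000000.102:411): avc:  denied  { open } for  pid=1201 comm="kwin_wayland" path="/dev/dri/card0" dev="devtmpfs" ino=321 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1700000000.103:412): avc:  denied  { ioctl } for  pid=1201 comm="kwin_wayland" path="/dev/dri/card0" dev="devtmpfs" ino=321 ioctlcmd=0x64a0 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1700000000.103:412): arch=c000003e syscall=16 success=yes exit=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    """Return the type field (third component) of user:role:type[:range]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None  # None for a malformed context

def summarize(log_text):
    """Group denials by (comm, source type, target type, class) -> set of perms."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # non-AVC records (e.g. SYSCALL) are skipped
        src, tgt = context_type(m["scon"]), context_type(m["tcon"])
        if src is None or tgt is None:
            continue
        grouped[(m["comm"], src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(grouped)

def candidate_rules(grouped):
    """Render one allow rule per group, as input for human review only."""
    rules = []
    for (comm, src, tgt, tclass), perms in sorted(grouped.items()):
        rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
                     f"  # seen from {comm}")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(SAMPLE_LOG))))
```

Rules produced this way are a starting point for review: a denial from a generic user domain often points to a missing dedicated domain or file context rather than a rule to allow as-is.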

freedom1b2830 commented 1 year ago

@Lunarequest Let's unite in writing policy

Lunarequest commented 1 year ago

I've not thought about using SELinux in a while. @freedom1b2830 feel free to reach out through my email luna.dragon [@] suse.com or Matrix nullrequest:matrix.org