From: aranea@aixah.de (Luis Ressel)
Date: Mon, 12 Dec 2016 03:35:16 +0100
Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm)
 module and enable its role template
In-Reply-To: <1481493363.24999.3.camel@trentalancia.net>
References: <1481130053.3300.9.camel@trentalancia.net>
	<1481217618.20182.8.camel@trentalancia.net>
	<1481322107.2989.1.camel@trentalancia.net>
	<8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org>
	<1481487209.2628.12.camel@trentalancia.net>
	<c2197d1d-5d14-4a3a-e838-5b27f8c4baa7@ieee.org>
	<1481493363.24999.3.camel@trentalancia.net>
Message-ID: <20161212033516.73caebfa@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11 Dec 2016 22:56:03 +0100
Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:

> > I don't understand how making separate optionals mandates a
> > confined window manager.??It does the reverse.  
> 
> As it is, the wm role should be enabled only if the dbus and gnome
> modules are loaded.

I agree with both of you here. :)

Ideally, we would do
"
    optional_policy
        gnome...
        optional_policy
            wm...
"
but AFAIK, that's not possible.

Therefore, I'd suggest we use Chris' option (two separate
optional_policy blocks) and just recommend (out-of-band) not to use wm
without gnome in its present state. This has two added benefits:

* Makes it easier for gnome folks *not* to use the wm module, in case
  it's still lacking some required permissions.

* Makes it easier for non-gnome folks to test the wm module.

Regards,
Luis Ressel