From: aranea@aixah.de (Luis Ressel)
Date: Mon, 12 Dec 2016 03:35:16 +0100
Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template
In-Reply-To: <1481493363.24999.3.camel@trentalancia.net>
References: <1481130053.3300.9.camel@trentalancia.net>
 <1481217618.20182.8.camel@trentalancia.net>
 <1481322107.2989.1.camel@trentalancia.net>
 <8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org>
 <1481487209.2628.12.camel@trentalancia.net>
 <1481493363.24999.3.camel@trentalancia.net>
Message-ID: <20161212033516.73caebfa@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11 Dec 2016 22:56:03 +0100
Guido Trentalancia via refpolicy wrote:

> > I don't understand how making separate optionals mandates a
> > confined window manager. It does the reverse.
>
> As it is, the wm role should be enabled only if the dbus and gnome
> modules are loaded.

I agree with both of you here. :) Ideally, we would do
"optional_policy gnome... optional_policy wm..." but AFAIK, that's not
possible.

Therefore, I'd suggest we use Chris' option (two separate
optional_policy blocks) and just recommend (out-of-band) not to use wm
without gnome in its present state. This has two added benefits:

* Makes it easier for gnome folks *not* to use the wm module, in case
  it's still lacking some required permissions.
* Makes it easier for non-gnome folks to test the wm module.

Regards,
Luis Ressel