--enable-xselinux Build SELinux extension Platform: amd64 x86 Reproducible: Always
Created attachment 293261: xorg-server-1.11.2-r1.ebuild.diff
What happens when this is enabled? It looks like it triggers the SELinux extensions for xorg, have you tested these? I'm personally more in favor of using a new USE flag for selinux extensions (xselinux or so) so that other applications that use such extensions (like Postgresql for the SEPostgresql server) can switch this as well.
xorg-server[ --enable-xselinux --enable-record ] + nouveau
We could audit some application which requires xorg at runtime via /var/log/Xorg.0.log:
cat /var/log/Xorg.*.log* | audit2allow
... selinux policy rules ...
xorg-server[ --enable-xselinux --enable-record ] + nvidia
cat /var/log/Xorg.*.log* | audit2allow
empty...
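The comment above pipes the whole Xorg log into audit2allow. As an added example that is not part of this bug thread, the shell function below first summarises the XSELinux AVC denials found in Xorg log text (unique source type, target type, X object class and permissions, with a count), so a policy author can see which x_* classes a policy update would need to cover before generating rules. The log lines are constructed, and the "SELinux: avc:  denied" message layout is assumed.

```shell
# Constructed sample Xorg.0.log excerpt (layout assumed; not from the thread).
SAMPLE_XORG_LOG='[    12.345] (II) SELinux: Configured in permissive mode
[    13.001] (II) SELinux: avc:  denied  { read } for request X11:GetImage comm=xterm scontext=staff_u:staff_r:xterm_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_drawable
[    13.002] (II) SELinux: avc:  denied  { read } for request X11:GetImage comm=xterm scontext=staff_u:staff_r:xterm_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_drawable
[    14.500] (II) SELinux: avc:  denied  { setattr } for request X11:ChangeProperty comm=firefox scontext=staff_u:staff_r:mozilla_t:s0 tcontext=system_u:object_r:xserver_t:s0 tclass=x_property
[    15.000] (II) Loading extension RECORD'

# xselinux_denials: read Xorg log text on stdin and print one line per unique
# "<count> <source type> <target type> <tclass> {<perms>}" tuple, sorted.
xselinux_denials() {
    awk '
    /SELinux: avc:  denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        # Permissions sit between the braces, e.g. "{ read }".
        if (match($0, /\{[^}]*\}/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            # Third colon-separated field of a context is its type.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " {" perms "}"]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# denials_report: run the summary over the constructed sample.
denials_report() {
    printf '%s\n' "$SAMPLE_XORG_LOG" | xselinux_denials
}

# count_unique_denials: number of distinct denial tuples in the sample.
count_unique_denials() {
    denials_report | wc -l | tr -d ' '
}
```

The real Xorg log would be fed in with `cat /var/log/Xorg.*.log* | xselinux_denials`; the counts show which denials are repeated noise and which object classes the policy must actually address.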
Just had a nice read on it. The XSELinux support is to introduce additional SELinux support in Xorg, but for Xorg-specific calls and objects. The article I read also stipulated that it doesn't "just work" for all cases and that the (reference) policy needs some updates as well. I suggest letting this rest for a while, possibly hitting it with USE="xselinux" (which enables SELinux extension support), which we can also introduce for Postgresql then (and other applications that introduce additional security classes and privileges for their inner workings).
I'm going to mark this as WONTFIX for now, primarily because I don't have the resources to properly test and support this. If a developer wants to take this up, I'll gladly reopen.