Tracking bug: RBAC for KDE Plasma

[secureworkstation]

I'm working on making RBAC work in KDE Plasma. This is a tracking bug for all the effort I make towards the goal.

Small PRs for selinux-policy-contrib:

• Fix for Pulseaudio Allow to use nnp_transition in pulseaudio_role #191
• Label /run/user/.../bus correctly Label /run/user/.../bus as session_dbusd_tmp_t #196
• Label /run/user/.../pulse/ correctly Label /run/user/.../pulse/ as pulseaudio_home_t #197

Small PRs for selinux-policy:

• Fix for ssh-agent eating logs Allow ssh_agent_type to append .xsession-errors selinux-policy#316
• Dontaudit for ptmx_t macro Add ioctl to term_dontaudit_use_ptmx macro selinux-policy#315
• Label /usr/bin/fusermount3 Make file context more variable for /usr/bin/fusermount and /bin/fuse… selinux-policy#317
• Pulseaudio & DBUS have correct labels in /run/user/.../ Allow logind to manage /run/user of pulseaudio and session dbus selinux-policy#321

Transitioning for kwalletd5 (when launched by PAM):

• Patch https://phabricator.kde.org/D26979?download=true
• Upstream (in progress) https://phabricator.kde.org/D26979
• Downstream

KDE Plasma policy:

• Confinement for kdeconnect
• Confinement for kwalletd5
• Main patchset prepared
• Main patchset merged

Overall:

• KDE Plasma testable in RBAC enforcing
• Make a test suite
• KDE Plasma correctly working in RBAC enforcing

Related proposals:

• Labeling for wayland
• Labeling for session systemd

[secureworkstation]

Good news: it starts with 0 sealerts in RBAC enforcing :)
And same with gnome-shell running kdeconnect and kwallet on X11 on sddm.
And (almost) same with gnome-shell running both on X11 and Wayland on gdm.
And (almost) same with KDE Plasma on X11 on gdm.