Here is a new patch for sddm using PAM for it's own helper. This one
uses system_r instead of xdm_r and has patches for all 3 versions of the
policy config. I think it's ready for inclusion.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20220217/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20220217.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20220217/policy/modules/services/xserver.te
@@ -843,6 +843,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
# Run Xorg.wrap
can_exec(xserver_t, xserver_exec_t)
Index: refpolicy-2.20220217/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220217/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
root:unconfined_u:s0-mcs_systemhigh
__default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220217/policy/users
===================================================================
--- refpolicy-2.20220217.orig/policy/users
+++ refpolicy-2.20220217/policy/users
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(xdm, user, system_r, s0, s0)
# Until order dependence is fixed for users:
ifdef(`direct_sysadm_daemon',`
Index: refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t system_r:xdm_t
On 2/17/22 01:53, Russell Coker wrote:
> Here is a new patch for sddm using PAM for it's own helper. This one
> uses system_r instead of xdm_r and has patches for all 3 versions of the
> policy config. I think it's ready for inclusion.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20220217/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20220217.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20220217/policy/modules/services/xserver.te
> @@ -843,6 +843,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
> manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
> manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>
> +# for sddm to use pam for greeter, sddm greeter needs execmod
> +allow xdm_t xdm_tmpfs_t:file execmod;
> +
> # Run Xorg.wrap
> can_exec(xserver_t, xserver_exec_t)
>
> Index: refpolicy-2.20220217/config/appconfig-mcs/seusers
> ===================================================================
> --- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers
> +++ refpolicy-2.20220217/config/appconfig-mcs/seusers
> @@ -1,2 +1,3 @@
> root:unconfined_u:s0-mcs_systemhigh
> __default__:unconfined_u:s0-mcs_systemhigh
> +sddm:xdm:s0
Did sddm:system_u fail? If we must have a new seuser, please place it in the
xserver module. The build system supports declaring users in modules.
The changes for seusers changes for standard and mls are missing.
> Index: refpolicy-2.20220217/policy/users
> ===================================================================
> --- refpolicy-2.20220217.orig/policy/users
> +++ refpolicy-2.20220217/policy/users
> @@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
> gen_user(user_u, user, user_r, s0, s0)
> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +gen_user(xdm, user, system_r, s0, s0)
>
> # Until order dependence is fixed for users:
> ifdef(`direct_sysadm_daemon',`
> Index: refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
> @@ -0,0 +1 @@
> +system_r:xdm_t:s0 system_r:xdm_t:s0
> Index: refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
> @@ -0,0 +1 @@
> +system_r:xdm_t:s0 system_r:xdm_t:s0
> Index: refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
> @@ -0,0 +1 @@
> +system_r:xdm_t system_r:xdm_t
--
Chris PeBenito
On Friday, 18 February 2022 00:48:44 AEDT Chris PeBenito wrote:
> > +# for sddm to use pam for greeter, sddm greeter needs execmod
> > +allow xdm_t xdm_tmpfs_t:file execmod;
> > +
> > # Run Xorg.wrap
> > can_exec(xserver_t, xserver_exec_t)
> >
> > Index: refpolicy-2.20220217/config/appconfig-mcs/seusers
> > ===================================================================
> > --- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers
> > +++ refpolicy-2.20220217/config/appconfig-mcs/seusers
> > @@ -1,2 +1,3 @@
> > root:unconfined_u:s0-mcs_systemhigh
> > __default__:unconfined_u:s0-mcs_systemhigh
> > +sddm:xdm:s0
>
> Did sddm:system_u fail?
Yes, there's several programs that end up in the wrong domains (or try to) if
you do that.
> If we must have a new seuser, please place it in
> the xserver module. The build system supports declaring users in modules.
OK, that's in the next version.
> The changes for seusers changes for standard and mls are missing.
OK, done that too.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
These desktop managers have a pam stack and that includes
/etc/pam.d/systemd-user which provides the user with a systemd --user
instance
If you do not add a seuser for these DM-users then their systemd --user
instance ends up with system_u:system_r:init_t:s0 (the context of pid1
which creates these systemd --user instances)
One possible solution would be if we could add clauses to pam config
files like for example:
if ! (user sddm) {
session ... pam_selinux.so ...
}
But not sure if something like that is even possible, and even if it was
possible, some parts of the DE need selinux in the pam stack (for
logging in the user)
But yes the main issue is the pam_selinux call in the pam_systemd
stack. Ideally we maintain some kind of compatibility with systems that
have pam_systemd and ones that do not
The alternative way is indeed to create a seuser so that we can tell
pam_selinux explicitly to stay is system_r:xdm_t:s0 (so the systemd
--user instance for the DE user will run in xdm_t and so all the
transitions will be the same whether the DE starts it via systemd --user
or manually starts it.
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift