This patch adds a role for the xdm program. It's needed by sddm because
it uses PAM to run it's own worker process and thus needs to do all the
checks for a valid session for it's own UID.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20220216/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20220216/policy/modules/services/xserver.te
@@ -18,6 +18,7 @@ gen_require(`
class x_resource all_x_resource_perms;
class x_event all_x_event_perms;
class x_synthetic_event all_x_synthetic_event_perms;
+ role xdm_r;
')
########################################
@@ -152,6 +153,10 @@ init_daemon_domain(xdm_t, xdm_exec_t)
xserver_object_types_template(xdm)
xserver_common_x_domain_template(xdm, xdm_t)
+# for sddm to use pam for greeter
+role xdm_r types xdm_t;
+allow system_r xdm_r;
+
type xdm_lock_t;
files_lock_file(xdm_lock_t)
@@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
# Run Xorg.wrap
can_exec(xserver_t, xserver_exec_t)
Index: refpolicy-2.20220216/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220216/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
root:unconfined_u:s0-mcs_systemhigh
__default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220216/policy/users
===================================================================
--- refpolicy-2.20220216.orig/policy/users
+++ refpolicy-2.20220216/policy/users
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(xdm, user, xdm_r, s0, s0)
# Until order dependence is fixed for users:
ifdef(`direct_sysadm_daemon',`
Index: refpolicy-2.20220216/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220216/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0 xdm_r:xdm_t:s0
Index: refpolicy-2.20220216/policy/modules/kernel/kernel.te
===================================================================
--- refpolicy-2.20220216.orig/policy/modules/kernel/kernel.te
+++ refpolicy-2.20220216/policy/modules/kernel/kernel.te
@@ -32,6 +32,7 @@ role system_r;
role sysadm_r;
role staff_r;
role user_r;
+role xdm_r;
# here until order dependence is fixed:
role unconfined_r;
On 2/16/2022 08:12, Russell Coker wrote:
> This patch adds a role for the xdm program. It's needed by sddm because
> it uses PAM to run it's own worker process and thus needs to do all the
> checks for a valid session for it's own UID.
IMO this is a bug in the code.
> Index: refpolicy-2.20220216/config/appconfig-mcs/seusers
> ===================================================================
> --- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers
> +++ refpolicy-2.20220216/config/appconfig-mcs/seusers
> @@ -1,2 +1,3 @@
> root:unconfined_u:s0-mcs_systemhigh
> __default__:unconfined_u:s0-mcs_systemhigh
> +sddm:xdm:s0
Did you try sddm:system_u instead? That seems like it could make the
change a bit simpler, since we won't need the additional xdm_r.
Also, config changes should be reflected in the appconfig-standard and
appconfig-mls configs, in addition to -mcs.
--
Chris PeBenito
On Thursday, 17 February 2022 02:40:59 AEDT Chris PeBenito wrote:
> On 2/16/2022 08:12, Russell Coker wrote:
> > This patch adds a role for the xdm program. It's needed by sddm because
> > it uses PAM to run it's own worker process and thus needs to do all the
> > checks for a valid session for it's own UID.
>
> IMO this is a bug in the code.
Maybe, but I think we have to deal with this.
> > Index: refpolicy-2.20220216/config/appconfig-mcs/seusers
> > ===================================================================
> > --- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers
> > +++ refpolicy-2.20220216/config/appconfig-mcs/seusers
> > @@ -1,2 +1,3 @@
> > root:unconfined_u:s0-mcs_systemhigh
> > __default__:unconfined_u:s0-mcs_systemhigh
> > +sddm:xdm:s0
>
> Did you try sddm:system_u instead? That seems like it could make the
> change a bit simpler, since we won't need the additional xdm_r.
That works I'll send an updated patch.
> Also, config changes should be reflected in the appconfig-standard and
> appconfig-mls configs, in addition to -mcs.
OK I'll do that in the next patch too.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/