To: selinux-refpolicy@vger.kernel.org
From: Laurent Bigonville
Subject: systemd --user for GDM started as unconfined_t instead of xdm_t
Date: Sun, 6 Oct 2019 11:22:00 +0200

Hello,

I discovered today that GDM's own processes are started as unconfined_t instead of xdm_t because the systemd --user process itself is started in that context.

This is probably related to:

commit da156aea1e89a6ff6025be7e50c9c8173e5a6dcf
Author: Chris PeBenito
Date:   Fri Apr 19 11:50:59 2019 -0400

    systemd: Add initial policy for systemd --user.

    This is just a start; it does not cover all uses.

    Signed-off-by: Chris PeBenito

Was that expected and/or wanted?

Kind regards,
Laurent Bigonville
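A check for the condition reported above, as an added example that is not part of the original message or of refpolicy: it reads `ps` output and flags any `systemd --user` manager whose SELinux type differs from the expected one. The function name `check_user_managers`, the account name `Debian-gdm` (assumed to be the GDM account; other distributions use `gdm`) and the sample `ps` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Input: lines as printed by
#   ps -eo label,user:32,args --no-headers
# i.e. SELinux label, account name, command line. "user:32" widens the
# column so long account names are not replaced by a numeric UID.

# check_user_managers USER EXPECTED_TYPE   (hypothetical helper name)
# Reads ps lines on stdin. Prints one MISMATCH line per `systemd --user`
# manager of USER whose type is not EXPECTED_TYPE; exits 1 if any was found.
check_user_managers() {
    awk -v user="$1" -v want="$2" '
        $2 == user && $3 ~ /(^|\/)systemd$/ && $4 == "--user" {
            # Label layout is user:role:type:level; the level may itself
            # contain ":" (s0-s0:c0.c1023), so only field 3 is used.
            split($1, ctx, ":")
            seen++
            if (ctx[3] != want) {
                printf "MISMATCH user=%s type=%s expected=%s\n", $2, ctx[3], want
                bad++
            }
        }
        END {
            if (!seen) print "NO_MANAGER user=" user
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample input reproducing the reported state: the GDM
# account's user manager runs as unconfined_t rather than xdm_t.
SAMPLE_PS='system_u:system_r:init_t:s0 root /sbin/init
system_u:system_r:xdm_t:s0-s0:c0.c1023 root /usr/sbin/gdm3
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Debian-gdm /lib/systemd/systemd --user
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 alice /lib/systemd/systemd --user'

# Demonstration on the sample; on a live system pipe the ps command above
# into the function instead.
printf '%s\n' "$SAMPLE_PS" | check_user_managers Debian-gdm xdm_t \
    || echo "GDM user manager is running outside xdm_t"
```

A non-zero exit status makes the function usable as a post-upgrade check after a policy update; processes spawned by the flagged manager inherit its domain unless a transition rule applies, so they need the same check.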