Date: Sun, 6 Oct 2019 11:41:56 +0200
From: Dominick Grift
To: Laurent Bigonville
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: systemd --user for GDM started as unconfined_t instead of xdm_t
Message-ID: <20191006094156.GB469820@brutus.lan>

On Sun, Oct 06, 2019 at 11:22:00AM +0200, Laurent Bigonville wrote:
> Hello,
>
> I discovered today that GDM's own processes are started as unconfined_t
> instead of xdm_t because the systemd --user process itself is started in that
> context.
>
> This is probably related to:
>
> commit da156aea1e89a6ff6025be7e50c9c8173e5a6dcf
> Author: Chris PeBenito
> Date:   Fri Apr 19 11:50:59 2019 -0400
>
>     systemd: Add initial policy for systemd --user.
>
>     This is just a start; it does not cover all uses.
>
>     Signed-off-by: Chris PeBenito
>
> Was that expected and/or wanted?

It just means that gdm hooks into pam, and since 1. your __default__ id is set to unconfined_u and 2. you do not have a private id for gdm (and gnome-initial-setup), systemd will start gdm's systemd --user instance with unconfined_u:unconfined_r:unconfined_t.

One (ugly, but arguably less ugly than the alternative) solution is to create a "xdm_u" and allow systemd to run a systemd --user instance on behalf of gdm with "xdm_u:system_r:xdm_t". That way you can tell selinux that gdm's systemd --user instance should never transition out of xdm_u:system_r:xdm_t:

echo "system_r:init_t:s0 system_r:xdm_t:s0" > /etc/selinux/TYPE/contexts/users/xdm_u

Then all processes in the gdm session should stay in xdm_t (but some processes will be associated with xdm_u and others with system_u).

You would probably also want to add to semanage.conf:

ignoredirs = /var/lib/gdm;/run/gnome-initial-setup

and make sure that selinux does not relabel /run/user/$(id -u gdm).

>
> Kind regards,
>
> Laurent Bigonville
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
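As an added example (not part of the thread above), a POSIX shell helper that writes the xdm_u default-context file and the semanage.conf ignoredirs entry the reply describes, under a configurable root so the result can be checked in a scratch directory before touching /etc/selinux. The policy name "targeted" used in the comments stands in for TYPE and is an assumption, as is the choice to handle /run/user/$(id -u gdm) through the same ignoredirs list.

```shell
#!/bin/sh
# Added example, not from the mailing-list reply or refpolicy itself.
# Usage against a live system would be:
#   write_xdm_user_contexts /etc/selinux targeted
#   add_ignoredirs /etc/selinux '/var/lib/gdm;/run/gnome-initial-setup'
# Creating the xdm_u SELinux user and mapping the gdm login to it is a
# separate semanage step that this example does not perform.
set -eu

# write_xdm_user_contexts ROOT POLICY
# Writes ROOT/POLICY/contexts/users/xdm_u with the single line from the
# reply: when init_t (systemd) starts a session for xdm_u, the only default
# context offered is system_r:xdm_t, so the session cannot land in unconfined_t.
write_xdm_user_contexts() {
    dir="$1/$2/contexts/users"
    mkdir -p "$dir"
    printf 'system_r:init_t:s0 system_r:xdm_t:s0\n' > "$dir/xdm_u"
    chmod 0644 "$dir/xdm_u"
    printf '%s\n' "$dir/xdm_u"
}

# add_ignoredirs ROOT DIRS
# Sets (replacing any existing) ignoredirs line in ROOT/semanage.conf so that
# policy-driven relabels leave gdm's state directories alone. The reply lists
# /var/lib/gdm and /run/gnome-initial-setup; appending /run/user/<gdm uid> to
# DIRS is one way (an assumption here) to keep that directory from being relabelled.
add_ignoredirs() {
    conf="$1/semanage.conf"
    touch "$conf"
    # grep -v exits 1 on an empty file, which is not an error for us
    grep -v '^ignoredirs' "$conf" > "$conf.tmp" || true
    printf 'ignoredirs = %s\n' "$2" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# verify_xdm_u ROOT POLICY
# Returns 0 when the contexts file carries exactly the expected line and
# semanage.conf ignores /var/lib/gdm; non-zero otherwise.
verify_xdm_u() {
    f="$1/$2/contexts/users/xdm_u"
    [ -f "$f" ] || return 1
    [ "$(cat "$f")" = "system_r:init_t:s0 system_r:xdm_t:s0" ] || return 1
    grep -q '^ignoredirs = .*/var/lib/gdm' "$1/semanage.conf"
}
```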