From: Dominick Grift
To: Laurent Bigonville, selinux-refpolicy@vger.kernel.org
Subject: Re: systemd --user for GDM started as unconfined_t instead of xdm_t
Date: Sun, 6 Oct 2019 12:13:38 +0200
Message-ID: <20191006101338.GD469820@brutus.lan>
In-Reply-To: <20191006100125.GC469820@brutus.lan>
References: <20191006094156.GB469820@brutus.lan> <20191006100125.GC469820@brutus.lan>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Sun, Oct 06, 2019 at 12:01:25PM +0200, Dominick Grift wrote:
> On Sun, Oct 06, 2019 at 11:41:56AM +0200, Dominick Grift wrote:
> > On Sun, Oct 06, 2019 at 11:22:00AM +0200, Laurent Bigonville wrote:
> > > Hello,
> > >
> > > I discovered today that GDM's own processes are started as unconfined_t
> > > instead of xdm_t because the systemd --user process itself is started in that
> > > context.
> > >
> > > This is probably related to:
> > >
> > > commit da156aea1e89a6ff6025be7e50c9c8173e5a6dcf
> > > Author: Chris PeBenito
> > > Date:   Fri Apr 19 11:50:59 2019 -0400
> > >
> > >     systemd: Add initial policy for systemd --user.
> > >
> > >     This is just a start; it does not cover all uses.
> > >
> > >     Signed-off-by: Chris PeBenito
> > >
> > > Was that expected and/or wanted?
> >
> > It just means that gdm hooks into pam, and since 1. your __default__ id is set to unconfined_u and 2. you do not have a private id for gdm (and gnome-initial-setup), systemd will start gdm's systemd --user instance with unconfined_u:unconfined_r:unconfined_t.
> >
> > One (ugly but arguably less ugly than the alternative) solution is to create an "xdm_u" and allow systemd to run a systemd --user instance on behalf of gdm with "xdm_u:system_r:xdm_t".
> >
> > That way you can tell selinux that gdm's systemd --user instance should never transition out of xdm_u:system_r:xdm_t:
> >
> > echo "system_r:init_t:s0 system_r:xdm_t:s0" > /etc/selinux/TYPE/contexts/users/xdm_u
> >
> > Then all processes in the gdm session should stay in xdm_t (but some processes will be associated with xdm_u and others with system_u).
> >
> > You would probably also want to add to semanage.conf:
> >
> > ignoredirs = /var/lib/gdm;/run/gnome-initial-setup
> >
> > and make sure that selinux does not relabel /run/user/$(id -u gdm)
>
> Just to clarify: the patch you reference is not responsible for the ugliness that is GDM/Gnome.
> Without this patch, the systemd --user instance of GDM (and any other user) would run in "init_t". This is obviously also not desirable.

I wonder what would happen if you did this (would gdm still work?):

sudo systemctl mask user@$(id -u gdm).service user-runtime-dir@$(id -u gdm).service

>
> >
> > >
> > > Kind regards,
> > >
> > > Laurent Bigonville
> > >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
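The workaround Dominick sketches above (a per-user default-context file for an xdm_u SELinux user, plus an ignoredirs entry in semanage.conf) as a rehearsable shell script. This is an added example, not code from the thread or from refpolicy. ROOT (a scratch prefix so the files can be written outside /etc; empty on a real host) and SELINUXTYPE (assumed "targeted"; the mail writes the placeholder TYPE) are assumptions of the example, as are the function names.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Rehearses the xdm_u
# workaround against a scratch prefix so nothing under /etc is touched.
# ROOT and SELINUXTYPE are assumptions; on a real host ROOT is empty.
ROOT="${ROOT:-$(mktemp -d)}"
SELINUXTYPE="${SELINUXTYPE:-targeted}"

# Default-context mapping for the xdm_u SELinux user: when init_t (systemd)
# starts a process on behalf of xdm_u, the only permitted default is
# system_r:xdm_t, so gdm's systemd --user instance cannot land in
# unconfined_t or init_t. Prints the path written.
write_xdm_user_contexts() {
    dir="$ROOT/etc/selinux/$SELINUXTYPE/contexts/users"
    mkdir -p "$dir"
    printf '%s\n' "system_r:init_t:s0 system_r:xdm_t:s0" > "$dir/xdm_u"
    printf '%s\n' "$dir/xdm_u"
}

# Tell libsemanage not to relabel gdm's state directories. Appends the line
# only if it is not already present, so re-running the script is harmless.
add_semanage_ignoredirs() {
    conf="$ROOT/etc/selinux/semanage.conf"
    mkdir -p "$(dirname "$conf")"
    [ -f "$conf" ] || : > "$conf"
    line='ignoredirs = /var/lib/gdm;/run/gnome-initial-setup'
    grep -qxF "$line" "$conf" && return 0
    printf '%s\n' "$line" >> "$conf"
}

# Verification helpers: exit 0 when the mapping is exactly as intended.
xdm_contexts_ok() {
    f="$ROOT/etc/selinux/$SELINUXTYPE/contexts/users/xdm_u"
    grep -qxF 'system_r:init_t:s0 system_r:xdm_t:s0' "$f"
}

# Number of ignoredirs lines in semanage.conf (should stay 1 after reruns).
ignoredirs_count() {
    grep -cF 'ignoredirs' "$ROOT/etc/selinux/semanage.conf"
}

# Usage when run directly against the scratch prefix:
#   ROOT=/tmp/rehearse sh thisscript.sh
if [ "${0##*/}" = "thisscript.sh" ]; then
    write_xdm_user_contexts
    add_semanage_ignoredirs
    xdm_contexts_ok && echo "xdm_u default context in place"
fi
```

The contexts file only takes effect once an xdm_u SELinux user actually exists in the loaded policy and gdm's login is mapped to it (normally done with semanage user and semanage login); the script writes the files but does not create the user, and the pairing on the first field ("system_r:init_t:s0") is the context of the parent that performs the login, which is why init_t appears there rather than xdm_t.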