Date: Thu, 28 Jan 2021 22:26:54 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: sddm issue and patch not for inclusion

In Debian/Unstable (which will soon be frozen and become the next stable release) the sddm X login program (the one that's generally recommended and specifically known to generally work well with SE Linux) uses PAM to start a session for the "greeter" (the program that asks for a password before a new session is started). With the policy currently in Debian that means the sddm user matches "__default__" and gets unconfined_u:unconfined_r:unconfined_t, not what is desirable for a program that takes input from unauthenticated users.

role xdm_r;
role xdm_r types xdm_t;
allow system_r xdm_r;
allow xdm_t xdm_tmpfs_t:file execmod;
corecmd_bin_entry_type(xdm_t)

To get this working as a test I put the above in a local policy file, edited /etc/selinux/default/contexts/default_contexts to add a suitable context to the system_r:xdm_t:s0 line, and ran the following 2 commands:

semanage user -a -r s0 -L s0 -R xdm_r -P user xdm
semanage login -a -s xdm -r s0 sddm

I mention the above for the benefit of people who do web searches for such things and get the list archives.

Below is the policy I'm using which will be in the next release of Debian if no-one else has a better idea. NB a "better idea" doesn't mean running the greeter as unconfined_t IMHO.

Also while we can debate about whether modifying sddm to not use PAM for the greeter session is a good idea, such a change would potentially affect people who don't use SE Linux so I won't even waste the time of the sddm maintainer by discussing that possibility with them before the release.
After the release we can discuss such things, but now we need to get things working well in the next few days in a manner that will make users happy for the next 2 years. Index: refpolicy-2.20210126/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/services/xserver.te +++ refpolicy-2.20210126/policy/modules/services/xserver.te @@ -18,6 +18,7 @@ gen_require(` class x_resource all_x_resource_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; + role xdm_r; ') ######################################## @@ -152,6 +153,10 @@ init_daemon_domain(xdm_t, xdm_exec_t) xserver_object_types_template(xdm) xserver_common_x_domain_template(xdm, xdm_t) +# for sddm to use pam for greeter +role xdm_r types xdm_t; +allow system_r xdm_r; + type xdm_lock_t; files_lock_file(xdm_lock_t) @@ -848,6 +853,11 @@ manage_files_pattern(xserver_t, xdm_tmp_ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +# for sddm to use pam for greeter +corecmd_bin_entry_type(xdm_t) +# sddm greeter needs execmod +allow xdm_t xdm_tmpfs_t:file execmod; + # Run Xorg.wrap can_exec(xserver_t, xserver_exec_t) Index: refpolicy-2.20210126/config/appconfig-mcs/seusers =================================================================== --- refpolicy-2.20210126.orig/config/appconfig-mcs/seusers +++ refpolicy-2.20210126/config/appconfig-mcs/seusers @@ -1,2 +1,3 @@ root:unconfined_u:s0-mcs_systemhigh __default__:unconfined_u:s0-mcs_systemhigh +sddm:xdm:s0 Index: refpolicy-2.20210126/policy/users =================================================================== --- refpolicy-2.20210126.orig/policy/users +++ refpolicy-2.20210126/policy/users 
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m gen_user(user_u, user, user_r, s0, s0) gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(xdm, user, xdm_r, s0, s0) # Until order dependence is fixed for users: ifdef(`direct_sysadm_daemon',` Index: refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts =================================================================== --- /dev/null +++ refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts @@ -0,0 +1 @@ +system_r:xdm_t:s0 xdm_r:xdm_t:s0 Index: refpolicy-2.20210126/policy/modules/kernel/kernel.te =================================================================== --- refpolicy-2.20210126.orig/policy/modules/kernel/kernel.te +++ refpolicy-2.20210126/policy/modules/kernel/kernel.te @@ -32,6 +32,7 @@ role system_r; role sysadm_r; role staff_r; role user_r; +role xdm_r; # here until order dependence is fixed: role unconfined_r;
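Review bot: `allow system_r xdm_r;` in the xserver.te hunk at @@ -152,6 +153,10 @@ grants the role change to every domain running in system_r, not only xdm_t; the `role xdm_r types xdm_t` line and the gen_user binding limit what the new role can run, so this is probably acceptable, but the one-line comment should say that this role allow is what lets the PAM session setup done by xdm_t place the greeter in xdm_r, and the two rules would read better as a named interface than as raw rules in the module body.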
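Review bot: the two xdm_t rules in the xserver.te hunk at @@ -848,6 +853,11 @@ are inserted into the xserver_t section (between the manage_*_pattern(xserver_t, xdm_tmp_t, ...) rules and `# Run Xorg.wrap`); move them up to the xdm_t local policy next to the role lines from the earlier hunk. Beyond placement, `corecmd_bin_entry_type(xdm_t)` makes every bin_t binary an entry point into xdm_t, and `allow xdm_t xdm_tmpfs_t:file execmod;` permits executable mappings of modified xdm tmpfs files; both widen what xdm_t confinement allows, so the comments should record which greeter binary needs each (a dedicated entrypoint type for the greeter would be narrower than bin_t), and the execmod rule is a candidate for a tunable so systems whose greeter does not need it can leave it off.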
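Review bot: `+sddm:xdm:s0` is added only to config/appconfig-mcs/seusers, and the new xdm_default_contexts file likewise only under appconfig-mcs; any other appconfig directory that gets built needs the same two entries, otherwise the sddm login on those builds keeps falling through to `__default__:unconfined_u`, which is exactly the problem this patch is fixing.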
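Review bot: `gen_user(xdm, user, xdm_r, s0, s0)` in the policy/users hunk names the SELinux user `xdm` while every neighbouring identity carries the `_u` suffix (user_u, staff_u, sysadm_u); `xdm_u` would follow the convention, with the seusers line, the `semanage user`/`semanage login` commands quoted in the message and the xdm_default_contexts file name changed to match. Also confirm that the `user` prefix in the second argument, which drives the home-directory file context generation for this identity, is what the sddm account should get.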
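Review bot: the new xdm_default_contexts file lists `xdm_r:xdm_t:s0` only for the `system_r:xdm_t:s0` source, which is the right scope: unlike the global default_contexts edit the message describes for the test, a per-user file only affects logins mapped to the xdm identity. Check that the build installs it as contexts/users/xdm (the per-SELinux-user lookup location) rather than next to default_contexts, and that the single line ends with a newline, since the hunk header `@@ -0,0 +1 @@` does not show it.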
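Review bot: `+role xdm_r;` in the kernel.te hunk is placed above the comment `# here until order dependence is fixed:` that explains why unconfined_r is declared there, so it reads as a core kernel role like sysadm_r or staff_r; put it under that comment (or give it its own) so later readers know it lives in kernel.te only for ordering and belongs with xserver.te, where the gen_require pulls it in.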
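The two lookups the message relies on, as an added example (not code from the post or from refpolicy): a simplified Python model of how a Linux login is mapped to an SELinux user through seusers and then to a session context through the per-user contexts file, run against the seusers contents from the patch before and after the `sddm:xdm:s0` line. The USER_ROLES table for unconfined_u and the "no per-user file means fall back to the global default_contexts" behaviour are assumptions of the model; the real libselinux lookup validates each candidate against the loaded policy instead.

```python
# Added example, not from the post or refpolicy: offline model of the lookups
# done when sddm opens the greeter session. seusers maps the login to an
# SELinux user (else __default__); contexts/users/<seuser> maps the caller's
# context to candidate session contexts, filtered by the user's roles.

# Constructed input: seusers before and after the patch.
SEUSERS_BEFORE = """\
root:unconfined_u:s0-mcs_systemhigh
__default__:unconfined_u:s0-mcs_systemhigh
"""
SEUSERS_AFTER = SEUSERS_BEFORE + "sddm:xdm:s0\n"

# Constructed input: per-user context files. Only xdm gets one in the patch;
# users without one fall back to the global default_contexts (not modelled,
# returned as None; for __default__ the post says that ends in unconfined_t).
PER_USER_CONTEXTS = {"xdm": "system_r:xdm_t:s0 xdm_r:xdm_t:s0\n"}

# Roles each SELinux user may take, from gen_user() (unconfined_u assumed).
USER_ROLES = {"unconfined_u": {"unconfined_r", "system_r"}, "xdm": {"xdm_r"}}


def lookup_seuser(seusers, login):
    """Return (seuser, mls_range) for login, falling back to __default__."""
    table = {}
    for line in seusers.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, seuser, mls = line.split(":", 2)
            table[name] = (seuser, mls)
    return table.get(login, table["__default__"])


def default_context(seuser, source_ctx):
    """First candidate listed for source_ctx whose role seuser may take,
    as 'seuser:role:type:level'; None if the user's file has no match."""
    src_role, src_type, _ = source_ctx.split(":")
    for line in PER_USER_CONTEXTS.get(seuser, "").splitlines():
        fields = line.split()
        if fields and tuple(fields[0].split(":")[:2]) == (src_role, src_type):
            for cand in fields[1:]:
                if cand.split(":")[0] in USER_ROLES.get(seuser, set()):
                    return f"{seuser}:{cand}"
    return None


def greeter_context(seusers, login="sddm", caller="system_r:xdm_t:s0"):
    """(seuser, session context) when sddm in caller opens a session for login."""
    seuser, _ = lookup_seuser(seusers, login)
    return seuser, default_context(seuser, caller)
```

With SEUSERS_BEFORE the sddm login resolves to unconfined_u with no per-user file, which is the unconfined_t fall-through the message describes; with SEUSERS_AFTER it resolves to the xdm identity and the greeter gets xdm:xdm_r:xdm_t:s0.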