Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp912583pxb; Thu, 28 Jan 2021 03:34:20 -0800 (PST) X-Google-Smtp-Source: ABdhPJwtWYC0Nck6fUqcVCb49IcE10Px3cE2RLQlKJzLFWA54FOBDku6MmNmp2lyrRZPMM2EBJmD X-Received: by 2002:a17:906:4e0c:: with SMTP id z12mr10417245eju.370.1611833660663; Thu, 28 Jan 2021 03:34:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611833660; cv=none; d=google.com; s=arc-20160816; b=z4w0ff+n7cSn+dGEkCNe46iWxyU3R3WOa7Xq3xY+q14vDmCsNIeRktUa+ymJYnZQyW 1Y14qBLptHWA/XAwJudYgyeChZQ3sHNnxI+EkXXMiXvR8jK9APpfiNTt8fjlZ8OPmobu YIjvMN6FMLMu0fHXnbpD32ffVzKIvbyMn7a94K0DmYCTTQoA6i/Y5qzJge7k12prF4v1 +szelEMy6afVJ1BB6SKFGEq7ehlbc1/teNjZme7i6WlPwy2OoShjyuk22kb/GfuxBH+n 3s7wD6b0nH6ZDi0SKbSCfrbodUrFxDyqJLtvUQ5kAEoiiwMflWMalTIe4KCv8x1Diory c2Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=HqWWjWoxJZVeOUKFjRU9/h1inaLa1KIfF0tk76PJB58=; b=AVJuuJ4af2uEDgimFeVfHKM2bmj+wHEM1tI9QZ3HPS2JhFglv6DXydMIRIH9IfHGQk /y/qe+fpaNJNHA9Ezb6BLDPnJly9OH8LO1JG8qoXI0fs6PKcsCH9ua+aM7icFcEDF0FK 1ghHWydBw8ttmnC70XBMJM1I7n4FJhtAJ7pjXQMy04y6MffbFu20vKKXFWZB9hl/qbNU WFiWeSka4cmksFJDrAxY2Uvtj65WNrfuNqSyVyT8jduGVSbTd+NuDHzGXqdX1eIId1Ke 4oZY0maonxYXzLeE8VNQjN7cdKa5rewSXmJhKtajtHsjA4xMDzCpiKpzNYMeYilC7Mcq 9aBQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=EnYI01To; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f17si1085261eds.588.2021.01.28.03.34.16; Thu, 28 Jan 2021 03:34:20 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=EnYI01To; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229900AbhA1LeL (ORCPT + 16 others); Thu, 28 Jan 2021 06:34:11 -0500 Received: from agnus.defensec.nl ([80.100.19.56]:43988 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229530AbhA1LeJ (ORCPT ); Thu, 28 Jan 2021 06:34:09 -0500 Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 71AF72A1250; Thu, 28 Jan 2021 12:33:23 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 71AF72A1250 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1611833603; bh=HqWWjWoxJZVeOUKFjRU9/h1inaLa1KIfF0tk76PJB58=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=EnYI01TogrfTbv1QtI0s7iV/kQspZRvjxoKNKFoqJwA+qZ9uEMOUFniMijP745B+X gbwtg07tvSYLb1v539gHjXMDfQhxgalc3XFvKRw8+h0unbIXTcwtPZ4BBSttq+74S+ SH3mXTTIJpMHy7s4pW9OqkP3s+1g6aXhryrA23nM= From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: sddm issue and patch not for inclusion References: Date: Thu, 28 Jan 2021 12:33:20 +0100 In-Reply-To: (Russell Coker's message of "Thu, 28 Jan 2021 22:26:54 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > In Debian/Unstable (which will soon be frozen and become the next stable > release) the sddm X login program (the one that's generally recommended > and specifically known to generally work well with SE Linux) uses PAM to > start a session for the "greeter" (the program that asks for a password > before a new session is started). > > With the policy currently in Debian that means the sddm user matches > "__default__" and gets unconfined_u:unconfined_r:unconfined_t, not what > is desirable for a program that takes input from unauthenticated users. > > role xdm_r; > role xdm_r types xdm_t; > allow system_r xdm_r; > allow xdm_t xdm_tmpfs_t:file execmod; that looks like a bug or at least bad code > corecmd_bin_entry_type(xdm_t) > > To get this working as a test I put the above in a local policy file, > edited /etc/selinux/default/contexts/default_contexts to add a suitable > context to the system_r:xdm_t:s0 line, and run the following 2 commands: > semanage user -a -r s0 -L s0 -R xdm_r -P user xdm > semanage login -a -s xdm -r s0 sddm > > I mention the above for the benefit of people who do web searches for such > things and get the list archives. > > Below is the policy I'm using which will be in the next release of Debian > if no-one else has a better idea. NB a "better idea" doesn't mean running > the greeter as unconfined_t IMHO. Also while we can debate about whether > modifying sddm to not use PAM for the greeter session is a good idea, such > a change would potentially affect people who don't use SE Linux so I won't > even waste the time of the sddm maintainer by discussing that possibility > with them before the release. After the release we can discuss such > things, but now we need to get things working well in the next few days in > a manner that will make users happy for the next 2 years. > > Index: refpolicy-2.20210126/policy/modules/services/xserver.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/services/xserver.te > +++ refpolicy-2.20210126/policy/modules/services/xserver.te > @@ -18,6 +18,7 @@ gen_require(` > class x_resource all_x_resource_perms; > class x_event all_x_event_perms; > class x_synthetic_event all_x_synthetic_event_perms; > + role xdm_r; > ') > > ######################################## > @@ -152,6 +153,10 @@ init_daemon_domain(xdm_t, xdm_exec_t) > xserver_object_types_template(xdm) > xserver_common_x_domain_template(xdm, xdm_t) > > +# for sddm to use pam for greeter > +role xdm_r types xdm_t; > +allow system_r xdm_r; > + > type xdm_lock_t; > files_lock_file(xdm_lock_t) > > @@ -848,6 +853,11 @@ manage_files_pattern(xserver_t, xdm_tmp_ > manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) > manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) > > +# for sddm to use pam for greeter > +corecmd_bin_entry_type(xdm_t) > +# sddm greeter needs execmod > +allow xdm_t xdm_tmpfs_t:file execmod; > + > # Run Xorg.wrap > can_exec(xserver_t, xserver_exec_t) > > Index: refpolicy-2.20210126/config/appconfig-mcs/seusers > =================================================================== > --- refpolicy-2.20210126.orig/config/appconfig-mcs/seusers > +++ refpolicy-2.20210126/config/appconfig-mcs/seusers > @@ -1,2 +1,3 @@ > root:unconfined_u:s0-mcs_systemhigh > __default__:unconfined_u:s0-mcs_systemhigh > +sddm:xdm:s0 > Index: refpolicy-2.20210126/policy/users > =================================================================== > --- refpolicy-2.20210126.orig/policy/users > +++ refpolicy-2.20210126/policy/users > @@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m > gen_user(user_u, user, user_r, s0, s0) > gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) > +gen_user(xdm, user, xdm_r, s0, s0) > > # Until order dependence is fixed for users: > ifdef(`direct_sysadm_daemon',` > Index: refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts > =================================================================== > --- /dev/null > +++ refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts > @@ -0,0 +1 @@ > +system_r:xdm_t:s0 xdm_r:xdm_t:s0 > Index: refpolicy-2.20210126/policy/modules/kernel/kernel.te > =================================================================== > --- refpolicy-2.20210126.orig/policy/modules/kernel/kernel.te > +++ refpolicy-2.20210126/policy/modules/kernel/kernel.te > @@ -32,6 +32,7 @@ role system_r; > role sysadm_r; > role staff_r; > role user_r; > +role xdm_r; > > # here until order dependence is fixed: > role unconfined_r; > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift