Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp914653pxb;
        Thu, 28 Jan 2021 03:37:37 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzOrLl4khXl9TYAv3oKyf8VX90gmYz4oCsqr0KNhESQwP8ijWVr0PyoLMfgpUADw+e7N5sy
X-Received: by 2002:a05:6402:215:: with SMTP id t21mr13627867edv.363.1611833857559;
        Thu, 28 Jan 2021 03:37:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611833857; cv=none;
        d=google.com; s=arc-20160816;
        b=NZqj6FvoKC+yIAjGwNmWvkDb+49hipsX4CJ+zjYNfXwnM2kY6XmFraXyI/KeEWHkmX
         nJDleEX0TgXd8Ida7WNs4uJII0xgzeOLiyizUWGzPtq6pl/D9QDD60jPJBK37QJ9mpKS
         EW3nakb8tvZED0JtS9XeeEzQD4RH4ZdPqwRSjIHrwk24EUQHEP5IdZtXXXoBX1oUpk3X
         Gbqmx6WRE64e0fQirnBLmNdLyWYB6FhN0Qou9G6oJToQYcIi3y3tbcQriopDyRlSSBxq
         73gDu4BcpCmeBmkRMU8RGTDJssXDrRMbjwYx9qYzcqcQ2LpKEyFFsA2eQ7PwxecVHMe5
         6bOg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to
         :date:references:subject:cc:to:from:dkim-signature:dkim-filter;
        bh=LMYrIQ2ZkUi08HfgYsPJwG9eFJkCM/JTgJQjg/QxDE4=;
        b=eIdI6Gtwm+gxan6ADL1tF2YutiPTZX3ZVDblHLFyKOS3yJ4lALcFpT0yu34JS1xybz
         gFsoU0qrcVCrPmC91abpDR6WA3IREM7oPK2VbMHgjWmKint14usWH8KamLjBCi1K0y9I
         ezIwp3Tjd+TrCpr5EhFPHKFOC8eOCkgUFBOWBtIg3zeRf1fiPcZ1z+Y9L1Lwtkzs0GFp
         K6rw4pfjfEKAmO/6IemIkgZU2KI9bQhZdEn/2MujSyW4a2I+sABbr36v7W42VHYGPjIB
         5qn0nOngT9A1et697F0oed7XidgpU76tx2OaU8AzL3AUESX2FQAGamKj/+U5lZaul7TT
         2mOA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=PLoiFqHW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id gb28si2345758ejc.510.2021.01.28.03.37.33;
        Thu, 28 Jan 2021 03:37:37 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=PLoiFqHW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231266AbhA1LhF (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Thu, 28 Jan 2021 06:37:05 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34206 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231256AbhA1LhD (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 28 Jan 2021 06:37:03 -0500
Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id C82FAC061573
        for <selinux-refpolicy@vger.kernel.org>; Thu, 28 Jan 2021 03:36:23 -0800 (PST)
Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id 2727C2A1250;
        Thu, 28 Jan 2021 12:36:22 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 2727C2A1250
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl;
        s=default; t=1611833782;
        bh=LMYrIQ2ZkUi08HfgYsPJwG9eFJkCM/JTgJQjg/QxDE4=;
        h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
        b=PLoiFqHWpy9eEZqTfXg1hE5oJj79S9ig8AnRSqAwmDwlOSyX27H9e7XB9Ob+lUDKd
         0FosAPR1oTEHizXyHVCxOrYKKAveSVNop9ybtWCOa2kYpzc77QPgPWopvcXtISFJMT
         gywREepkd8Z8WgOcHxOMioHkwr6p8JuhFaNwMRjw=
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: sddm issue and patch not for inclusion
References: <YBKffiAQlZZZbCix@xev> <ypjl4kj1jny7.fsf@defensec.nl>
Date:   Thu, 28 Jan 2021 12:36:19 +0100
In-Reply-To: <ypjl4kj1jny7.fsf@defensec.nl> (Dominick Grift's message of "Thu,
        28 Jan 2021 12:33:20 +0100")
Message-ID: <ypjlzh0ti98s.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> In Debian/Unstable (which will soon be frozen and become the next stable
>> release) the sddm X login program (the one that's generally recommended
>> and specifically known to generally work well with SE Linux) uses PAM to
>> start a session for the "greeter" (the program that asks for a password
>> before a new session is started).
>>
>> With the policy currently in Debian that means the sddm user matches
>> "__default__" and gets unconfined_u:unconfined_r:unconfined_t, not what
>> is desirable for a program that takes input from unauthenticated users.
>>
>> role xdm_r;
>> role xdm_r types xdm_t;
>> allow system_r xdm_r;
>> allow xdm_t xdm_tmpfs_t:file execmod;
>
> that looks like a bug or at least bad code
>
>> corecmd_bin_entry_type(xdm_t)

Also wondering what or which bin_t file or files this applies to and if
it instead is not possible to give these a private type 

>>
>> To get this working as a test I put the above in a local policy file,
>> edited /etc/selinux/default/contexts/default_contexts to add a suitable
>> context to the system_r:xdm_t:s0 line, and run the following 2 commands:
>> semanage user -a -r s0 -L s0 -R xdm_r -P user xdm
>> semanage login -a -s xdm -r s0 sddm
>>
>> I mention the above for the benefit of people who do web searches for such
>> things and get the list archives.
>>
>> Below is the policy I'm using which will be in the next release of Debian
>> if no-one else has a better idea.  NB a "better idea" doesn't mean running
>> the greeter as unconfined_t IMHO.  Also while we can debate about whether
>> modifying sddm to not use PAM for the greeter session is a good idea, such
>> a change would potentially affect people who don't use SE Linux so I won't
>> even waste the time of the sddm maintainer by discussing that possibility
>> with them before the release.  After the release we can discuss such
>> things, but now we need to get things working well in the next few days in
>> a manner that will make users happy for the next 2 years.
>>
>> Index: refpolicy-2.20210126/policy/modules/services/xserver.te
>> ===================================================================
>> --- refpolicy-2.20210126.orig/policy/modules/services/xserver.te
>> +++ refpolicy-2.20210126/policy/modules/services/xserver.te
>> @@ -18,6 +18,7 @@ gen_require(`
>>  	class x_resource all_x_resource_perms;
>>  	class x_event all_x_event_perms;
>>  	class x_synthetic_event all_x_synthetic_event_perms;
>> +	role xdm_r;
>>  ')
>>  
>>  ########################################
>> @@ -152,6 +153,10 @@ init_daemon_domain(xdm_t, xdm_exec_t)
>>  xserver_object_types_template(xdm)
>>  xserver_common_x_domain_template(xdm, xdm_t)
>>  
>> +# for sddm to use pam for greeter
>> +role xdm_r types xdm_t;
>> +allow system_r xdm_r;
>> +
>>  type xdm_lock_t;
>>  files_lock_file(xdm_lock_t)
>>  
>> @@ -848,6 +853,11 @@ manage_files_pattern(xserver_t, xdm_tmp_
>>  manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>>  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
>>  
>> +# for sddm to use pam for greeter
>> +corecmd_bin_entry_type(xdm_t)
>> +# sddm greeter needs execmod
>> +allow xdm_t xdm_tmpfs_t:file execmod;
>> +
>>  # Run Xorg.wrap
>>  can_exec(xserver_t, xserver_exec_t)
>>  
>> Index: refpolicy-2.20210126/config/appconfig-mcs/seusers
>> ===================================================================
>> --- refpolicy-2.20210126.orig/config/appconfig-mcs/seusers
>> +++ refpolicy-2.20210126/config/appconfig-mcs/seusers
>> @@ -1,2 +1,3 @@
>>  root:unconfined_u:s0-mcs_systemhigh
>>  __default__:unconfined_u:s0-mcs_systemhigh
>> +sddm:xdm:s0
>> Index: refpolicy-2.20210126/policy/users
>> ===================================================================
>> --- refpolicy-2.20210126.orig/policy/users
>> +++ refpolicy-2.20210126/policy/users
>> @@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
>>  gen_user(user_u, user, user_r, s0, s0)
>>  gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
>>  gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>> +gen_user(xdm, user, xdm_r, s0, s0)
>>  
>>  # Until order dependence is fixed for users:
>>  ifdef(`direct_sysadm_daemon',`
>> Index: refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts
>> ===================================================================
>> --- /dev/null
>> +++ refpolicy-2.20210126/config/appconfig-mcs/xdm_default_contexts
>> @@ -0,0 +1 @@
>> +system_r:xdm_t:s0		xdm_r:xdm_t:s0
>> Index: refpolicy-2.20210126/policy/modules/kernel/kernel.te
>> ===================================================================
>> --- refpolicy-2.20210126.orig/policy/modules/kernel/kernel.te
>> +++ refpolicy-2.20210126/policy/modules/kernel/kernel.te
>> @@ -32,6 +32,7 @@ role system_r;
>>  role sysadm_r;
>>  role staff_r;
>>  role user_r;
>> +role xdm_r;
>>  
>>  # here until order dependence is fixed:
>>  role unconfined_r;
>>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift