From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Wed, 16 Feb 2022 10:40:59 -0500
Subject: Re: [PATCH] sddm role
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/16/2022 08:12, Russell Coker wrote:
> This patch adds a role for the xdm program. It's needed by sddm because
> it uses PAM to run its own worker process and thus needs to do all the
> checks for a valid session for its own UID. IMO this is a bug in the code.
>
> Index: refpolicy-2.20220216/config/appconfig-mcs/seusers
> ===================================================================
> --- refpolicy-2.20220216.orig/config/appconfig-mcs/seusers
> +++ refpolicy-2.20220216/config/appconfig-mcs/seusers
> @@ -1,2 +1,3 @@
> root:unconfined_u:s0-mcs_systemhigh
> __default__:unconfined_u:s0-mcs_systemhigh
> +sddm:xdm:s0

Did you try sddm:system_u instead? That seems like it could make the change a
bit simpler, since we won't need the additional xdm_r.

Also, config changes should be reflected in the appconfig-standard and
appconfig-mls configs, in addition to -mcs.

--
Chris PeBenito
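
Review bot: In the added line `+sddm:xdm:s0` of the config/appconfig-mcs/seusers hunk, the SELinux user field is `xdm`, which departs from the `_u` suffix used by the two existing entries (`unconfined_u`), and nothing in this hunk shows where a user of that name is declared. If the rest of the patch declares it, naming it `xdm_u` would keep the login mapping consistent with its neighbours; otherwise the entry should point at an SELinux user that already exists. The range is also a bare `s0` where the existing entries use `s0-mcs_systemhigh`; if confining sddm to a single level is intentional, the patch description should say so.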