Date: Thu, 17 Feb 2022 17:53:06 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] new sddm pam patch

Here is a new patch for sddm using PAM for its own helper. This one uses system_r instead of xdm_r and has patches for all 3 versions of the policy config. I think it's ready for inclusion.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220217/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20220217.orig/policy/modules/services/xserver.te +++ refpolicy-2.20220217/policy/modules/services/xserver.te @@ -843,6 +843,9 @@ manage_files_pattern(xserver_t, xdm_tmp_ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +# for sddm to use pam for greeter, sddm greeter needs execmod +allow xdm_t xdm_tmpfs_t:file execmod; + # Run Xorg.wrap can_exec(xserver_t, xserver_exec_t) Index: refpolicy-2.20220217/config/appconfig-mcs/seusers =================================================================== --- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers +++ refpolicy-2.20220217/config/appconfig-mcs/seusers @@ -1,2 +1,3 @@ root:unconfined_u:s0-mcs_systemhigh __default__:unconfined_u:s0-mcs_systemhigh +sddm:xdm:s0 Index: refpolicy-2.20220217/policy/users =================================================================== --- refpolicy-2.20220217.orig/policy/users +++ refpolicy-2.20220217/policy/users 
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m gen_user(user_u, user, user_r, s0, s0) gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(xdm, user, system_r, s0, s0) # Until order dependence is fixed for users: ifdef(`direct_sysadm_daemon',` Index: refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts =================================================================== --- /dev/null +++ refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts @@ -0,0 +1 @@ +system_r:xdm_t:s0 system_r:xdm_t:s0 Index: refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts =================================================================== --- /dev/null +++ refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts @@ -0,0 +1 @@ +system_r:xdm_t:s0 system_r:xdm_t:s0 Index: refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts =================================================================== --- /dev/null +++ refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts @@ -0,0 +1 @@ +system_r:xdm_t system_r:xdm_t
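
Review bot: In the xserver.te hunk at -843, `allow xdm_t xdm_tmpfs_t:file execmod;` is granted unconditionally and sits among the xserver_t rules (between the xdm_tmp_t patterns and the "Run Xorg.wrap" block) although its source domain is xdm_t. execmod lets xdm_t execute a file mapping after it has been modified, so the rule loosens memory protection for everything that runs in xdm_t, not only sddm. Please move it to the xdm_t part of the file, say in the comment which sddm component triggers the denial, and consider putting it behind a tunable so systems without sddm do not get it.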
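
Review bot: The seusers hunk adds `sddm:xdm:s0` only under config/appconfig-mcs, while the cover text says all 3 versions of the policy config are handled and xdm_default_contexts is added for mcs, mls and standard. If appconfig-mls and appconfig-standard also ship a seusers file, they need the matching entry (without the level for standard); otherwise the sddm account would presumably fall back to the `__default__` mapping there and the new default contexts would never be consulted.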
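
Review bot: In the policy/users hunk, the new `gen_user(xdm, user, system_r, s0, s0)` breaks the `_u` naming used by every neighbouring entry (user_u, staff_u, sysadm_u) and carries no comment. Naming it xdm_u, with the seusers entry and the xdm_default_contexts file names updated to match, would keep it from being confused with the xdm_t type. A one-line comment should say that this SELinux user exists for the sddm Linux account and why it is given system_r.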
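
Review bot: Each new xdm_default_contexts file has a single entry mapping system_r:xdm_t to system_r:xdm_t, so the PAM session opened for the sddm account stays in the display manager's own domain with no transition. Combined with the execmod rule in the xserver.te hunk, this puts the greeter's relaxed memory permission on xdm_t itself. The commit message should state that this is intended, or the entry should target a separate greeter domain.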