Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp158562pxb;
        Thu, 17 Feb 2022 00:48:05 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwuLWbUMckCo6I0kVEKLWaFNGAq9yeIh+m7pIzhJ/9kupg5bFBMJ/+Al2jfa9U33umJvbqh
X-Received: by 2002:a62:8787:0:b0:4e1:b69:5ea7 with SMTP id i129-20020a628787000000b004e10b695ea7mr1895618pfe.31.1645087684898;
        Thu, 17 Feb 2022 00:48:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1645087684; cv=none;
        d=google.com; s=arc-20160816;
        b=DvCROeF1oMCl09Ht0iICDv2MmGEFBVmm2mZorF95yHaFwG9EhGz1gC5n+e4tCjOgL1
         +LJg3z82nTjE2x5n5muAxyV+ExPFvDwiyokYUPuxGEdnNrmyCWyQP7HUtd6Crq/97Dye
         ag+K7w+MxuExwFxPMJF+y/Jvmd2UF5233b8w0Bpd7c44UO4R7/jM4mWKHCC8K7HMOlbl
         lUAcxlQZGH67OBouhZdAYrxOb4b4TXgacGoh0cRZHuUAufxZKv4lQuZG+rIrm5bzAWD5
         1iLkSlfc8zHPR9mRMDu6Lh+LufiPzlBiQmY9ZO6poS7XJH7Ss6z6mwRS4aG+UCvn25nV
         /Czg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=jo4moJOoocTz3fqCSej7nPuYzermKjX8MEWAsiZ/g2w=;
        b=ds6ET8jh/Tm5LMmY0GJGZVK0o41kqi0cHE4Cgkbj/Wkk9El1IkGzbcikFSDjcvm5kw
         uAvUZAmO5W+s4vvzF551mvfDMP8Zu8LSzoU8LdcnIIgh/QT/MM63n51FQqUGajUPw7fg
         ex6ftQ7sS3Fgc8aNvLjgegQutN6SEM56f2SPcoozIMFzVydogKRGz3P89AjSpsRj9mFC
         i+pYCqgJmiYHzPjLPXyJciiSKt7HnXexP02IIUH24cNpoAtiKpjWG6CyOsnKFPaCtTbh
         wdiC9pkEyfSWwo8rb9v4jXoDGBbOMOGcTozf3YJ2b43XvgAwMBNlEn9mfUm+j6tfnRLf
         c9Gg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=fvuocyzW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id s11si7566130pgs.575.2022.02.17.00.47.58;
        Thu, 17 Feb 2022 00:48:04 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=fvuocyzW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232385AbiBQGx1 (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 22 others); Thu, 17 Feb 2022 01:53:27 -0500
Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:41888 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234450AbiBQGx1 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 17 Feb 2022 01:53:27 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:201:1e6::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E74D327AA0F
        for <selinux-refpolicy@vger.kernel.org>; Wed, 16 Feb 2022 22:53:12 -0800 (PST)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id B6D3CF46A
        for <selinux-refpolicy@vger.kernel.org>; Thu, 17 Feb 2022 17:53:10 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1645080791;
        bh=jo4moJOoocTz3fqCSej7nPuYzermKjX8MEWAsiZ/g2w=; l=2668;
        h=Date:From:To:Subject:From;
        b=fvuocyzWR6/Ez3aoxldIgWoB3/R+1wgDbKGhmKMjFs0UK3yy+xeNZvAytimkCNuff
         cKUVflYq9pFJzkO3TF0dkckZ4ex/B7K81V/ZOe66pAYwSVQrfPsh4U1A+1V8zFT3Hf
         AiwTea7IRinyQ/TgzZ4zvmPP4ODKIfukWvrktKOY=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 36DD417343D9; Thu, 17 Feb 2022 17:53:06 +1100 (AEDT)
Date:   Thu, 17 Feb 2022 17:53:06 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] new sddm pam patch
Message-ID: <Yg3w0gpFvUWATmA2@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Here is a new patch for sddm using PAM for it's own helper.  This one
uses system_r instead of xdm_r and has patches for all 3 versions of the
policy config.  I think it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20220217/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20220217.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20220217/policy/modules/services/xserver.te
@@ -843,6 +843,9 @@ manage_files_pattern(xserver_t, xdm_tmp_
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
Index: refpolicy-2.20220217/config/appconfig-mcs/seusers
===================================================================
--- refpolicy-2.20220217.orig/config/appconfig-mcs/seusers
+++ refpolicy-2.20220217/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:unconfined_u:s0-mcs_systemhigh
 __default__:unconfined_u:s0-mcs_systemhigh
+sddm:xdm:s0
Index: refpolicy-2.20220217/policy/users
===================================================================
--- refpolicy-2.20220217.orig/policy/users
+++ refpolicy-2.20220217/policy/users
@@ -27,6 +27,7 @@ gen_user(system_u,, system_r, s0, s0 - m
 gen_user(user_u, user, user_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(xdm, user, system_r, s0, s0)
 
 # Until order dependence is fixed for users:
 ifdef(`direct_sysadm_daemon',`
Index: refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0		system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0		system_r:xdm_t:s0
Index: refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
===================================================================
--- /dev/null
+++ refpolicy-2.20220217/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t		system_r:xdm_t