From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] new sddm pam patch
Date: Mon, 25 Apr 2022 18:57:42 +0200
Message-ID: <875ymx5ce1.fsf@defensec.nl>

These desktop managers have a pam stack, and that includes /etc/pam.d/systemd-user, which provides the user with a systemd --user instance.

If you do not add a seuser for these DM users, then their systemd --user instance ends up with system_u:system_r:init_t:s0 (the context of pid 1, which creates these systemd --user instances).

One possible solution would be if we could add clauses to pam config files, like for example:

if ! (user sddm) { session ... pam_selinux.so ... }

But I am not sure if something like that is even possible, and even if it was possible, some parts of the DE need selinux in the pam stack (for logging in the user).

But yes, the main issue is the pam_selinux call in the pam_systemd stack. Ideally we maintain some kind of compatibility with systems that have pam_systemd and ones that do not.

The alternative way is indeed to create a seuser so that we can tell pam_selinux explicitly to stay in system_r:xdm_t:s0 (so the systemd --user instance for the DE user will run in xdm_t, and so all the transitions will be the same whether the DE starts it via systemd --user or starts it manually).

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
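The following is an added check for the situation the message above describes; it is not code from the refpolicy project or from the message author. It parses constructed samples shaped like the output of `ps -eZ -o label,user,pid,args` and `semanage login -l` (embedded inline, not captured from a real host) and reports two things: a `systemd --user` instance that still carries pid 1's `init_t` context instead of `xdm_t`, and a display-manager login with no explicit seuser mapping. The seuser name `xdm_u` used in the "after" sample is an assumption; the message does not pick one.

```python
"""Audit DM `systemd --user` instances and their SELinux login mappings.

Added example, not project code. Sample data below is constructed.
"""
from typing import Dict, List

# Constructed sample in the shape of `ps -eZ -o label,user,pid,args` output.
SAMPLE_PS = """\
LABEL                             USER     PID COMMAND
system_u:system_r:init_t:s0       root       1 /sbin/init
system_u:system_r:xdm_t:s0        root     812 /usr/bin/sddm
system_u:system_r:init_t:s0       sddm     830 /lib/systemd/systemd --user
staff_u:staff_r:staff_t:s0        joe     1402 /lib/systemd/systemd --user
"""

# Constructed sample in the shape of `semanage login -l` output; the sddm
# login has no explicit mapping and so falls through to __default__.
SAMPLE_LOGINS_BEFORE = """\
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
joe                  staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Same sample after an assumed `semanage login -a -s xdm_u sddm`
# (xdm_u is a hypothetical seuser name, not taken from the message).
SAMPLE_LOGINS_AFTER = SAMPLE_LOGINS_BEFORE + (
    "sddm                 xdm_u                s0                   *\n")

# Same ps sample after the fix: the sddm user instance now runs in xdm_t.
SAMPLE_PS_AFTER = "\n".join(
    line.replace("init_t", "xdm_t") if " sddm " in line else line
    for line in SAMPLE_PS.splitlines()) + "\n"


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Split ps output (header dropped) into label/user/pid/args rows."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append(dict(zip(("label", "user", "pid", "args"), parts)))
    return rows


def context_type(label: str) -> str:
    """Type field of a user:role:type[:level] security context."""
    return label.split(":")[2]


def login_mappings(text: str) -> Dict[str, str]:
    """login name -> SELinux user, from `semanage login -l` style output."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            mapping[parts[0]] = parts[1]
    return mapping


def user_instances_in_type(ps_text: str, selinux_type: str) -> List[Dict[str, str]]:
    """`systemd --user` processes whose context type equals selinux_type."""
    return [r for r in parse_ps(ps_text)
            if r["args"].endswith("systemd --user")
            and context_type(r["label"]) == selinux_type]


def audit(ps_text: str, logins_text: str, dm_logins=("sddm",)) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    # A user instance in init_t means pam_selinux did not move it away from
    # the context of pid 1, which forks these instances.
    for row in user_instances_in_type(ps_text, "init_t"):
        findings.append(f"pid {row['pid']}: systemd --user for {row['user']} "
                        "runs as init_t, i.e. it kept pid 1's context")
    mapping = login_mappings(logins_text)
    for login in dm_logins:
        if login not in mapping:
            findings.append(f"login {login} has no explicit seuser mapping "
                            f"(falls through to __default__ -> "
                            f"{mapping.get('__default__', '?')})")
    return findings


if __name__ == "__main__":
    for tag, ps, logins in (("before", SAMPLE_PS, SAMPLE_LOGINS_BEFORE),
                            ("after", SAMPLE_PS_AFTER, SAMPLE_LOGINS_AFTER)):
        print(tag, audit(ps, logins) or ["no findings"])
```

On a real host you would feed `audit()` the live output of the two commands; the "after" samples show what both checks look like once a seuser exists for the DM login and its user instance is in xdm_t.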