2016-08-08 08:10:11

by Jason Zaman

Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM

LightDM is split into two parts: the main part and greeter. The greeter logs in
as root so switches to staff_t and is not in xdm_t anymore and needs to get the
list of users. It crashes and fails to start without this.

type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.706:342179): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.709:342180): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.838:342182): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=signal interface=org.freedesktop.Accounts.User member=Changed dest=org.freedesktop.DBus spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.849:342183): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.851:342184): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
---
policy/modules/roles/staff.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 33c6993..448a83c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#

optional_policy(`
+ accountsd_dbus_chat(staff_t)
+')
+
+optional_policy(`
apache_role(staff_r, staff_t)
')

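Review bot: the one denied record in the description (`avc: denied { send_msg } ... interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager scontext=root:staff_r:staff_t ... tcontext=system_u:system_r:xdm_t`) is the only line that documents a rule actually missing from the loaded policy, and this hunk adds nothing for it: accountsd_dbus_chat(staff_t) covers the staff_t and accountsd_t method calls, returns and signals in both directions (every one of which the log already shows as granted), but the staff_t to xdm_t property read stays denied in enforcing mode. Either say in the commit message why that denial is harmless for the greeter, or add the xserver module's xdm dbus-chat interface for staff_t in its own optional_policy block (xserver_dbus_chat_xdm(staff_t) in the refpolicy tree, if that is the name in the branch this targets). Placement is fine: the new block keeps the optional_policy list alphabetical, accountsd before apache.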
--
2.7.3
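
An added example, not refpolicy code and not part of the patch or this thread: a small triage script that reads dbus USER_AVC records like the ones above, groups them into (source type, target type) flows, parses the `*_dbus_chat()` calls a patch adds, and reports the flows the patch leaves uncovered. The sample audit lines and the hunk are copied from the message above. Its one naming assumption is that `<prefix>_dbus_chat(<src>)` covers send_msg both ways between `<src>` and `<prefix>_t`, which holds for accountsd_dbus_chat(staff_t) but is not a general refpolicy rule (the interface for xdm_t lives in the xserver module), so the derived names are hints to check against the .if files.

```python
"""Triage the dbus USER_AVC records in a patch description against the patch.

Added example for this thread: not refpolicy code and not part of the patch.
Sample input is copied from the audit output and the hunk in the message above.
Naming ASSUMPTION: an added line '<prefix>_dbus_chat(<src>)' is taken to cover
send_msg in both directions between <src> and '<prefix>_t'. That holds for
accountsd_dbus_chat(staff_t) but is not a general refpolicy rule (the interface
for xdm_t, for instance, lives in the xserver module), so treat the pairs this
script derives as hints to check against the .if files, not as answers.
"""
import re
from collections import defaultdict

# Four of the records posted with the patch, copied verbatim.
SAMPLE_AUDIT = r"""
type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1470642176.838:342182): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=signal interface=org.freedesktop.Accounts.User member=Changed dest=org.freedesktop.DBus spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
"""

# The added lines of the hunk, as they appear in the patch.
SAMPLE_PATCH = """
 optional_policy(`
+\taccountsd_dbus_chat(staff_t)
+')
"""

_MSG = re.compile(r"msg='(?P<inner>avc: .*)'\s*$")          # the userspace AVC payload
_AVC = re.compile(r"^avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                      # key=value fields
_CHAT = re.compile(r"^\+\s*(?P<prefix>\w+)_dbus_chat\((?P<src>\w+)\)")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] context string."""
    return ctx.split(":")[2]


def parse_user_avc(line):
    """Parse one USER_AVC line into a dict, or None if it is not a dbus AVC record."""
    m = _MSG.search(line)
    if not m:
        return None
    inner = m.group("inner")
    avc = _AVC.match(inner)
    if not avc:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(inner)}
    if fields.get("tclass") != "dbus" or "scontext" not in fields or "tcontext" not in fields:
        return None
    what = fields.get("msgtype", "?")          # method_return records carry no interface/member
    if "member" in fields:
        what += " " + fields.get("interface", "?") + "." + fields["member"]
    return {
        "result": avc.group("result"),
        "perms": frozenset(avc.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "what": what,
    }


def observed_flows(lines):
    """Group dbus records by (source type, target type); a flow remembers what was
    seen on it and whether any of it was denied."""
    flows = defaultdict(lambda: {"denied": False, "seen": set()})
    for line in lines:
        rec = parse_user_avc(line)
        if rec is None:
            continue
        flow = flows[(rec["stype"], rec["ttype"])]
        flow["seen"].add(rec["what"])
        flow["denied"] |= rec["result"] == "denied"
    return dict(flows)


def chat_pairs_in_patch(patch_text):
    """Unordered {src, target} pairs the patch's added *_dbus_chat() calls cover.
    ASSUMPTION: the target type is '<prefix>_t' (true for accountsd, not in general)."""
    pairs = set()
    for line in patch_text.splitlines():
        m = _CHAT.match(line)
        if m:
            pairs.add(frozenset((m.group("src"), m.group("prefix") + "_t")))
    return pairs


def uncovered_flows(flows, chat_pairs):
    """Flows no *_dbus_chat() in the patch accounts for. dbus_chat interfaces allow
    send_msg both ways, so direction is ignored when matching."""
    return {pair: info for pair, info in flows.items() if frozenset(pair) not in chat_pairs}


def triage(audit_text, patch_text):
    """Observed dbus flows in audit_text that patch_text's dbus_chat calls leave open."""
    return uncovered_flows(observed_flows(audit_text.splitlines()), chat_pairs_in_patch(patch_text))


if __name__ == "__main__":
    for (src, dst), info in sorted(triage(SAMPLE_AUDIT, SAMPLE_PATCH).items()):
        state = "DENIED" if info["denied"] else "granted"
        print(f"{src} -> {dst}: {state}; no *_dbus_chat() in the patch covers it")
        for what in sorted(info["seen"]):
            print("   ", what)
```

Run as `python3 triage.py` it prints the single flow the hunk does not cover, `staff_t -> xdm_t: DENIED` with `method_call org.freedesktop.DBus.Properties.Get`, and stays silent about the accountsd flows because accountsd_dbus_chat(staff_t) matches them in both directions. Granted records are included on purpose: the description treats the whole exchange as something the greeter needs, and a granted line still tells you which module the rule belongs in.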


2016-08-08 15:07:11

by Dac Override

Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM

On 08/08/2016 10:10 AM, Jason Zaman wrote:
> LightDM is split into two parts: the main part and greeter. The greeter logs in
> as root so switches to staff_t and is not in xdm_t anymore and needs to get the
> list of users. It crashes and fails to start without this.

I am not expecting any changes here, but for the record I will still
leave a comment.

It is transitioning to the login shell domain because it is told to. In
DSSP this is handled differently for the various login programs (except
local login).

Instead of telling it with pam_selinux to transition to the login shell
domain, it is told to transition to a prefixed login program domain. In
this scenario for example staff_xdmuser_t. The transition to the login
shell domain happens based on the prefix when the actual login shell is
run (probably after xsession).

Using that approach the login shell does not end up with permissions a
login shell does not need. All these permissions required because login
programs transition too early to the login shell domain really add up.

Same with for example sshd: by transitioning too early you have to
associate the permissions that sshd needs for functionality such as X
forwarding, tunnelling etc. with the login shell domain.


>
> type=USER_AVC msg=audit(1470642176.704:342177): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.Accounts member=ListCachedUsers dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.705:342178): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.706:342179): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.709:342180): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.714:342181): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.DisplayManager spid=8833 tpid=4994 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.838:342182): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=signal interface=org.freedesktop.Accounts.User member=Changed dest=org.freedesktop.DBus spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.849:342183): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=org.freedesktop.Accounts spid=8833 tpid=5007 scontext=root:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> type=USER_AVC msg=audit(1470642176.851:342184): pid=4762 uid=101 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for msgtype=method_return dest=:1.108 spid=5007 tpid=8833 scontext=system_u:system_r:accountsd_t:s0-s0:c0.c1023 tcontext=root:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=101 hostname=? addr=? terminal=?'
> ---
> policy/modules/roles/staff.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 33c6993..448a83c 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
>
> optional_policy(`
> + accountsd_dbus_chat(staff_t)
> +')
> +
> +optional_policy(`
> apache_role(staff_r, staff_t)
> ')
>
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-08-13 12:50:15

by Chris PeBenito

Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM

On 08/08/16 11:07, Dominick Grift wrote:
> On 08/08/2016 10:10 AM, Jason Zaman wrote:
>> LightDM is split into two parts: the main part and greeter. The greeter logs in
>> as root so switches to staff_t and is not in xdm_t anymore and needs to get the
>> list of users. It crashes and fails to start without this.
>
> I am not expecting any changes here, but for the record I will still
> leave a comment.
>
> It is transitioning to the login shell domain because it is told to. In
> DSSP this is handled differently for the various login programs (except
> local login).
>
> Instead of telling it with pam_selinux to transition to the login shell
> domain, it is told to transition to a prefixed login program domain. In
> this scenario for example staff_xdmuser_t. The transition to the login
> shell domain happens based on the prefix when the actual login shell is
> run (probably after xsession).
>
> Using that approach the login shell does not end up with permissions a
> login shell does not need. All these permissions required because login
> programs transition too early to the login shell domain really add up.
>
> Same with for example sshd: by transitioning too early you have to
> associate the permissions that sshd needs for functionality such as X
> forwarding, tunnelling etc. with the login shell domain.

I have been concerned about what you're describing (particularly for
sshd) for some time. I would prefer to fix things the correct way. I
am open to new login domains to better fix these types of problems.
Patches, even if just to put together a skeleton, would be appreciated.
i.e. it doesn't have to fully work in enforcing, but at least set up the
new domains and transitions.


--
Chris PeBenito

2016-08-14 11:49:16

by Dac Override

Subject: [refpolicy] [PATCH] staff: Allow dbus chat with accountsd_t for LightDM

On 08/13/2016 02:50 PM, Chris PeBenito wrote:
> On 08/08/16 11:07, Dominick Grift wrote:
>> On 08/08/2016 10:10 AM, Jason Zaman wrote:
>>> LightDM is split into two parts: the main part and greeter. The
>>> greeter logs in
>>> as root so switches to staff_t and is not in xdm_t anymore and needs
>>> to get the
>>> list of users. It crashes and fails to start without this.
>>
>> I am not expecting any changes here, but for the record I will still
>> leave a comment.
>>
>> It is transitioning to the login shell domain because it is told to. In
>> DSSP this is handled differently for the various login programs (except
>> local login).
>>
>> Instead of telling it with pam_selinux to transition to the login shell
>> domain, it is told to transition to a prefixed login program domain. In
>> this scenario for example staff_xdmuser_t. The transition to the login
>> shell domain happens based on the prefix when the actual login shell is
>> run (probably after xsession).
>>
>> Using that approach the login shell does not end up with permissions a
>> login shell does not need. All these permissions required because login
>> programs transition too early to the login shell domain really add up.
>>
>> Same with for example sshd: by transitioning too early you have to
>> associate the permissions that sshd needs for functionality such as X
>> forwarding, tunnelling etc. with the login shell domain.
>
> I have been concerned about what you're describing (particularly for
> sshd) for some time. I would prefer to fix things the correct way. I
> am open to new login domains to better fix these types of problems.
> Patches, even if just to put together a skeleton, would be appreciated.
> i.e. it doesn't have to fully work in enforcing, but at least set up the
> new domains and transitions.
>
>

In refpolicy I would at least initially focus on dealing with this for
sshd first, because that is simpler than desktop managers, and the
benefits will be more visible and more compelling. That will also then
serve as a proof of concept.

Doing this for desktop managers will not show the benefits unless you
confine the desktop as well. So if you start there then it may not seem
compelling to you, since many of the permissions you would be able to
shave off if you confined the desktop would still be needed when
you run the desktop in the login shell domain (for example gnome control
center will need to system bus chat with accountsd).


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
