From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 2 Jan 2017 21:47:37 +0100
Subject: [refpolicy] sddm policy help needed
In-Reply-To:
References:
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/02/2017 09:30 PM, cgzones wrote:
> The problem is how to transition into the desired destination contexts:
> With the user context
> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
> I get the follow up for the sddm-greeter process
>
> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>
> and for a normal user login
>
> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> ----
> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
> ----
> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>
> How do I transition the context in the first case into sddm_greeter_t
> and in the second case into user_t?

Hard to tell... could be an issue with your pam configuration

How many sddm pam configuration files are there in /etc/pam.d? Which of
those have pam_selinux entries?

>
>
> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
> :
>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>> Hi list,
>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>> Currently with the patches over here
>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>> I am able to log in to the correct user contexts and the sddm
>>> processes have proper contexts:
>>>
>>> root@desktopdebian:~# ps -efZ | grep sddm
>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ? 00:00:00 /usr/bin/sddm
>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ? 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ? 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ? 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2 00:00:00 grep sddm
>>>
>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>> This process is responsible for the graphic login window and is
>>> started by sddm-helper (sddm_helper_t).
>>> But it is not created via fork->exec->setuid/setgid (which can be
>>> handled by an SELinux process transition), instead it is spawned via
>>> pam_start (at least I think so).
>>> So the process gets its context via pam authentication and the SELinux
>>> user login mapping gets involved.
>>> That's the reason for this default_contexts entry:
>>>
>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>
>> I would probably try transitioning to $1_sddm_t
>>
>> Example:
>>
>> system_r:sddm_helper_t user_r:user_sddm_t
>>
>> Then from there see where this gets me
>>
>> If sddm_helper_t is what sets up the login users context, then you have
>> to transition to a domain that can be used to transition to a login
>> shell domain (hence the prefix in user_sddm_t)
>>
>> That should provide some flexibility.
>>
>>>
>>> sddm-helper is also spawning the user processes, so I only get the
>>> correct sddm-greeter context with the system_r target
>>> (user_r:sddm_greeter_t would collide with the target context
>>> user_r:user_t needed for user login).
>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>> login mapping for the user sddm by hand:
>>> semanage login -a -s system_u sddm
>>> That's quite cumbersome and leads to the next problem:
>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>> relabel the directory /var/lib/sddm or any parent directory with the
>>> recursive flag
>>>
>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0
>>>
>>> Am I missing something or can these problems be fixed by reworking my
>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>
>>> Best regards and many thanks in advance,
>>> Christian Göttsche
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy@oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>
>>
>>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
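The denials quoted above are all `entrypoint` checks, which are easy to misread: in an entrypoint AVC the `scontext` is the domain the new process is trying to *enter* (here `user_sddm_t`, the context pam_selinux requested from default_contexts), not the domain of the caller, which is the `subj` field of the matching SYSCALL record (`sddm_helper_t`). The kernel is asking whether the requested domain may be entered through that executable's type. The following is an added example, not code from the thread, from refpolicy or from sddm: a small Python triage script that re-joins the SYSCALL and AVC records quoted in the thread (copied verbatim, one record per line), pairs them by audit serial, and for each entrypoint denial reports the login (`auid`), the caller domain, the domain being entered, the executable type, and the `allow` statement the check corresponds to. It also groups the entered domains per login, which makes the thread's underlying problem visible: the greeter user `sddm` and the real user `christian` both land in `user_sddm_t` because one default_contexts line serves both. All function names are my own.

```python
"""Triage SELinux 'entrypoint' denials from 'ausearch -i' style records.

Added example (not part of the thread, refpolicy or sddm). The records below
are the SYSCALL and AVC lines quoted in the thread, re-joined so that each
record is one line.
"""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value tokens (values may be quoted)
SERIAL_RE = re.compile(r'msg=audit\(([^)]*)\)')   # "01/02/17 20:12:49.147:177"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_record(line):
    """Return (record type, audit serial, fields) for one record, or None."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if 'type' not in fields:
        return None
    perms = PERMS_RE.search(line)
    fields['perms'] = set(perms.group(1).split()) if perms else set()
    serial = int(m.group(1).rsplit(':', 1)[1])   # last ':'-separated piece is the serial
    return fields['type'], serial, fields


def ctx_type(context):
    """user_u:user_r:user_sddm_t:s0 -> user_sddm_t"""
    return context.split(':')[2]


def group_events(log):
    """Pair records that share an audit serial: {serial: {record type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype] = fields
    return events


def triage_entrypoint_denials(log):
    """One finding per entrypoint denial, keyed by audit serial."""
    findings = {}
    for serial, recs in group_events(log).items():
        avc, syscall = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or 'entrypoint' not in avc['perms']:
            continue
        new_domain = ctx_type(avc['scontext'])     # domain the exec tries to enter
        exec_type = ctx_type(avc['tcontext'])      # type of the executable
        caller = ctx_type(syscall['subj']) if 'subj' in syscall else None
        findings[serial] = {
            'login': syscall.get('auid'),
            'path': avc.get('path'),
            'caller_domain': caller,
            'new_domain': new_domain,
            'exec_type': exec_type,
            # True: the exec was meant to change domain (a requested or
            # transitioned context); the entrypoint check applies to that
            # new domain, not to the caller.
            'domain_change': caller is not None and caller != new_domain,
            # The allow statement the kernel looked up and did not find.
            'missing_rule': f'allow {new_domain} {exec_type}:file entrypoint;',
        }
    return findings


def domains_by_login(findings):
    """Which domains each audit login (auid) ended up being placed in."""
    out = defaultdict(set)
    for f in findings.values():
        out[f['login']].add(f['new_domain'])
    return dict(out)


if __name__ == '__main__':
    found = triage_entrypoint_denials(AUDIT_LOG)
    for serial, f in sorted(found.items()):
        print(f"event {serial}: login={f['login']} exec {f['path']} as {f['new_domain']} "
              f"(caller {f['caller_domain']}); kernel looked for: {f['missing_rule']}")
    print('domains entered per login:', domains_by_login(found))
```

The `missing_rule` line is the check that failed, not necessarily the fix: granting `user_sddm_t` entrypoint on `bin_t` or `shell_exec_t` would make it a general-purpose domain, so the per-login grouping is the more useful output, since it shows that the requested context (the default_contexts mapping) is what needs to differ between the greeter and a real user.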