From: cgzones@googlemail.com (cgzones)
Date: Tue, 3 Jan 2017 15:20:27 +0100
Subject: [refpolicy] sddm policy help needed
In-Reply-To: <55aa408b-c20c-b3ec-0818-d97f9482f55f@gmail.com>
References: <55aa408b-c20c-b3ec-0818-d97f9482f55f@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks for your feedback!
I think it is finally working:

The updated default_contexts looks like:

system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t

pam_selinux got patched like attached and the sddm-greeter pam configuration is set to (/etc/pam.d/sddm-greeter):

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open select_default_context=2

How this works:
sddm-helper spawns the sddm-greeter with the pam service sddm-greeter.
There the select_default_context=2 statement ensures that not the first default context returned from SELinux is used but in this case the second one.
The first context is in this case for a login with sddm as user_u user_t, the second one sddm_greeter_t.
The user processes are spawned by sddm-helper with the pam service sddm, so over there the default first context user_t is chosen.

2017-01-02 22:25 GMT+01:00 Dominick Grift :
> On 01/02/2017 10:13 PM, cgzones wrote:
>> My experience with pam authentication is very limited.
>> These three files are present:
>
> Looks like a pam misconfiguration. However since I am not familiar with
> sddm, it's hard to tell what exactly the issue is.
>
> I would encourage you to play with these configuration files (make
> backups though)
>
> You seem to have three instances where pam_selinux is used. Ideally you
> should be able to get rid of two of the three
>
> I think the only valid manual transition is on the xsessions executable
> file.
> The others (kwallet and greeter) probably shouldn't be used
>
> I would try commenting out the pam_selinux entries (one at the time)
> then test to see which entrypoint avc denials you get. Like I said, I
> suspect that the only entrypoint should be on xsessions, so see if you
> can make that happen by playing with the pam_selinux entries in the
> files below
>
>>
>> root@desktopdebian:~# cat /etc/pam.d/sddm
>> #%PAM-1.0
>>
>> # Block login if they are globally disabled
>> auth requisite pam_nologin.so
>> auth required pam_succeed_if.so user != root quiet_success
>>
>> # auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
>> @include common-auth
>> # gnome_keyring breaks QProcess
>> -auth optional pam_gnome_keyring.so
>> -auth optional pam_kwallet5.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule. This ensures that any
>> # lingering context has been cleared. Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>> # Create a new session keyring.
>> session optional pam_keyinit.so force revoke
>> session required pam_limits.so
>> session required pam_loginuid.so
>> session required pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context. Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>> -session optional pam_gnome_keyring.so auto_start
>> -session optional pam_kwallet5.so auto_start
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required pam_env.so envfile=/etc/default/locale
>>
>>
>>
>> root@desktopdebian:~# cat /etc/pam.d/sddm-autologin
>> #%PAM-1.0
>>
>> # Block login if they are globally disabled
>> auth requisite pam_nologin.so
>> auth required pam_permit.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule. This ensures that any
>> # lingering context has been cleared. Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>> # Create a new session keyring.
>> session optional pam_keyinit.so force revoke
>> session required pam_limits.so
>> session required pam_loginuid.so
>> session required pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context. Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required pam_env.so envfile=/etc/default/locale
>>
>>
>>
>> root@desktopdebian:~# cat /etc/pam.d/sddm-greeter
>> #%PAM-1.0
>>
>> auth required pam_permit.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule. This ensures that any
>> # lingering context has been cleared. Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>> # Create a new session keyring.
>> session optional pam_keyinit.so force revoke
>> session required pam_limits.so
>> session required pam_loginuid.so
>> session required pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context. Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required pam_env.so envfile=/etc/default/locale
>>
>> 2017-01-02 21:47 GMT+01:00 Dominick Grift :
>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>> The problem is how to transition into the desired destination contexts:
>>>> With the user context
>>>> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
>>>> I get the follow up for the sddm-greeter process
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>
>>>> and for a normal user login
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>
>>>> How do I transition the context in the first case into sddm_greeter_t
>>>> and in the second case into user_t?
>>>
>>> Hard to tell... could be an issue with your pam configuration
>>> How many sddm pam configuration files are there in /etc/pam.d?
>>> Which of those have pam_selinux entries?
>>>
>>>>
>>>>
>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>>> :
>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>> Hi list,
>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>> Currently with the patches over here
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>> processes have proper contexts:
>>>>>>
>>>>>> root@desktopdebian:~# ps -efZ | grep sddm
>>>>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ? 00:00:00 /usr/bin/sddm
>>>>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>>>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ? 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ? 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ? 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2 00:00:00 grep sddm
>>>>>>
>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>> This process is responsible for the graphic login window and is
>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>> pam_start (at least I think so).
>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>> user login mapping gets involved.
>>>>>> That's the reason for this default_contexts entry:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>
>>>>> I would probably try transitioning to $1_sddm_t
>>>>>
>>>>> Example:
>>>>>
>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>
>>>>> Then from there see where this gets me
>>>>>
>>>>> If sddm_helper_t is what sets up the login users context, then you have
>>>>> to transition to a domain that can be used to transition to a login
>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>
>>>>> That should provide some flexibility.
>>>>>
>>>>>>
>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>> correct sddm-greeter context with the system_r target
>>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>>> user_r:user_t needed for user login).
>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>> login mapping for the user sddm by hand:
>>>>>> semanage login -a -s system_u sddm
>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>> recursive flag
>>>>>>
>>>>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0
>>>>>>
>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>
>>>>>> Best regards and many thanks in advance,
>>>>>> Christian Göttsche
>>>>>> _______________________________________________
>>>>>> refpolicy mailing list
>>>>>> refpolicy@oss.tresys.com
>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>> Dominick Grift
>>>>>
>>>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pam-fix.patch
Type: text/x-patch
Size: 4734 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170103/4995335f/attachment.bin
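The context selection described in the top message, as an added illustration that is not pam_selinux, libselinux or the attached patch: a simplified model of the ordered context list built from the thread's default_contexts entry, with a hypothetical seuser-to-roles table standing in for the policy query libselinux performs, the MLS level omitted, and the second default_contexts line constructed.

```python
"""Model of picking a login context from default_contexts with the
patched select_default_context=N option from this thread.  Added
illustration, not libselinux/pam_selinux code: libselinux asks the
policy which contexts a user may reach (security_compute_user); here a
hypothetical seuser-to-roles table stands in for that query."""

# First line: the thread's updated sddm_helper_t entry.
# Second line: a constructed entry for a different caller domain.
DEFAULT_CONTEXTS = """\
system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
"""

# Hypothetical: which roles each SELinux user identity may take.
SEUSER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},   # the earlier 'semanage login -s system_u sddm' approach
}

SDDM_HELPER = "system_u:system_r:sddm_helper_t:s0"   # context of the caller

def parse_default_contexts(text):
    """Map the caller's 'role:type' to its ordered candidate list."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0]] = fields[1:]
    return table

def ordered_context_list(seuser, caller, table):
    """Candidates from the caller's entry, in file order, restricted to
    roles the seuser may take (in reality the policy decides this)."""
    role, dom = caller.split(":")[1:3]
    allowed = SEUSER_ROLES.get(seuser, set())
    return [f"{seuser}:{c}" for c in table.get(f"{role}:{dom}", [])
            if c.split(":")[0] in allowed]

def select_default_context(contexts, index=1):
    """Patched behaviour from the thread: take the index-th (1-based)
    entry instead of the first; None when the list is too short."""
    return contexts[index - 1] if 1 <= index <= len(contexts) else None

def login_context(seuser, pam_service):
    """pam.d/sddm runs pam_selinux open (index 1); the thread's
    pam.d/sddm-greeter adds select_default_context=2."""
    index = {"sddm": 1, "sddm-greeter": 2}[pam_service]
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    return select_default_context(ordered_context_list(seuser, SDDM_HELPER, table), index)

if __name__ == "__main__":
    for seuser, svc in [("user_u", "sddm"), ("user_u", "sddm-greeter"), ("staff_u", "sddm-greeter")]:
        print(seuser, svc, "->", login_context(seuser, svc))
```

The staff_u case shows the caveat of selecting by position: the second entry is whatever the seuser's roles leave in second place (here sysadm_r:sysadm_t), so the sddm-greeter service must only ever be used for the sddm user.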