From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 3 Jan 2017 16:33:47 +0100
Subject: [refpolicy] sddm policy help needed
In-Reply-To:
References: <55aa408b-c20c-b3ec-0818-d97f9482f55f@gmail.com>
Message-ID: <38ab53a7-41d7-bba7-5df6-e8593f92828d@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/03/2017 03:20 PM, cgzones wrote:
> Thanks for your feedback!
>
> I think it is finally working:
>
> The updated default_context looks like:
>
> system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>
> pam_selinux got patched like attached and the sddm-greeter pam
> configuration is set to (/etc/pam.d/sddm-greeter)
>
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open select_default_context=2
>
> How this works:
> sddm-helper spawns the sddm-greeter with the pam service sddm-greeter.
> There the select_default_context=2 statement ensures that not the
> first default context returned from SELinux is used but in this case
> the second one.
> The first context is in this case for a login with sddm as user_u
> user_t, the second one sddm_greeter_t.
>
> The user processes are spawned by sddm-helper with the pam service
> sddm, so over there the default first context user_t is chosen.
>

That's a nice but ugly hack. Glad you got it "working"

> 2017-01-02 22:25 GMT+01:00 Dominick Grift:
>> On 01/02/2017 10:13 PM, cgzones wrote:
>>> My experience with pam authentication is very limited.
>>> These three files are present:
>>
>> Looks like a pam misconfiguration. However since I am not familiar with
>> sddm, it's hard to tell what exactly the issue is.
>>
>> I would encourage you to play with these configuration files (make
>> backups though)
>>
>> You seem to have three instances where pam_selinux is used. Ideally you
>> should be able to get rid of two of the three
>>
>> I think the only valid manual transition is on the xsessions executable
>> file. The others (kwallet and greeter) probably shouldn't be used
>>
>> I would try commenting out the pam_selinux entries (one at the time)
>> then test to see which entrypoint avc denials you get. Like I said, I
>> suspect that the only entrypoint should be on xsessions, so see if you
>> can make that happen by playing with the pam_selinux entries in the
>> files below
>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth requisite pam_nologin.so
>>> auth required pam_succeed_if.so user != root quiet_success
>>>
>>> # auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
>>> @include common-auth
>>> # gnome_keyring breaks QProcess
>>> -auth optional pam_gnome_keyring.so
>>> -auth optional pam_kwallet5.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>> -session optional pam_gnome_keyring.so auto_start
>>> -session optional pam_kwallet5.so auto_start
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm-autologin
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth requisite pam_nologin.so
>>> auth required pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm-greeter
>>> #%PAM-1.0
>>>
>>> auth required pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>> 2017-01-02 21:47 GMT+01:00 Dominick Grift:
>>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>>> The problem is how to transition into the desired destination contexts:
>>>>> With the user context
>>>>> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
>>>>> I get the follow up for the sddm-greeter process
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> and for a normal user login
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> How do I transition the context in the first case into sddm_greeter_t
>>>>> and in the second case into user_t?
>>>>
>>>> Hard to tell... could be an issue with your pam configuration
>>>> How many sddm pam configuration files are there in /etc/pam.d?
>>>> Which one of those have pam_selinux entries?
>>>>
>>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy:
>>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>>> Hi list,
>>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>>> Currently with the patches over here
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>>> processes have proper contexts:
>>>>>>>
>>>>>>> root@desktopdebian:~# ps -efZ | grep sddm
>>>>>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ? 00:00:00 /usr/bin/sddm
>>>>>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>>>>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ? 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ? 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ? 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ? 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2 00:00:00 grep sddm
>>>>>>>
>>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>>> This process is responsible for the graphic login window and is
>>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>>> pam_start (at least I think so).
>>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>>> user login mapping gets involved.
>>>>>>> That's the reason for this default_contexts entry:
>>>>>>>
>>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>>
>>>>>> I would probably try transitioning to $1_sddm_t
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>>
>>>>>> Then from there see where this gets me
>>>>>>
>>>>>> If sddm_helper_t is what sets up the login users context, then you have
>>>>>> to transition to a domain that can be used to transition to a login
>>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>>
>>>>>> That should provide some flexibility.
>>>>>>
>>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>>> correct sddm-greeter context with the system_r target
>>>>>>> (user_r:sddm_greeter_t would collide with the for user login needed
>>>>>>> target context user_r:user_t).
>>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>>> login mapping for the user sddm by hand:
>>>>>>> semanage login -a -s system_u sddm
>>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>>> recursive flag
>>>>>>>
>>>>>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0
>>>>>>>
>>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>>
>>>>>>> Best regards and many thanks in advance,
>>>>>>> Christian Göttsche
>>>>>>> _______________________________________________
>>>>>>> refpolicy mailing list
>>>>>>> refpolicy@oss.tresys.com
>>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
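Added illustration (not code from the thread, from libselinux or from the pam_selinux patch cgzones mentions): a simplified model of how the default_contexts lookup behind pam_selinux orders candidate login contexts, used here to work through both entries from the thread. The file contents and the REACHABLE table are constructed for the example; REACHABLE stands in for the kernel's security_compute_user() answer, and the select_default_context=N option is modelled as a 1-based index that fails closed (returns None) when the list is shorter than N, which is this example's choice, not necessarily the patch's. Two simplifications: MLS levels are ignored, and the real get_ordered_context_list() also appends reachable contexts that default_contexts does not list, which this model omits.

```python
"""Simplified model of default_contexts ordering as used by pam_selinux.

Added example, not libselinux code.  The calling process context (here
sddm-helper, system_u:system_r:sddm_helper_t:s0) selects the line of
default_contexts whose first field is its role:type; the remaining fields
are candidate role:type pairs in preference order, kept only if the SELinux
user being logged in may actually hold them.
"""

# Constructed: the entry from the original mail (sddm_greeter_t only reachable via system_r).
DEFAULT_CONTEXTS_ORIGINAL = """\
system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
"""

# Constructed: the updated entry, which lists user_r:sddm_greeter_t as the second user_r choice.
DEFAULT_CONTEXTS_UPDATED = """\
system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
"""

# Constructed stand-in for security_compute_user(): role:type pairs each
# SELinux user may hold.  Assumed for this example, not read from a policy.
REACHABLE = {
    "user_u": {"user_r:user_t", "user_r:sddm_greeter_t"},
    "system_u": {"system_r:sddm_greeter_t", "system_r:sddm_helper_t"},
}


def parse_default_contexts(text):
    """Map the caller's 'role:type' to its ordered list of candidate 'role:type' pairs."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def ordered_context_list(text, seuser, caller_context):
    """Candidates for `seuser`, in file order, filtered to reachable pairs.

    Returns full user:role:type strings (levels are ignored in this model).
    """
    parts = caller_context.split(":")
    role_type = ":".join(parts[1:3])          # default_contexts keys on role:type
    candidates = parse_default_contexts(text).get(role_type, [])
    allowed = REACHABLE.get(seuser, set())
    return [f"{seuser}:{c}" for c in candidates if c in allowed]


def select_default_context(text, seuser, caller_context, index=1):
    """Model of select_default_context=N: pick the N-th (1-based) ordered context.

    Fails closed: an out-of-range N yields None rather than silently falling
    back to the first context, so a misconfigured greeter cannot end up in
    the interactive user domain.
    """
    contexts = ordered_context_list(text, seuser, caller_context)
    if 1 <= index <= len(contexts):
        return contexts[index - 1]
    return None


if __name__ == "__main__":
    helper = "system_u:system_r:sddm_helper_t:s0"
    print("original, sddm mapped to user_u, N=2:",
          select_default_context(DEFAULT_CONTEXTS_ORIGINAL, "user_u", helper, 2))
    print("original, sddm mapped to system_u, N=1:",
          select_default_context(DEFAULT_CONTEXTS_ORIGINAL, "system_u", helper, 1))
    print("updated, user_u, N=1 (pam service sddm):",
          select_default_context(DEFAULT_CONTEXTS_UPDATED, "user_u", helper, 1))
    print("updated, user_u, N=2 (pam service sddm-greeter):",
          select_default_context(DEFAULT_CONTEXTS_UPDATED, "user_u", helper, 2))
```

Run as a script it shows why the original entry needed the manual `semanage login -a -s system_u sddm` mapping (with sddm as user_u the only reachable candidate is user_r:user_t, so there is no second choice), and why the updated entry lets the sddm-greeter service take user_r:sddm_greeter_t with N=2 while the sddm service still gets user_r:user_t with the default N=1.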