From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 08 Nov 2017 15:28:51 +0100
Subject: [refpolicy] Refpolicy and gdm/gnome?
In-Reply-To: <CO1PR15MB1032F98F7BE5F4DAE573010AB9560@CO1PR15MB1032.namprd15.prod.outlook.com>
References: <CO1PR15MB1032F98F7BE5F4DAE573010AB9560@CO1PR15MB1032.namprd15.prod.outlook.com>
Message-ID: <576658E8-55F3-4F22-A1A1-D858B558EA9D@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello! 

I am running gnome-shell (wm module) with both the original xdm from Xorg and with gdm from Gnome but *without systemd* and I have not been experiencing problems since a long time ago, when I submitted patches for the wm module.

Why don't you start trying out X without systemd and with the simpler xdm?

In my opinion systemd just adds unneeded complexity and requires non-trivial security permissions! 

Regards, 

Guido 

Il 08 novembre 2017 04:04:15 CET, David Sugar via refpolicy <refpolicy@oss.tresys.com> ha scritto:
>I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and
>trying to start GDM/Gnome.  While in permissive I'm seeing a bunch of
>denials related to xdm_t (enforcing the greeter never starts).  I'm
>happy to go through and fix these things to get stuff working.  I just
>want to make sure that before I begin adding additional rules to allow
>the items I'm seeing that I'm not just missing something (a boolean set
>incorrectly or a missing module or something else?).  I was kind of
>assuming that this would just work but maybe that isn't the case.
>
>Here are the denials I'm seeing.  Any thoughts?
>
>#============= colord_t ==============
>allow colord_t systemd_sessions_var_run_t:file { getattr open read };
>allow colord_t xdm_t:dir search;
>allow colord_t xdm_t:file { getattr open read };
>
>#============= init_t ==============
>allow init_t xdm_t:dbus send_msg;
>
>#============= initrc_t ==============
>allow initrc_t xdm_t:dbus send_msg;
>allow initrc_t xdm_t:process getsched;
>
>#============= systemd_locale_t ==============
>allow systemd_locale_t xdm_t:dbus send_msg;
>
>#============= systemd_logind_t ==============
>allow systemd_logind_t crond_t:dbus send_msg;
>allow systemd_logind_t crond_t:dir search;
>allow systemd_logind_t crond_t:file { getattr open read };
>allow systemd_logind_t init_t:service stop;
>allow systemd_logind_t init_var_run_t:service { start status };
>allow systemd_logind_t tmpfs_t:dir { remove_name write };
>
>#!!!! The file '/run/user/42' is mislabeled on your system.  
>#!!!! Fix with $ restorecon -R -v /run/user/42
>allow systemd_logind_t user_runtime_root_t:dir mounton;
>allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write };
>allow systemd_logind_t user_tmpfs_t:file unlink;
>allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name
>rmdir write };
>allow systemd_logind_t xdm_tmpfs_t:file unlink;
>allow systemd_logind_t xdm_tmpfs_t:sock_file unlink;
>
>#============= systemd_sessions_t ==============
>
>#!!!! The file '/run/systemd/journal/socket' is mislabeled on your
>system.  
>#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket
>allow systemd_sessions_t kernel_t:unix_dgram_socket sendto;
>
>#============= xdm_t ==============
>allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
>allow xdm_t init_t:dbus send_msg;
>allow xdm_t init_t:system status;
>allow xdm_t initrc_t:dbus send_msg;
>
>#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your
>system.  
>#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout
>allow xdm_t kernel_t:unix_stream_socket connectto;
>allow xdm_t self:capability net_admin;
>allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr
>read setopt };
>allow xdm_t self:netlink_selinux_socket { bind create };
>allow xdm_t self:process setcap;
>allow xdm_t sound_device_t:chr_file { ioctl open read write };
>allow xdm_t staff_t:key { link search write };
>allow xdm_t sysctl_crypto_t:dir search;
>allow xdm_t sysctl_crypto_t:file { getattr open read };
>allow xdm_t sysctl_vm_overcommit_t:file { open read };
>allow xdm_t sysctl_vm_t:dir search;
>allow xdm_t systemd_locale_t:dbus send_msg;
>allow xdm_t systemd_logind_var_run_t:dir read;
>allow xdm_t systemd_logind_var_run_t:fifo_file write;
>allow xdm_t systemd_machined_var_run_t:dir read;
>allow xdm_t systemd_sessions_var_run_t:dir { open read };
>allow xdm_t systemd_sessions_var_run_t:file { getattr open read };
>allow xdm_t udev_var_run_t:file { getattr open read };
>
>#!!!! This avc can be allowed using the boolean
>'allow_polyinstantiation'
>allow xdm_t user_home_dir_t:dir create;
>allow xdm_t user_home_dir_t:file { append create open read setattr
>write };
>allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read
>};
>allow xdm_t xdm_tmp_t:file execute;
>allow xdm_t xkb_var_lib_t:dir search;
>allow xdm_t xkb_var_lib_t:file { getattr open read };
>
>#============= xserver_t ==============
>allow xserver_t self:capability sys_ptrace;
>allow xserver_t staff_t:file { open read };
>allow xserver_t staff_t:lnk_file read;
>allow xserver_t xdm_t:file { open read };
>allow xserver_t xdm_t:lnk_file read;
>
>
>Thanks,
>Dave Syugar
>dsugar at tresys.com
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy