From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 08 Nov 2017 15:28:51 +0100 Subject: [refpolicy] Refpolicy and gdm/gnome? In-Reply-To: References: Message-ID: <576658E8-55F3-4F22-A1A1-D858B558EA9D@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello! I am running gnome-shell (wm module) with both the original xdm from Xorg and with gdm from Gnome but *without systemd* and I have not been experiencing problems since a long time ago, when I submitted patches for the wm module. Why don't you start trying out X without systemd and with the simpler xdm? In my opinion systemd just adds unneeded complexity and requires non-trivial security permissions! Regards, Guido Il 08 novembre 2017 04:04:15 CET, David Sugar via refpolicy ha scritto: >I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy and >trying to start GDM/Gnome. While in permissive I'm seeing a bunch of >denials related to xdm_t (enforcing the greeter never starts). I'm >happy to go through and fix these things to get stuff working. I just >want to make sure that before I begin adding additional rules to allow >the items I'm seeing that I'm not just missing something (a boolean set >incorrectly or a missing module or something else?). I was kind of >assuming that this would just work but maybe that isn't the case. > >Here are the denials I'm seeing. Any thoughts? > >#============= colord_t ============== >allow colord_t systemd_sessions_var_run_t:file { getattr open read }; >allow colord_t xdm_t:dir search; >allow colord_t xdm_t:file { getattr open read }; > >#============= init_t ============== >allow init_t xdm_t:dbus send_msg; > >#============= initrc_t ============== >allow initrc_t xdm_t:dbus send_msg; >allow initrc_t xdm_t:process getsched; > >#============= systemd_locale_t ============== >allow systemd_locale_t xdm_t:dbus send_msg; > >#============= systemd_logind_t ============== >allow systemd_logind_t crond_t:dbus send_msg; >allow systemd_logind_t crond_t:dir search; >allow systemd_logind_t crond_t:file { getattr open read }; >allow systemd_logind_t init_t:service stop; >allow systemd_logind_t init_var_run_t:service { start status }; >allow systemd_logind_t tmpfs_t:dir { remove_name write }; > >#!!!! The file '/run/user/42' is mislabeled on your system. >#!!!! Fix with $ restorecon -R -v /run/user/42 >allow systemd_logind_t user_runtime_root_t:dir mounton; >allow systemd_logind_t user_tmpfs_t:dir { remove_name rmdir write }; >allow systemd_logind_t user_tmpfs_t:file unlink; >allow systemd_logind_t xdm_tmpfs_t:dir { getattr open read remove_name >rmdir write }; >allow systemd_logind_t xdm_tmpfs_t:file unlink; >allow systemd_logind_t xdm_tmpfs_t:sock_file unlink; > >#============= systemd_sessions_t ============== > >#!!!! The file '/run/systemd/journal/socket' is mislabeled on your >system. >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket >allow systemd_sessions_t kernel_t:unix_dgram_socket sendto; > >#============= xdm_t ============== >allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read }; >allow xdm_t init_t:dbus send_msg; >allow xdm_t init_t:system status; >allow xdm_t initrc_t:dbus send_msg; > >#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your >system. >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout >allow xdm_t kernel_t:unix_stream_socket connectto; >allow xdm_t self:capability net_admin; >allow xdm_t self:netlink_kobject_uevent_socket { bind create getattr >read setopt }; >allow xdm_t self:netlink_selinux_socket { bind create }; >allow xdm_t self:process setcap; >allow xdm_t sound_device_t:chr_file { ioctl open read write }; >allow xdm_t staff_t:key { link search write }; >allow xdm_t sysctl_crypto_t:dir search; >allow xdm_t sysctl_crypto_t:file { getattr open read }; >allow xdm_t sysctl_vm_overcommit_t:file { open read }; >allow xdm_t sysctl_vm_t:dir search; >allow xdm_t systemd_locale_t:dbus send_msg; >allow xdm_t systemd_logind_var_run_t:dir read; >allow xdm_t systemd_logind_var_run_t:fifo_file write; >allow xdm_t systemd_machined_var_run_t:dir read; >allow xdm_t systemd_sessions_var_run_t:dir { open read }; >allow xdm_t systemd_sessions_var_run_t:file { getattr open read }; >allow xdm_t udev_var_run_t:file { getattr open read }; > >#!!!! This avc can be allowed using the boolean >'allow_polyinstantiation' >allow xdm_t user_home_dir_t:dir create; >allow xdm_t user_home_dir_t:file { append create open read setattr >write }; >allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open read >}; >allow xdm_t xdm_tmp_t:file execute; >allow xdm_t xkb_var_lib_t:dir search; >allow xdm_t xkb_var_lib_t:file { getattr open read }; > >#============= xserver_t ============== >allow xserver_t self:capability sys_ptrace; >allow xserver_t staff_t:file { open read }; >allow xserver_t staff_t:lnk_file read; >allow xserver_t xdm_t:file { open read }; >allow xserver_t xdm_t:lnk_file read; > > >Thanks, >Dave Syugar >dsugar at tresys.com >_______________________________________________ >refpolicy mailing list >refpolicy at oss.tresys.com >http://oss.tresys.com/mailman/listinfo/refpolicy