* [refpolicy] sddm policy help needed
@ 2017-01-02 12:38 cgzones
  2017-01-02 12:54 ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: cgzones @ 2017-01-02 12:38 UTC (permalink / raw)
  To: refpolicy

Hi list,
I am trying to write a policy module for sddm (Simple Desktop Display Manager).
Currently with the patches over here
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
I am able to log in to the correct user contexts and the sddm
processes have proper contexts:

root@desktopdebian:~# ps -efZ | grep sddm
system_u:system_r:sddm_t:s0     root      4232     1  0 13:09 ?        00:00:00 /usr/bin/sddm
system_u:system_r:xserver_t:s0  root      4235  4232  1 13:09 tty7     00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
system_u:system_r:sddm_helper_t:s0 root   4250  4232  0 13:09 ?        00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
system_u:system_r:sddm_greeter_t:s0 sddm  4255  4250  1 13:09 ?        00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
system_u:system_r:sddm_greeter_t:s0 sddm  4267     1  0 13:09 ?        00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
system_u:system_r:sddm_dbusd_t:s0 sddm    4268     1  0 13:09 ?        00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300  0 13:10 tty2     00:00:00 grep sddm

The problem is the sddm-greeter (sddm_greeter_t) process:
This process is responsible for the graphic login window and is
started by sddm-helper (sddm_helper_t).
But it is not created via fork->exec->setuid/setgid (which can be
handled by an SELinux process transition), instead it is spawned via
pam_start (at least I think so).
So the process gets its context via pam authentication and the SELinux
user login mapping gets involved.
That's the reason for this default_contexts entry:

system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
unconfined_r:unconfined_t system_r:sddm_greeter_t

sddm-helper is also spawning the user processes, so I only get the
correct sddm-greeter context with the system_r target
(user_r:sddm_greeter_t would collide with the target context
user_r:user_t needed for user login).
To reach the system_r:sddm_greeter_t target, I need to add the SELinux
login mapping for the user sddm by hand:
semanage login -a -s system_u sddm
That's quite cumbersome and leads to the next problem:
The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display
Manager:/var/lib/sddm:/bin/false
and so genhomedircon creates home dir contexts for sddm, and I must not
relabel the directory /var/lib/sddm or any parent directory with the
recursive flag:

root@desktopdebian:~# matchpathcon /var/lib/sddm
/var/lib/sddm   system_u:object_r:user_home_dir_t:s0

Am I missing something or can these problems be fixed by reworking my
patches or are upstream patches needed (sddm / SELinux userland)?

Best regards and many thanks in advance,
      Christian Göttsche

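The default_contexts lookup this post relies on, as an added example that is not part of the thread and not code from sddm, refpolicy or libselinux: a small Python model of the first-match rule a PAM login program applies when it consults default_contexts. The seusers table and the per-user role sets are constructed for illustration; the model also leaves out the policy validation and MLS handling that real libselinux performs. It goes one step beyond the post by showing what a user_r:sddm_greeter_t candidate placed ahead of user_r:user_t would do to ordinary user_u logins.

```python
"""Simplified model of how a PAM login program picks the session context.

Added example for this thread, not code from sddm, refpolicy or libselinux.
For the calling process's role:type it walks the default_contexts candidates
left to right and takes the first one whose role the user's SELinux identity
may assume. Real libselinux also validates the full context against the
loaded policy and handles MLS levels; both are left out here.
"""

# Constructed seusers table (the mapping `semanage login` maintains);
# __default__ is the fallback for Linux users without an explicit entry.
SEUSERS = {
    "__default__": "user_u",
    "christian": "staff_u",
    "root": "root",
}

# Constructed role authorisations per SELinux user (policy `user` statements).
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r", "unconfined_r"},
    "system_u": {"system_r"},
}

# The default_contexts line quoted in the thread.
DEFAULT_CONTEXTS = (
    "system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t "
    "unconfined_r:unconfined_t system_r:sddm_greeter_t\n"
)

# Constructed variant that lists a user_r greeter candidate first, to show
# why that choice collides with ordinary user logins.
COLLIDING_CONTEXTS = (
    "system_r:sddm_helper_t user_r:sddm_greeter_t user_r:user_t "
    "staff_r:staff_t system_r:sddm_greeter_t\n"
)


def parse_default_contexts(text):
    """Map 'from_role:from_type' -> ordered list of 'role:type' candidates."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def select_context(linux_user, caller, table, seusers=SEUSERS, user_roles=USER_ROLES):
    """Return 'seuser:role:type' for linux_user spawned by `caller`, or None."""
    seuser = seusers.get(linux_user, seusers["__default__"])
    allowed = user_roles.get(seuser, set())
    for candidate in table.get(caller, []):
        role = candidate.split(":", 1)[0]
        if role in allowed:
            return f"{seuser}:{candidate}"
    return None  # no usable candidate: the login program cannot pick a context


if __name__ == "__main__":
    helper = "system_r:sddm_helper_t"
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    # The greeter user is unmapped, so it falls back to user_u and lands in user_t.
    print("sddm, default mapping   :", select_context("sddm", helper, table))
    # After `semanage login -a -s system_u sddm` only system_r is allowed,
    # so the first matching candidate is the greeter domain.
    mapped = dict(SEUSERS, sddm="system_u")
    print("sddm, mapped to system_u:", select_context("sddm", helper, table, mapped))
    print("christian (staff_u)     :", select_context("christian", helper, table))
    # With user_r:sddm_greeter_t listed first, every user_u login would
    # start in the greeter domain instead of user_t.
    bad = parse_default_contexts(COLLIDING_CONTEXTS)
    print("alice, colliding table  :", select_context("alice", helper, bad))
```

The `mapped` table stands in for the `semanage login -a -s system_u sddm` step from the post: it is the only change between the first two calls, and it is what moves the greeter from user_u:user_r:user_t to system_u:system_r:sddm_greeter_t under a first-match lookup.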

* [refpolicy] sddm policy help needed
  2017-01-02 12:38 [refpolicy] sddm policy help needed cgzones
@ 2017-01-02 12:54 ` Dominick Grift
  2017-01-02 20:30   ` cgzones
  0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2017-01-02 12:54 UTC (permalink / raw)
  To: refpolicy

On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
> Hi list,
> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
> Currently with the patches over here
> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
> I am able to log in to the correct user contexts and the sddm
> processes have proper contexts:
> 
> root@desktopdebian:~# ps -efZ | grep sddm
> system_u:system_r:sddm_t:s0     root      4232     1  0 13:09 ?        00:00:00 /usr/bin/sddm
> system_u:system_r:xserver_t:s0  root      4235  4232  1 13:09 tty7     00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
> system_u:system_r:sddm_helper_t:s0 root   4250  4232  0 13:09 ?        00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
> system_u:system_r:sddm_greeter_t:s0 sddm  4255  4250  1 13:09 ?        00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
> system_u:system_r:sddm_greeter_t:s0 sddm  4267     1  0 13:09 ?        00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
> system_u:system_r:sddm_dbusd_t:s0 sddm    4268     1  0 13:09 ?        00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300  0 13:10 tty2     00:00:00 grep sddm
> 
> The problem is the sddm-greeter (sddm_greeter_t) process:
> This process is responsible for the graphic login window and is
> started by sddm-helper (sddm_helper_t).
> But it is not created via fork->exec->setuid/setgid (which can be
> handled by an SELinux process transition), instead it is spawned via
> pam_start (at least I think so).
> So the process gets its context via pam authentication and the SELinux
> user login mapping gets involved.
> That's the reason for this default_contexts entry:
> 
> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
> unconfined_r:unconfined_t system_r:sddm_greeter_t

I would probably try transitioning to $1_sddm_t

Example:

system_r:sddm_helper_t user_r:user_sddm_t

Then from there see where this gets me

If sddm_helper_t is what sets up the login user's context, then you have
to transition to a domain that can be used to transition to a login
shell domain (hence the prefix in user_sddm_t).

That should provide some flexibility.



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] sddm policy help needed
  2017-01-02 12:54 ` Dominick Grift
@ 2017-01-02 20:30   ` cgzones
  2017-01-02 20:47     ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: cgzones @ 2017-01-02 20:30 UTC (permalink / raw)
  To: refpolicy

The problem is how to transition into the desired destination contexts:
With the user context
system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
I get the following for the sddm-greeter process

type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0

and for a normal user login

type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0

How do I transition the context in the first case into sddm_greeter_t
and in the second case into user_t?


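The entrypoint denials in this message, triaged by an added Python example (not code from the thread, sddm or refpolicy). It parses audit AVC records, groups the entrypoint denials by source domain and target file type, and for each pair emits the reason the execve was refused together with the setools sesearch query that confirms the missing allow rule. The sample records are the four AVC lines from this message re-joined onto single lines, plus one constructed non-AVC record to show that other audit types are skipped.

```python
"""Triage 'entrypoint' AVC denials like the ones in this thread.

Added example, not code from the thread, sddm or refpolicy. The scontext in
an entrypoint denial is the domain that was requested for the new image (set
by pam_selinux / setexeccon), not the domain the caller is currently in, so
grouping by (scontext type, tcontext type) shows exactly which allow rule the
policy lacks.
"""
import re
from collections import defaultdict

# The four AVC records from this message, re-joined onto one line each, plus
# one constructed non-AVC record.
SAMPLE_AVC = [
    'type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0',
    'type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields (plus stype/ttype), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; the type is what the allow rule keys on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def entrypoint_denials(lines):
    """Group entrypoint denials on files as {(source type, target type): [paths]}."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and "entrypoint" in rec["perms"] and rec.get("tclass") == "file":
            grouped[(rec["stype"], rec["ttype"])].add(rec.get("path", "?"))
    return {pair: sorted(paths) for pair, paths in grouped.items()}


def explain(grouped):
    """One diagnosis per (source, target) pair, with the confirming sesearch query."""
    lines = []
    for (src, tgt), paths in sorted(grouped.items()):
        lines.append(
            f"{src} was requested as the exec context but policy has no "
            f"'allow {src} {tgt}:file entrypoint', so execve of {', '.join(paths)} "
            f"is refused; confirm with: sesearch --allow -s {src} -t {tgt} -c file -p entrypoint"
        )
    return lines


if __name__ == "__main__":
    for line in explain(entrypoint_denials(SAMPLE_AVC)):
        print(line)
```

Run against the records above it reports four pairs, all with user_sddm_t as the requested domain: the greeter binary, kwalletd5 (bin_t), the shell and the Xsession script each lack an entrypoint rule for that domain, which is the question the message asks in policy terms.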

* [refpolicy] sddm policy help needed
  2017-01-02 20:30   ` cgzones
@ 2017-01-02 20:47     ` Dominick Grift
  2017-01-02 21:13       ` cgzones
  0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2017-01-02 20:47 UTC (permalink / raw)
  To: refpolicy

On 01/02/2017 09:30 PM, cgzones wrote:
> The problem is how to transition into the desired destination contexts:
> With the user context
> system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
> I get the following for the sddm-greeter process
> 
> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
> 
> and for a normal user login
> 
> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
> ----
> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
> ----
> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
> 
> How do I transition the context in the first case into sddm_greeter_t
> and in the second case into user_t?

Hard to tell... could be an issue with your pam configuration.
How many sddm pam configuration files are there in /etc/pam.d?
Which one of those has pam_selinux entries?



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] sddm policy help needed
  2017-01-02 20:47     ` Dominick Grift
@ 2017-01-02 21:13       ` cgzones
  2017-01-02 21:25         ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: cgzones @ 2017-01-02 21:13 UTC (permalink / raw)
  To: refpolicy

My experience with pam authentication is very limited.
These three files are present:

root@desktopdebian:~# cat /etc/pam.d/sddm
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
session required        pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale



root at desktopdebian:~# cat /etc/pam.d/sddm-autologin
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_permit.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
session required        pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale



root at desktopdebian:~# cat /etc/pam.d/sddm-greeter
#%PAM-1.0

auth    required        pam_permit.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
session required        pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale

2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
> On 01/02/2017 09:30 PM, cgzones wrote:
>> The problem is how to transition into the desired destination contexts:
>> With the user context
>> system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
>> I get the follow up for the sddm-greeter process
>>
>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) :
>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>> /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start
>> /usr/bin/s
>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0
>> name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755
>> ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:sddm_greeter_exec_t:s0 nametyp
>> e=NORMAL
>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64
>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0
>> a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sdd
>> m uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm
>> fsgid=sddm tty=(none) ses=9 comm=sddm-helper
>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>> subj=system_u:system_r:sddm_helper_t:s0 k
>> ey=(null)
>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  {
>> entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter
>> dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext
>> =system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>
>> and for a normal user login
>>
>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) :
>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>> /usr/bin/s
>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0
>> name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755
>> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
>> nametype=NORMAL
>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64
>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620
>> a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid
>> =christian uid=christian gid=christian euid=christian suid=christian
>> fsuid=christian egid=christian sgid=christian fsgid=christian
>> tty=(none) ses=5 comm=sddm-helper
>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm
>> -helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  {
>> entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5
>> dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0
>> tcontext=sy
>> stem_u:object_r:bin_t:s0 tclass=file permissive=0
>> ----
>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) :
>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>> /usr/bin/s
>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh
>> inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64
>> syscall=execve success=no exit=EACCES(Permission denied)
>> a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0
>> items=1 ppid=162
>> 7 pid=1628 auid=christian uid=christian gid=christian euid=christian
>> suid=christian fsuid=christian egid=christian sgid=christian
>> fsgid=christian tty=(none) ses=5 comm=sddm-helper
>> exe=/usr/lib/x86_64-linu
>> x-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  {
>> entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0"
>> ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:ob
>> ject_r:shell_exec_t:s0 tclass=file permissive=0
>> ----
>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) :
>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>> /usr/bin/s
>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0
>> name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755
>> ouid=root ogid=root rdev=00:00
>> obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=
>> NORMAL
>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64
>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60
>> a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=chr
>> istian uid=christian gid=christian euid=christian suid=christian
>> fsuid=christian egid=christian sgid=christian fsgid=christian
>> tty=(none) ses=5 comm=sddm-helper
>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-hel
>> per subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  {
>> entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession
>> dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0
>> tcontext=sy
>> stem_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>
>> How do I transition the context in the first case into sddm_greeter_t
>> and in the second case into user_t?
>
> Hard to tell... could be an issue with your pam configuration
> How many sddm pam configuration files are there in /etc/pam.d?
> Which one of those have pam_selinux entries?
>
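The entrypoint denials quoted above, run through an added triage helper (example code, not from the thread or from any SELinux tool): it parses the AVC records, keeps only entrypoint denials and separates the one on the Xsession script from those on other files (kwalletd5, the shell, the greeter), which is where the thread's answer expects a pam_selinux open call running for the wrong pam service to show up. The set of session-script file types is an assumption for the example.

```python
"""Triage of the `entrypoint` AVC denials posted in this thread.

Added example, not code from the thread or from any SELinux tool.  It parses
the audit AVC records that sddm-helper produced, keeps the entrypoint denials
and groups them by the file that the freshly set login context was refused
to enter.  Per the thread, only the Xsession script is meant to be a session
entrypoint, so denials on any other file point at a pam_selinux open call
that runs for a pam service which then executes something else.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed from the AVC lines posted in the thread, one record per line.
SAMPLE_AVC = """\
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
"""

# 'avc:  denied  { entrypoint } for  pid=... key=value ...'
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# File types a login session is meant to enter through.  Assumption for the
# example, following the thread: only the Xsession script.
SESSION_SCRIPT_TYPES = {"sddm_xsession_exec_t"}


def parse_avc(line: str) -> dict | None:
    """Turn one AVC audit record into a dict; None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: dict = {"result": m["result"], "perms": set(m["perms"].split())}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(m["fields"]))
    return rec


def type_of(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def entrypoint_denials(text: str) -> list[dict]:
    """Entrypoint denials on files as {path, sdomain, ttype, pid}, in order."""
    found = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and "entrypoint" in rec["perms"]
                and rec.get("tclass") == "file"):
            found.append({
                "path": rec["path"],
                "sdomain": type_of(rec["scontext"]),
                "ttype": type_of(rec["tcontext"]),
                "pid": int(rec["pid"]),
            })
    return found


def triage(text: str) -> dict[str, list[str]]:
    """Bucket denials: 'session_script' means the new domain simply lacks an
    entrypoint rule for Xsession (a policy gap); 'other' means pam_selinux
    set the login context for a service that goes on to exec something else."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for d in entrypoint_denials(text):
        kind = "session_script" if d["ttype"] in SESSION_SCRIPT_TYPES else "other"
        buckets[kind].append(f'{d["path"]} ({d["ttype"]}) refused to {d["sdomain"]}')
    return dict(buckets)


if __name__ == "__main__":
    for kind, lines in triage(SAMPLE_AVC).items():
        print(f"{kind}:")
        for entry in lines:
            print("  ", entry)
```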

* [refpolicy] sddm policy help needed
  2017-01-02 21:13       ` cgzones
@ 2017-01-02 21:25         ` Dominick Grift
  2017-01-03 14:20           ` cgzones
  0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2017-01-02 21:25 UTC (permalink / raw)
  To: refpolicy

On 01/02/2017 10:13 PM, cgzones wrote:
> My experience with pam authentication is very limited.
> These three files are present:

Looks like a pam misconfiguration. However, since I am not familiar with
sddm, it's hard to tell what exactly the issue is.

I would encourage you to play with these configuration files (make
backups though).

You seem to have three instances where pam_selinux is used. Ideally you
should be able to get rid of two of the three.

I think the only valid manual transition is on the xsessions executable
file. The others (kwallet and greeter) probably shouldn't be used.

I would try commenting out the pam_selinux entries (one at a time),
then test to see which entrypoint avc denials you get. Like I said, I
suspect that the only entrypoint should be on xsessions, so see if you
can make that happen by playing with the pam_selinux entries in the
files below.

> 
> root at desktopdebian:~# cat /etc/pam.d/sddm
> #%PAM-1.0
> 
> # Block login if they are globally disabled
> auth    requisite       pam_nologin.so
> auth    required        pam_succeed_if.so user != root quiet_success
> 
> # auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
> @include common-auth
> # gnome_keyring breaks QProcess
> -auth   optional        pam_gnome_keyring.so
> -auth   optional        pam_kwallet5.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> -session optional       pam_gnome_keyring.so auto_start
> -session optional       pam_kwallet5.so auto_start
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 
> 
> 
> root at desktopdebian:~# cat /etc/pam.d/sddm-autologin
> #%PAM-1.0
> 
> # Block login if they are globally disabled
> auth    requisite       pam_nologin.so
> auth    required        pam_permit.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 
> 
> 
> root at desktopdebian:~# cat /etc/pam.d/sddm-greeter
> #%PAM-1.0
> 
> auth    required        pam_permit.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

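The default_contexts lookup the whole thread turns on, as an added example (not code from the thread, from libselinux or from cgzones' pam_selinux patch): a simplified model of how a login program turns the caller's context and the SELinux user into an ordered candidate list, and why taking the second entry instead of the first (the select_default_context=N option described in the next message) yields sddm_greeter_t for the greeter while a login user still gets user_t. The user-to-role and role-to-type tables and the extra local_login_t line are constructed for the example.

```python
"""Simplified model of the SELinux default_contexts lookup that pam_selinux
relies on when it sets a session's context.

Added example for this thread: it is not libselinux code and not cgzones'
pam_selinux patch, and the user-to-role / role-to-type tables are constructed.

Model:
  * default_contexts lines read "src_role:src_type cand_role:cand_type ...".
  * For a caller context and a SELinux user, the candidates on the matching
    line are filtered to those the user may hold (user -> roles, role ->
    types), keeping file order.  That ordered list is what a login program
    gets; pam_selinux normally takes the first entry.
  * select_default_context=N (1-based) picks the N-th entry instead.
"""
from __future__ import annotations

# The default_contexts entry posted in the thread (the working version) plus
# one constructed line to show that other callers do not match it.
DEFAULT_CONTEXTS = """\
# caller                 candidates, in order of preference
system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
"""

# Constructed stand-ins for what libselinux asks the loaded policy: which
# roles a SELinux user may take, and which types each role may run.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
}
ROLE_TYPES = {
    "user_r": {"user_t", "sddm_greeter_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
    "system_r": {"sddm_helper_t", "sddm_greeter_t"},
}

HELPER = "system_u:system_r:sddm_helper_t:s0"  # the process calling pam


def parse_default_contexts(text: str) -> dict[str, list[str]]:
    """Map the caller's 'role:type' to its ordered candidate list."""
    table: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        caller, *candidates = line.split()
        table.setdefault(caller, []).extend(candidates)
    return table


def ordered_context_list(table: dict[str, list[str]], caller_context: str,
                         seuser: str, level: str = "s0") -> list[str]:
    """Contexts `seuser` may get when `caller_context` logs it in, in file
    order (what get_ordered_context_list(3) returns, simplified)."""
    _, caller_role, caller_type, *_ = caller_context.split(":")
    roles = USER_ROLES.get(seuser, set())
    result = []
    for candidate in table.get(f"{caller_role}:{caller_type}", []):
        role, type_ = candidate.split(":")
        if role in roles and type_ in ROLE_TYPES.get(role, set()):
            result.append(f"{seuser}:{role}:{type_}:{level}")
    return result


def select_default_context(contexts: list[str], n: int = 1) -> str:
    """Pick the n-th (1-based) candidate, as select_default_context=N would.
    Fail loudly rather than silently falling back to some other context."""
    if n < 1 or n > len(contexts):
        raise LookupError(f"no candidate #{n}; only {len(contexts)} available")
    return contexts[n - 1]


def login_context(seuser: str, n: int = 1) -> str:
    """Context a session started by sddm-helper gets for `seuser`."""
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    return select_default_context(ordered_context_list(table, HELPER, seuser), n)


if __name__ == "__main__":
    # pam service "sddm": first candidate, the login user's domain
    print("user login    :", login_context("user_u"))
    # pam service "sddm-greeter" with select_default_context=2: greeter domain
    print("greeter       :", login_context("user_u", 2))
    # the earlier approach: map the sddm account to system_u instead
    print("greeter/sys_u :", login_context("system_u"))
    # caveat: N is positional, so the same option on a staff_u login would
    # land in sysadm_t; keep it confined to the greeter's own pam service
    print("staff_u, N=2  :", login_context("staff_u", 2))
```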

* [refpolicy] sddm policy help needed
  2017-01-02 21:25         ` Dominick Grift
@ 2017-01-03 14:20           ` cgzones
  2017-01-03 15:33             ` Dominick Grift
  0 siblings, 1 reply; 8+ messages in thread
From: cgzones @ 2017-01-03 14:20 UTC (permalink / raw)
  To: refpolicy

Thanks for your feedback!

I think it is finally working:

The updated default_contexts entry looks like:

system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t

pam_selinux got patched as attached and the sddm-greeter pam
configuration (/etc/pam.d/sddm-greeter) is set to

session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open select_default_context=2

How this works:
sddm-helper spawns the sddm-greeter with the pam service sddm-greeter.
There the select_default_context=2 option ensures that not the first
default context returned by SELinux is used, but in this case the
second one.
For a login with sddm as user_u, the first context is user_t and the
second one sddm_greeter_t.

The user processes are spawned by sddm-helper with the pam service
sddm, so there the first default context, user_t, is chosen.

2017-01-02 22:25 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
> On 01/02/2017 10:13 PM, cgzones wrote:
>> My experience with pam authentication is very limited.
>> These three files are present:
>
> Looks like a pam misconfiguration. However, since I am not familiar with
> sddm, it's hard to tell what exactly the issue is.
>
> I would encourage you to play with these configuration files (make
> backups though).
>
> You seem to have three instances where pam_selinux is used. Ideally you
> should be able to get rid of two of the three.
>
> I think the only valid manual transition is on the xsessions executable
> file. The others (kwallet and greeter) probably shouldn't be used.
>
> I would try commenting out the pam_selinux entries (one at a time),
> then test to see which entrypoint avc denials you get. Like I said, I
> suspect that the only entrypoint should be on xsessions, so see if you
> can make that happen by playing with the pam_selinux entries in the
> files below.
>
>>
>> root at desktopdebian:~# cat /etc/pam.d/sddm
>> #%PAM-1.0
>>
>> # Block login if they are globally disabled
>> auth    requisite       pam_nologin.so
>> auth    required        pam_succeed_if.so user != root quiet_success
>>
>> # auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
>> @include common-auth
>> # gnome_keyring breaks QProcess
>> -auth   optional        pam_gnome_keyring.so
>> -auth   optional        pam_kwallet5.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule.  This ensures that any
>> # lingering context has been cleared.  Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so close
>> # Create a new session keyring.
>> session optional        pam_keyinit.so force revoke
>> session required        pam_limits.so
>> session required        pam_loginuid.so
>> session required        pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context.  Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so open
>> -session optional       pam_gnome_keyring.so auto_start
>> -session optional       pam_kwallet5.so auto_start
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required        pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required        pam_env.so envfile=/etc/default/locale
>>
>>
>>
>> root at desktopdebian:~# cat /etc/pam.d/sddm-autologin
>> #%PAM-1.0
>>
>> # Block login if they are globally disabled
>> auth    requisite       pam_nologin.so
>> auth    required        pam_permit.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule.  This ensures that any
>> # lingering context has been cleared.  Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so close
>> # Create a new session keyring.
>> session optional        pam_keyinit.so force revoke
>> session required        pam_limits.so
>> session required        pam_loginuid.so
>> session required        pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context.  Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so open
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required        pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required        pam_env.so envfile=/etc/default/locale
>>
>>
>>
>> root at desktopdebian:~# cat /etc/pam.d/sddm-greeter
>> #%PAM-1.0
>>
>> auth    required        pam_permit.so
>>
>> @include common-account
>>
>> # SELinux needs to be the first session rule.  This ensures that any
>> # lingering context has been cleared.  Without this it is possible that a
>> # module could execute code in the wrong domain.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so close
>> # Create a new session keyring.
>> session optional        pam_keyinit.so force revoke
>> session required        pam_limits.so
>> session required        pam_loginuid.so
>> session required        pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context.  Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>> pam_selinux.so open
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required        pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required        pam_env.so envfile=/etc/default/locale
>>
>> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>> The problem is how to transition into the desired destination contexts:
>>>> With the user context
>>>> system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
>>>> I get the follow up for the sddm-greeter process
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) :
>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>> /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start
>>>> /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0
>>>> name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755
>>>> ouid=root ogid=root rdev=00:00
>>>> obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64
>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0
>>>> a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347
>>>> auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm
>>>> fsgid=sddm tty=(none) ses=9 comm=sddm-helper
>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>>>> subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  {
>>>> entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter
>>>> dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0
>>>> tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>
>>>> and for a normal user login
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) :
>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>> /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0
>>>> name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755
>>>> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
>>>> nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64
>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620
>>>> a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626
>>>> auid=christian uid=christian gid=christian euid=christian suid=christian
>>>> fsuid=christian egid=christian sgid=christian fsgid=christian
>>>> tty=(none) ses=5 comm=sddm-helper
>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>>>> subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  {
>>>> entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5
>>>> dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0
>>>> tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) :
>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>> /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh
>>>> inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00
>>>> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64
>>>> syscall=execve success=no exit=EACCES(Permission denied)
>>>> a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0
>>>> items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian
>>>> euid=christian suid=christian fsuid=christian egid=christian sgid=christian
>>>> fsgid=christian tty=(none) ses=5 comm=sddm-helper
>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>>>> subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  {
>>>> entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0"
>>>> ino=4064745 scontext=user_u:user_r:user_sddm_t:s0
>>>> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) :
>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>> /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0
>>>> name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755
>>>> ouid=root ogid=root rdev=00:00
>>>> obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64
>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60
>>>> a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627
>>>> auid=christian uid=christian gid=christian euid=christian suid=christian
>>>> fsuid=christian egid=christian sgid=christian fsgid=christian
>>>> tty=(none) ses=5 comm=sddm-helper
>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>>>> subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  {
>>>> entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession
>>>> dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0
>>>> tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>
>>>> How do I transition the context in the first case into sddm_greeter_t
>>>> and in the second case into user_t?
>>>
>>> Hard to tell... could be an issue with your pam configuration
>>> How many sddm pam configuration files are there in /etc/pam.d?
>>> Which one of those have pam_selinux entries?
>>>
>>>>
>>>>
>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>>> <refpolicy@oss.tresys.com>:
>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>> Hi list,
>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>> Currently with the patches over here
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>> processes have proper contexts:
>>>>>>
>>>>>> root at desktopdebian:~# ps -efZ | grep sddm
>>>>>> system_u:system_r:sddm_t:s0     root      4232     1  0 13:09 ?
>>>>>> 00:00:00 /usr/bin/sddm
>>>>>> system_u:system_r:xserver_t:s0  root      4235  4232  1 13:09 tty7
>>>>>> 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth
>>>>>> /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none
>>>>>> -noreset -displayfd 18 vt7
>>>>>> system_u:system_r:sddm_helper_t:s0 root   4250  4232  0 13:09 ?
>>>>>> 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>>> /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start
>>>>>> /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme
>>>>>> /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4255  4250  1 13:09 ?
>>>>>> 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme
>>>>>> /usr/share/sddm/themes/breeze
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4267     1  0 13:09 ?
>>>>>> 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040
>>>>>> --binary-syntax --close-stderr
>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm    4268     1  0 13:09 ?
>>>>>> 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7
>>>>>> --session
>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300  0 13:10 tty2
>>>>>> 00:00:00 grep sddm
>>>>>>
>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>> This process is responsible for the graphic login window and is
>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>> pam_start (at least I think so).
>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>> user login mapping gets involved.
>>>>>> That's the reason for this default_contexts entry:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
>>>>>> unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>
>>>>> I would probably try transitioning to $1_sddm_t
>>>>>
>>>>> Example:
>>>>>
>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>
>>>>> Then from there see where this gets me
>>>>>
>>>>> If sddm_helper_t is what sets up the login users context, then you have
>>>>> to transition to a domain that can be used to transition to a login
>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>
>>>>> That should provide some flexibility.
>>>>>
>>>>>>
>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>> correct sddm-greeter context with the system_r target
>>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>>> user_r:user_t needed for the user login).
>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>> login mapping for the user sddm by hand:
>>>>>> semanage login -a -s system_u sddm
>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display
>>>>>> Manager:/var/lib/sddm:/bin/false
>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>> recursive flag
>>>>>>
>>>>>> root at desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>> /var/lib/sddm   system_u:object_r:user_home_dir_t:s0
>>>>>>
>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>
>>>>>> Best regards and many thanks in advance,
>>>>>>       Christian Göttsche
>>>>>> _______________________________________________
>>>>>> refpolicy mailing list
>>>>>> refpolicy at oss.tresys.com
>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>> Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pam-fix.patch
Type: text/x-patch
Size: 4734 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170103/4995335f/attachment.bin 

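The selection described in "How this works", as an added example (not code from the thread, pam_selinux or libselinux): a Python model of the ordered default-context list that pam_selinux walks, and of the select_default_context index from the patch. SEUSERS and REACHABLE are constructed stand-ins for the seusers mapping and for the set of role:type pairs each SELinux user may reach (what security_compute_user() would answer); it also shows why the original default_contexts line left user_u with no second entry.

```python
"""Model of how the patched pam_selinux picks the sddm-greeter context.

Added example, not code from the thread or from pam_selinux/libselinux.
The default_contexts line is matched on the role:type of the process that
opens the PAM session (sddm-helper); its partial contexts are kept in file
order and filtered to those the SELinux user may reach; pam_selinux with
select_default_context=N then takes entry N (1-based).
"""
from typing import Dict, List, Optional, Set

# The updated default_contexts line from the thread.
NEW_DEFAULT_CONTEXTS = (
    "system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t "
    "staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t "
    "system_r:sddm_greeter_t\n"
)

# The line from the first mail, where the greeter domain was only offered
# as system_r:sddm_greeter_t (hence the semanage login mapping to system_u).
OLD_DEFAULT_CONTEXTS = (
    "system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t "
    "unconfined_r:unconfined_t system_r:sddm_greeter_t\n"
)

# Constructed: role:type pairs each SELinux user may reach from
# sddm_helper_t. A real policy answers this via security_compute_user();
# these sets only mirror the thread's scenario.
REACHABLE: Dict[str, Set[str]] = {
    "user_u": {"user_r:user_t", "user_r:sddm_greeter_t"},
    "staff_u": {"staff_r:staff_t"},
    "system_u": {"system_r:sddm_greeter_t"},
}

# Constructed stand-in for the seusers mapping (semanage login -l). The
# sddm account has no entry, so it falls back to __default__ -> user_u.
SEUSERS: Dict[str, str] = {"christian": "staff_u", "__default__": "user_u"}

HELPER_CTX = "system_u:system_r:sddm_helper_t:s0"


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Map the caller's role:type to its ordered list of candidate role:type."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            table[fields[0]] = fields[1:]
    return table


def ordered_context_list(seuser: str, caller_ctx: str, default_contexts: str,
                         level: str = "s0") -> List[str]:
    """Candidates in file order, restricted to what seuser may reach."""
    _user, role, typ = caller_ctx.split(":")[:3]
    candidates = parse_default_contexts(default_contexts).get(f"{role}:{typ}", [])
    reachable = REACHABLE.get(seuser, set())
    return [f"{seuser}:{c}:{level}" for c in candidates if c in reachable]


def select_default_context(login: str, index: int = 1,
                           default_contexts: str = NEW_DEFAULT_CONTEXTS) -> Optional[str]:
    """Return entry `index` (1-based) as the patched pam_selinux would.

    None means there is no such entry; stock pam_selinux (index 1) would then
    fail to obtain a valid context. Note that the index counts entries after
    filtering, so any policy or default_contexts change that adds a reachable
    type earlier in the line silently changes what entry 2 denotes: that is
    the fragility behind calling this an ugly hack.
    """
    seuser = SEUSERS.get(login, SEUSERS["__default__"])
    ctxs = ordered_context_list(seuser, HELPER_CTX, default_contexts)
    return ctxs[index - 1] if 1 <= index <= len(ctxs) else None


if __name__ == "__main__":
    # pam service sddm-greeter (select_default_context=2): greeter domain
    print("greeter  :", select_default_context("sddm", index=2))
    # pam service sddm (plain pam_selinux open): first entry, the login shell domain
    print("sddm     :", select_default_context("sddm"))
    print("christian:", select_default_context("christian"))
    # with the original line user_u has only user_t, so entry 2 does not exist
    print("old line :", select_default_context("sddm", index=2,
                                               default_contexts=OLD_DEFAULT_CONTEXTS))
```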

* [refpolicy] sddm policy help needed
  2017-01-03 14:20           ` cgzones
@ 2017-01-03 15:33             ` Dominick Grift
  0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2017-01-03 15:33 UTC (permalink / raw)
  To: refpolicy

On 01/03/2017 03:20 PM, cgzones wrote:
> Thanks for your feedback!
> 
> I think it is finally working:
> 
> The updated default_context looks like:
> 
> system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t
> staff_r:staff_t sysadm_r:sysadm_t
> unconfined_r:unconfined_t system_r:sddm_greeter_t
> 
> pam_selinux got patched like attached and the sddm-greeter pam
> configuration is set to (/etc/pam.d/sddm-greeter)
> 
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open select_default_context=2
> 
> How this works:
> sddm-helper spawns the sddm-greeter with the pam service sddm-greeter.
> There the select_default_context=2 statement ensures that not the
> first default context returned from SELinux is used but in this case
> the second one.
> The first context is in this case for a login with sddm as user_u
> user_t, the second one sddm_greeter_t.
> 
> The user processes are spawned by sddm-helper with the pam service
> sddm, so over there the default first context user_t is chosen.
> 

That's a nice but ugly hack. Glad you got it "working"

> 2017-01-02 22:25 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>> On 01/02/2017 10:13 PM, cgzones wrote:
>>> My experience with pam authentification is very limited.
>>> These three files are present:
>>
>> Looks like a pam misconfiguration. However since i am not familiar with
>> sddm, its hard to tell what exactly the issue is.
>>
>> I would encourage you to play with these configurations files (make
>> backups though)
>>
>> You seem to have three instances where pam_selinux is used. Ideally you
>> should be able to get rid of two of the three
>>
>> I think the only valid manual transition is on the xsessions executable
>> file. The others (kwallet and greeter) probably shouldnt be used
>>
>> I would try commenting out the pam_selinux entries (one at the time)
>> then test to see which antrpoint avc denials you get. Like i said, i
>> suspect that the only entrypoint should be on xsessions, so see if you
>> can make that happen by playing with the pam_selinux entries in the
>> files below
>>
>>>
>>> root at desktopdebian:~# cat /etc/pam.d/sddm
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth    requisite       pam_nologin.so
>>> auth    required        pam_succeed_if.so user != root quiet_success
>>>
>>> # auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
>>> @include common-auth
>>> # gnome_keyring breaks QProcess
>>> -auth   optional        pam_gnome_keyring.so
>>> -auth   optional        pam_kwallet5.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule.  This ensures that any
>>> # lingering context has been cleared.  Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional        pam_keyinit.so force revoke
>>> session required        pam_limits.so
>>> session required        pam_loginuid.so
>>> session required        pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context.  Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so open
>>> -session optional       pam_gnome_keyring.so auto_start
>>> -session optional       pam_kwallet5.so auto_start
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to
>>> other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required        pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required        pam_env.so envfile=/etc/default/locale
>>>
>>>
>>>
>>> root at desktopdebian:~# cat /etc/pam.d/sddm-autologin
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth    requisite       pam_nologin.so
>>> auth    required        pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule.  This ensures that any
>>> # lingering context has been cleared.  Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional        pam_keyinit.so force revoke
>>> session required        pam_limits.so
>>> session required        pam_loginuid.so
>>> session required        pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context.  Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to
>>> other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required        pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required        pam_env.so envfile=/etc/default/locale
>>>
>>>
>>>
>>> root at desktopdebian:~# cat /etc/pam.d/sddm-greeter
>>> #%PAM-1.0
>>>
>>> auth    required        pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule.  This ensures that any
>>> # lingering context has been cleared.  Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional        pam_keyinit.so force revoke
>>> session required        pam_limits.so
>>> session required        pam_loginuid.so
>>> session required        pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context.  Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad]
>>> pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to
>>> other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required        pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required        pam_env.so envfile=/etc/default/locale
>>>
>>> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>>> The problem is how to transition into the desired destination contexts:
>>>>> With the user context
>>>>> system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
>>>>> I get the follow up for the sddm-greeter process
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) :
>>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>> /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start
>>>>> /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0
>>>>> name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755
>>>>> ouid=root ogid=root rdev=00:00
>>>>> obj=system_u:object_r:sddm_greeter_exec_t:s0 nametyp
>>>>> e=NORMAL
>>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64
>>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0
>>>>> a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sdd
>>>>> m uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm
>>>>> fsgid=sddm tty=(none) ses=9 comm=sddm-helper
>>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper
>>>>> subj=system_u:system_r:sddm_helper_t:s0 k
>>>>> ey=(null)
>>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  {
>>>>> entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter
>>>>> dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext
>>>>> =system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> and for a normal user login
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) :
>>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>>> /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0
>>>>> name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755
>>>>> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0
>>>>> nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64
>>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620
>>>>> a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid
>>>>> =christian uid=christian gid=christian euid=christian suid=christian
>>>>> fsuid=christian egid=christian sgid=christian fsgid=christian
>>>>> tty=(none) ses=5 comm=sddm-helper
>>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm
>>>>> -helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  {
>>>>> entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5
>>>>> dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0
>>>>> tcontext=sy
>>>>> stem_u:object_r:bin_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) :
>>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>>> /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh
>>>>> inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00
>>>>> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64
>>>>> syscall=execve success=no exit=EACCES(Permission denied)
>>>>> a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0
>>>>> items=1 ppid=162
>>>>> 7 pid=1628 auid=christian uid=christian gid=christian euid=christian
>>>>> suid=christian fsuid=christian egid=christian sgid=christian
>>>>> fsgid=christian tty=(none) ses=5 comm=sddm-helper
>>>>> exe=/usr/lib/x86_64-linu
>>>>> x-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  {
>>>>> entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0"
>>>>> ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:ob
>>>>> ject_r:shell_exec_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) :
>>>>> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start
>>>>> /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0
>>>>> name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755
>>>>> ouid=root ogid=root rdev=00:00
>>>>> obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=
>>>>> NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64
>>>>> syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60
>>>>> a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=chr
>>>>> istian uid=christian gid=christian euid=christian suid=christian
>>>>> fsuid=christian egid=christian sgid=christian fsgid=christian
>>>>> tty=(none) ses=5 comm=sddm-helper
>>>>> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-hel
>>>>> per subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  {
>>>>> entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession
>>>>> dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0
>>>>> tcontext=sy
>>>>> stem_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> How do I transition the context in the first case into sddm_greeter_t
>>>>> and in the second case into user_t?
>>>>
>>>> Hard to tell... could be an issue with your pam configuration
>>>> How many sddm pam configuration files are there in /etc/pam.d?
>>>> Which one of those have pam_selinux entries?
>>>>
>>>>>
>>>>>
>>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>>>> <refpolicy@oss.tresys.com>:
>>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>>> Hi list,
>>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>>> Currently with the patches over here
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>>> processes have proper contexts:
>>>>>>>
>>>>>>> root at desktopdebian:~# ps -efZ | grep sddm
>>>>>>> system_u:system_r:sddm_t:s0     root      4232     1  0 13:09 ?
>>>>>>> 00:00:00 /usr/bin/sddm
>>>>>>> system_u:system_r:xserver_t:s0  root      4235  4232  1 13:09 tty7
>>>>>>> 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth
>>>>>>> /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none
>>>>>>> -noreset -displ
>>>>>>> ayfd 18 vt7
>>>>>>> system_u:system_r:sddm_helper_t:s0 root   4250  4232  0 13:09 ?
>>>>>>> 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket
>>>>>>> /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start
>>>>>>> /usr/b
>>>>>>> in/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme
>>>>>>> /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4255  4250  1 13:09 ?
>>>>>>> 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme
>>>>>>> /usr/share/sddm/themes/breeze
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4267     1  0 13:09 ?
>>>>>>> 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040
>>>>>>> --binary-syntax --close-stderr
>>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm    4268     1  0 13:09 ?
>>>>>>> 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7
>>>>>>> --session
>>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300  0 13:10 tty2
>>>>>>> 00:00:00 grep sddm
>>>>>>>
>>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>>> This process is responsible for the graphic login window and is
>>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>>> pam_start (at least I think so).
>>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>>> user login mapping gets involved.
>>>>>>> That's the reason for this default_contexts entry:
>>>>>>>
>>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
>>>>>>> unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>>
>>>>>> I would probably try transitioning to $1_sddm_t
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>>
>>>>>> Then from there see where this gets me
>>>>>>
>>>>>> If sddm_helper_t is what sets up the login users context, then you have
>>>>>> to transition to a domain that can be used to transition to a login
>>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>>
>>>>>> That should provide some flexibility.
>>>>>>
>>>>>>>
>>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>>> correct sddm-greeter context with the system_r target
>>>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>>>> user_r:user_t needed for user login).
>>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>>> login mapping for the user sddm by hand:
>>>>>>> semanage login -a -s system_u sddm
>>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display
>>>>>>> Manager:/var/lib/sddm:/bin/false
>>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>>> recursive flag
>>>>>>>
>>>>>>> root at desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>>> /var/lib/sddm   system_u:object_r:user_home_dir_t:s0
>>>>>>>
>>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>>
>>>>>>> Best regards and many thanks in advance,
>>>>>>>       Christian Göttsche
>>>>>>> _______________________________________________
>>>>>>> refpolicy mailing list
>>>>>>> refpolicy at oss.tresys.com
>>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
>>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>>> Dominick Grift
>>>>>>
>>>>>>


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
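
To make the login-mapping problem discussed above concrete, here is a small model of how libselinux's get_ordered_context_list() resolves the greeter's context from default_contexts. This is an added example, not code from the thread, from sddm or from libselinux: the default_contexts text, the seusers mapping and the role table are constructed to mirror the sddm case, the role table stands in for the kernel's security_compute_user() answer (MLS levels and ~/.selinux/context are ignored), and the user_sddm_t / staff_sddm_t names are the hypothetical prefixed domains from the reply.

```python
# Added example (not code from the thread, sddm or libselinux): a simplified
# model of how libselinux's get_ordered_context_list() resolves a login
# context. It takes the default_contexts line whose first field matches the
# source role:type and keeps, in that order, only the candidates whose role
# the SELinux user is authorised for. The SELinux user comes from the login
# mapping (seusers). The role table stands in for the kernel's
# security_compute_user() answer; MLS levels are ignored.

# Constructed default_contexts: the entry discussed in the thread plus a
# typical local login line for comparison.
DEFAULT_CONTEXTS = """
# source_role:source_type  candidate contexts in order of preference
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
"""

# Constructed seusers: Linux login -> SELinux user (sddm has no entry).
SEUSERS = {"__default__": "user_u", "root": "root"}

# Constructed role authorisations: SELinux user -> roles ("semanage user -l").
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "root": {"staff_r", "sysadm_r", "unconfined_r"},
    "system_u": {"system_r"},
}


def parse_default_contexts(text):
    """Map each source role:type to its ordered list of candidate role:type."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        table[fields[0]] = fields[1:]
    return table


def seuser_for(login, seusers=SEUSERS):
    """Login mapping lookup with the __default__ fallback seusers uses."""
    return seusers.get(login, seusers["__default__"])


def ordered_context_list(source, login, contexts=DEFAULT_CONTEXTS,
                         seusers=SEUSERS, roles=USER_ROLES):
    """Candidate full contexts for `login` spawned from `source`, best first."""
    seuser = seuser_for(login, seusers)
    parts = source.split(":")
    # Accept either user:role:type or bare role:type as the source context.
    src = ":".join(parts[1:3] if len(parts) >= 3 else parts[:2])
    allowed = roles.get(seuser, set())
    table = parse_default_contexts(contexts)
    return [f"{seuser}:{cand}" for cand in table.get(src, [])
            if cand.split(":")[0] in allowed]


def default_context(source, login, **kw):
    """The context that would actually be used, or None if nothing is reachable."""
    cands = ordered_context_list(source, login, **kw)
    return cands[0] if cands else None


if __name__ == "__main__":
    helper = "system_u:system_r:sddm_helper_t"
    # Without a login mapping the sddm user falls back to user_u, so the
    # first reachable candidate is user_r:user_t, not system_r:sddm_greeter_t.
    print(default_context(helper, "sddm"))
    # After `semanage login -a -s system_u sddm` the mapping reaches system_r.
    mapped = dict(SEUSERS, sddm="system_u")
    print(default_context(helper, "sddm", seusers=mapped))
    # The reply's alternative: a prefixed $1_sddm_t domain reachable by user_r,
    # which needs no manual login mapping for the sddm user.
    suggested = "system_r:sddm_helper_t user_r:user_sddm_t staff_r:staff_sddm_t"
    print(default_context(helper, "sddm", contexts=suggested))
```

The model shows why the system_r:sddm_greeter_t entry only works once sddm is mapped to system_u (the candidate list is filtered by the roles the mapped SELinux user holds), and why a user_r:user_sddm_t entry is reachable through the default user_u mapping without touching seusers.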


Thread overview: 8+ messages
2017-01-02 12:38 [refpolicy] sddm policy help needed cgzones
2017-01-02 12:54 ` Dominick Grift
2017-01-02 20:30   ` cgzones
2017-01-02 20:47     ` Dominick Grift
2017-01-02 21:13       ` cgzones
2017-01-02 21:25         ` Dominick Grift
2017-01-03 14:20           ` cgzones
2017-01-03 15:33             ` Dominick Grift
