From: Russell Coker <russell@coker.com.au>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: sddm issue and patch not for inclusion
Date: Fri, 29 Jan 2021 01:00:26 +1100 [thread overview]
Message-ID: <1944791.8TnJqL1ZiL@liv> (raw)
In-Reply-To: <ypjlzh0ti98s.fsf@defensec.nl>
On Thursday, 28 January 2021 10:36:19 PM AEDT Dominick Grift wrote:
> >> In Debian/Unstable (which will soon be frozen and become the next stable
> >> release) the sddm X login program (the one that's generally recommended
> >> and specifically known to generally work well with SE Linux) uses PAM to
> >> start a session for the "greeter" (the program that asks for a password
> >> before a new session is started).
> >>
> >> With the policy currently in Debian that means the sddm user matches
> >> "__default__" and gets unconfined_u:unconfined_r:unconfined_t, not what
> >> is desirable for a program that takes input from unauthenticated users.
> >>
> >> role xdm_r;
> >> role xdm_r types xdm_t;
> >> allow system_r xdm_r;
> >> allow xdm_t xdm_tmpfs_t:file execmod;
> >
> > that looks like a bug or at least bad code
That's a design decision. One could make a convincing argument that it's a
good decision.
> >> corecmd_bin_entry_type(xdm_t)
>
> Also wondering what or which bin_t file or files this applies to and if
> it instead is not possible to give these a private type
/usr/bin/sddm-greeter. Yes I can give it a private type, might be a good idea
in any case.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
next prev parent reply other threads:[~2021-01-28 14:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-28 11:26 sddm issue and patch not for inclusion Russell Coker
2021-01-28 11:33 ` Dominick Grift
2021-01-28 11:36 ` Dominick Grift
2021-01-28 14:00 ` Russell Coker [this message]
2021-01-28 14:08 ` Dominick Grift
2021-01-28 14:12 ` Russell Coker
2021-01-28 14:32 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1944791.8TnJqL1ZiL@liv \
--to=russell@coker.com.au \
--cc=dominick.grift@defensec.nl \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).