From: Dominick Grift
To: Laurent Bigonville, selinux-refpolicy@vger.kernel.org
Subject: Re: systemd --user for GDM started as unconfined_t instead of xdm_t
Date: Sun, 6 Oct 2019 12:13:38 +0200
Message-ID: <20191006101338.GD469820@brutus.lan>
In-Reply-To: <20191006100125.GC469820@brutus.lan>
On Sun, Oct 06, 2019 at 12:01:25PM +0200, Dominick Grift wrote:
> On Sun, Oct 06, 2019 at 11:41:56AM +0200, Dominick Grift wrote:
> > On Sun, Oct 06, 2019 at 11:22:00AM +0200, Laurent Bigonville wrote:
> > > Hello,
> > >
> > > I discovered today that GDM's own processes are started as unconfined_t
> > > instead of xdm_t because the systemd --user process itself is started in that
> > > context.
> > >
> > > This is probably related to:
> > >
> > > commit da156aea1e89a6ff6025be7e50c9c8173e5a6dcf
> > > Author: Chris PeBenito
> > > Date:   Fri Apr 19 11:50:59 2019 -0400
> > >
> > >     systemd: Add initial policy for systemd --user.
> > >
> > >     This is just a start; it does not cover all uses.
> > >
> > >     Signed-off-by: Chris PeBenito
> > >
> > > Was that expected and/or wanted?
> >
> > It just means that gdm hooks into pam, and since 1. your __default__ id is set to unconfined_u and 2. you do not have a private id for gdm (and gnome-initial-setup), systemd will start gdm's systemd --user instance with unconfined_u:unconfined_r:unconfined_t.
> >
> > One (ugly, but arguably less ugly than the alternative) solution is to create an "xdm_u" and allow systemd to run a systemd --user instance on behalf of gdm with "xdm_u:system_r:xdm_t".
> >
> > That way you can tell selinux that gdm's systemd --user instance should never transition out of xdm_u:system_r:xdm_t:
> >
> > echo "system_r:init_t:s0 system_r:xdm_t:s0" > /etc/selinux/TYPE/contexts/users/xdm_u
> >
> > Then all processes in the gdm session should stay in xdm_t (but some processes will be associated with xdm_u and others with system_u).
> >
> > You would probably also want to add to semanage.conf:
> >
> > ignoredirs = /var/lib/gdm;/run/gnome-initial-setup
> >
> > and make sure that selinux does not relabel /run/user/$(id -u gdm).
>
> Just to clarify: the patch you reference is not responsible for the ugliness that is GDM/Gnome.
> Without this patch, the systemd --user instance of GDM (and of any other user) would run in "init_t". This is obviously also not desirable.

I wonder what would happen if you did this (would gdm still work?):

sudo systemctl mask user@$(id -u gdm).service user-runtime-dir@$(id -u gdm).service

>
> >
> > >
> > > Kind regards,
> > >
> > > Laurent Bigonville
> > >

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
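To make the mechanism behind the xdm_u workaround concrete, the following is an added example (not code from the thread, refpolicy or libselinux): a simplified model of how a default-context lookup walks contexts/users/<seuser> before default_contexts, keyed on the role:type of the process asking for the context (here init_t). The default_contexts content, the role assignments per SELinux user, and the behaviour of treating "role not allowed for this user" as a filter (which stands in for the kernel's validity check on the resulting context) are assumptions constructed for the example; only the xdm_u line is the one from the message above.

```python
"""Simplified model of the contexts/users/<seuser> + default_contexts
lookup used to pick the context of a systemd --user instance.

Added example; NOT libselinux. The default_contexts text and the role
sets below are constructed for illustration, the xdm_u line is the one
proposed in the e-mail above.
"""

from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for /etc/selinux/TYPE/contexts/default_contexts.
# First field: role:type[:level] of the caller; rest: ordered candidates.
DEFAULT_CONTEXTS = """\
# caller (role:type:level)   ordered candidate contexts
system_r:init_t:s0   unconfined_r:unconfined_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
system_r:sshd_t:s0   unconfined_r:unconfined_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
"""

# Per-user override files, keyed by SELinux user.  The xdm_u entry is the
# file the e-mail writes to /etc/selinux/TYPE/contexts/users/xdm_u.
USER_CONTEXTS: Dict[str, str] = {
    "xdm_u": "system_r:init_t:s0 system_r:xdm_t:s0\n",
}

# Roles each SELinux user is authorised for (constructed; the real source
# is the policy, as listed by `semanage user -l`).
SEUSER_ROLES: Dict[str, Set[str]] = {
    "unconfined_u": {"unconfined_r", "system_r"},
    "xdm_u": {"system_r"},
}


def role_type(con: str) -> str:
    """Reduce 'user:role:type:level' or 'role:type[:level]' to 'role:type'."""
    parts = con.split(":")
    if len(parts) >= 4:  # full context, drop the SELinux user prefix
        parts = parts[1:]
    return ":".join(parts[:2])


def parse_contexts(text: str) -> List[Tuple[str, List[str]]]:
    """Parse default_contexts-style lines into (caller role:type, candidates)."""
    table: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        table.append((role_type(fields[0]), fields[1:]))
    return table


def lookup(seuser: str, fromcon: str) -> Optional[str]:
    """Return the first candidate context `seuser` may take when started
    by a process running as `fromcon`, or None if nothing is reachable.

    The user's own file is consulted first, then default_contexts; a
    candidate counts only if its role is allowed for the SELinux user.
    """
    allowed = SEUSER_ROLES.get(seuser, set())
    key = role_type(fromcon)
    for text in (USER_CONTEXTS.get(seuser, ""), DEFAULT_CONTEXTS):
        for caller, candidates in parse_contexts(text):
            if caller != key:
                continue
            for cand in candidates:
                if cand.split(":")[0] in allowed:
                    return f"{seuser}:{cand}"
    return None


if __name__ == "__main__":
    init = "system_u:system_r:init_t:s0"
    # __default__ -> unconfined_u: gdm's systemd --user lands in unconfined_t
    print(lookup("unconfined_u", init))
    # private xdm_u with the override file: it stays in xdm_t
    print(lookup("xdm_u", init))
    # xdm_u cannot reach any unconfined_r/staff_r/user_r candidate
    print(lookup("xdm_u", "system_u:system_r:sshd_t:s0"))
```

Run against the constructed data, the first call shows the situation Laurent reported (the instance ends up in unconfined_t because the seuser is unconfined_u), the second shows the effect of the per-user file, and the third shows why a dedicated seuser with only system_r pins the session: no candidate with another role is valid for it, so there is nothing to transition to.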