From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] sddm policy help needed
Date: Mon, 2 Jan 2017 22:25:35 +0100	[thread overview]
Message-ID: <55aa408b-c20c-b3ec-0818-d97f9482f55f@gmail.com> (raw)
In-Reply-To: <CAJ2a_Ddji3sVriF-K+p-=ZuEk6VNPHHycjc5qUWX5u_4+qve9w@mail.gmail.com>

On 01/02/2017 10:13 PM, cgzones wrote:
> My experience with pam authentication is very limited.
> These three files are present:

Looks like a pam misconfiguration. However, since I am not familiar with
sddm, it's hard to tell what exactly the issue is.

I would encourage you to play with these configuration files (make
backups though).

You seem to have three instances where pam_selinux is used. Ideally you
should be able to get rid of two of the three.

I think the only valid manual transition is on the xsessions executable
file. The others (kwallet and greeter) probably shouldn't be used.

I would try commenting out the pam_selinux entries (one at a time),
then test to see which entrypoint avc denials you get. Like I said, I
suspect that the only entrypoint should be on xsessions, so see if you
can make that happen by playing with the pam_selinux entries in the
files below.

> 
> root@desktopdebian:~# cat /etc/pam.d/sddm
> #%PAM-1.0
> 
> # Block login if they are globally disabled
> auth    requisite       pam_nologin.so
> auth    required        pam_succeed_if.so user != root quiet_success
> 
> # auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
> @include common-auth
> # gnome_keyring breaks QProcess
> -auth   optional        pam_gnome_keyring.so
> -auth   optional        pam_kwallet5.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> -session optional       pam_gnome_keyring.so auto_start
> -session optional       pam_kwallet5.so auto_start
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to
> # other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 
> 
> 
> root@desktopdebian:~# cat /etc/pam.d/sddm-autologin
> #%PAM-1.0
> 
> # Block login if they are globally disabled
> auth    requisite       pam_nologin.so
> auth    required        pam_permit.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to
> # other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 
> 
> 
> root@desktopdebian:~# cat /etc/pam.d/sddm-greeter
> #%PAM-1.0
> 
> auth    required        pam_permit.so
> 
> @include common-account
> 
> # SELinux needs to be the first session rule.  This ensures that any
> # lingering context has been cleared.  Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
> # Create a new session keyring.
> session optional        pam_keyinit.so force revoke
> session required        pam_limits.so
> session required        pam_loginuid.so
> session required        pam_systemd.so
> @include common-session
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context.  Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
> 
> @include common-password
> 
> # From the pam_env man page
> # Since setting of PAM environment variables can have side effects to
> # other modules, this module should be the last one on the stack.
> 
> # Load environment from /etc/environment
> session required        pam_env.so
> 
> # Load environment from /etc/default/locale
> session required        pam_env.so envfile=/etc/default/locale
> 
> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>> On 01/02/2017 09:30 PM, cgzones wrote:
>>> The problem is how to transition into the desired destination contexts:
>>> With the user context
>>> system_r:sddm_helper_t:s0       user_r:user_sddm_t:s0
>>> I get the follow up for the sddm-greeter process
>>>
>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>
>>> and for a normal user login
>>>
>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>> ----
>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>> ----
>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>
>>> How do I transition the context in the first case into sddm_greeter_t
>>> and in the second case into user_t?
>>
>> Hard to tell... could be an issue with your pam configuration.
>> How many sddm pam configuration files are there in /etc/pam.d?
>> Which of those have pam_selinux entries?
>>
>>>
>>>
>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>> <refpolicy@oss.tresys.com>:
>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>> Hi list,
>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>> Currently with the patches over here
>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>> I am able to login into the correct user contexts and the sddm
>>>>> processes have proper contexts:
>>>>>
>>>>> root@desktopdebian:~# ps -efZ | grep sddm
>>>>> system_u:system_r:sddm_t:s0     root      4232     1  0 13:09 ?        00:00:00 /usr/bin/sddm
>>>>> system_u:system_r:xserver_t:s0  root      4235  4232  1 13:09 tty7     00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>>>> system_u:system_r:sddm_helper_t:s0 root   4250  4232  0 13:09 ?        00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4255  4250  1 13:09 ?        00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>>>> system_u:system_r:sddm_greeter_t:s0 sddm  4267     1  0 13:09 ?        00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm    4268     1  0 13:09 ?        00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300  0 13:10 tty2     00:00:00 grep sddm
>>>>>
>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>> This process is responsible for the graphic login window and is
>>>>> started by sddm-helper (sddm_helper_t).
>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>> pam_start (at least I think so).
>>>>> So the process gets its context via pam authentication and the SELinux
>>>>> user login mapping gets involved.
>>>>> That's the reason for this default_contexts entry:
>>>>>
>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>
>>>> I would probably try transitioning to $1_sddm_t.
>>>>
>>>> Example:
>>>>
>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>
>>>> Then from there see where this gets me.
>>>>
>>>> If sddm_helper_t is what sets up the login user's context, then you have
>>>> to transition to a domain that can be used to transition to a login
>>>> shell domain (hence the prefix in user_sddm_t).
>>>>
>>>> That should provide some flexibility.
>>>>
>>>>>
>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>> correct sddm-greeter context with the system_r target
>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>> user_r:user_t needed for user login).
>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>> login mapping for the user sddm by hand:
>>>>> semanage login -a -s system_u sddm
>>>>> That's quite cumbersome and leads to the next problem:
>>>>> The passwd entry for sddm is:
>>>>> sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>> recursive flag.
>>>>>
>>>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>>>> /var/lib/sddm   system_u:object_r:user_home_dir_t:s0
>>>>>
>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>
>>>>> Best regards and many thanks in advance,
>>>>>       Christian Göttsche
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy@oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>
>>>>


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
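An added example, not code from the thread: a small Python parser for ausearch -i style AVC records (like the ones quoted above in cgzones's message) that collects the denied entrypoints per source domain and flags those whose target type is not on an allowlist, so each round of commenting out a pam_selinux entry can be checked mechanically. The sample records are constructed from the denials quoted in the thread; treating sddm_xsession_exec_t as the only expected entrypoint for user_sddm_t is my reading of the advice above, not a rule the thread states.

```python
import re
from collections import Counter

# Constructed sample in ausearch -i style, modelled on the entrypoint
# denials quoted in this thread; not a real capture.
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc:  denied  { entrypoint } for  pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc:  denied  { entrypoint } for  pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc:  denied  { entrypoint } for  pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc:  denied  { entrypoint } for  pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) pid=1627 comm=sddm-helper
"""

# "avc:  denied  { perm ... } for  key=value ..." (ausearch -i spacing varies)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of a denied AVC record as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """Type field of an SELinux context user:role:type[:range]."""
    return context.split(":")[2]


def entrypoint_denials(audit_text):
    """Count denied file entrypoints as (source domain, target type, path)."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or "entrypoint" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        counts[(type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["path"])] += 1
    return counts


def unexpected_entrypoints(audit_text, domain, allowed_types):
    """Entrypoints denied to `domain` whose target type is not on the allowlist;
    each one is a candidate for a pam_selinux entry that should be removed."""
    return sorted((ttype, path) for (sdom, ttype, path) in entrypoint_denials(audit_text)
                  if sdom == domain and ttype not in allowed_types)


if __name__ == "__main__":
    # Assumption: only the xsession script should be an entrypoint for the PAM-set domain.
    for ttype, path in unexpected_entrypoints(SAMPLE_AUDIT, "user_sddm_t", {"sddm_xsession_exec_t"}):
        print(f"unexpected entrypoint for user_sddm_t: {path} ({ttype})")
```

Run it against `ausearch -i -m avc` output after each pam_selinux change; the list should shrink to empty once only the xsession entrypoint remains.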

