From: Dominick Grift <dominick.grift@defensec.nl>
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] new sddm pam patch
Date: Mon, 25 Apr 2022 18:57:42 +0200	[thread overview]
Message-ID: <875ymx5ce1.fsf@defensec.nl> (raw)


These desktop managers have a PAM stack, and that includes
/etc/pam.d/systemd-user, which provides the user with a systemd --user
instance.

If you do not add a seuser for these DM users, then their systemd --user
instance ends up with system_u:system_r:init_t:s0 (the context of pid 1,
which creates these systemd --user instances).

One possible solution would be if we could add clauses to PAM config
files, like, for example:

if ! (user sddm) {
session ... pam_selinux.so ...
}

But I am not sure if something like that is even possible, and even if it
were possible, some parts of the DE need SELinux in the PAM stack (for
logging in the user).

But yes, the main issue is the pam_selinux call in the pam_systemd
stack. Ideally we would maintain some kind of compatibility with systems
that have pam_systemd and ones that do not.

The alternative way is indeed to create a seuser so that we can tell
pam_selinux explicitly to stay in system_r:xdm_t:s0 (so the systemd
--user instance for the DE user will run in xdm_t, and so all the
transitions will be the same whether the DE starts it via systemd --user
or starts it manually).

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
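
Added worked example (not part of the mail above and not refpolicy or libselinux code): a simplified Python model of the lookup pam_selinux performs when /etc/pam.d/systemd-user opens a session. It parses the two real config formats involved, seusers (login:seuser:range, with __default__ as the fallback entry) and default_contexts (the caller's role:type:level followed by candidate role:type:level entries in preference order), and shows why a seuser mapping for the DM login changes the context the systemd --user instance receives. The SELinux user names xdm_u and svc_u, the logins sddm, alice and svc, the role table, and the rule that a session keeps the caller's context when no candidate role is allowed are all constructed assumptions for this example, not refpolicy identifiers or a claim about the exact libselinux fallback path.

```python
"""Simplified model of pam_selinux context selection (constructed example)."""

# Context of pid 1, which spawns the systemd --user instances (per the mail).
CALLER_PID1 = "system_u:system_r:init_t:s0"

# Constructed seusers file.  The 'sddm' line is the kind of entry the mail
# proposes; 'xdm_u' and 'svc_u' are assumed SELinux user names, not refpolicy's.
SEUSERS = """\
# login:seuser:range
sddm:xdm_u:s0
svc:svc_u:s0
__default__:user_u:s0
"""

# Constructed default_contexts.  First field: context of the process opening
# the session (role:type:level); remaining fields: candidates in preference order.
DEFAULT_CONTEXTS = """\
system_r:init_t:s0  system_r:xdm_t:s0 user_r:user_t:s0
system_r:xdm_t:s0   user_r:user_t:s0 staff_r:staff_t:s0
"""

# Roles each SELinux user may enter (what `semanage user -l` would report);
# constructed for this example.
USER_ROLES = {
    "xdm_u": {"system_r"},
    "svc_u": {"staff_r"},
    "user_u": {"user_r"},
}


def parse_seusers(text):
    """Map login -> (seuser, mls_range) from seusers-format text."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, seuser, mls_range = line.split(":", 2)
        mapping[login] = (seuser, mls_range)
    return mapping


def parse_default_contexts(text):
    """Map caller role:type:level -> ordered candidate role:type:level list."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[fields[0]] = fields[1:]
    return table


def seuser_for(login, seusers):
    """Return (seuser, range) for a login, falling back to __default__."""
    if login in seusers:
        return seusers[login]
    return seusers.get("__default__", (None, None))


def session_context(login, caller, seusers, default_contexts, user_roles):
    """Pick the context a new session for `login` gets when opened by `caller`."""
    seuser, mls_range = seuser_for(login, seusers)
    if seuser is None:
        return caller  # no SELinux user at all: nothing to switch to
    _user, role, type_, level = caller.split(":", 3)
    candidates = default_contexts.get(f"{role}:{type_}:{level}", [])
    for cand in candidates:
        cand_role, cand_type, cand_level = cand.split(":", 2)
        if cand_role in user_roles.get(seuser, set()):
            # First candidate whose role the SELinux user may enter wins.
            return f"{seuser}:{cand_role}:{cand_type}:{mls_range or cand_level}"
    # Modelling assumption: no candidate role is allowed for this SELinux user,
    # so the child keeps the caller's context (pid 1's init_t in the mail's case).
    return caller


if __name__ == "__main__":
    seusers = parse_seusers(SEUSERS)
    dc = parse_default_contexts(DEFAULT_CONTEXTS)
    for login in ("sddm", "alice", "svc"):
        print(f"{login:6} -> {session_context(login, CALLER_PID1, seusers, dc, USER_ROLES)}")
```

With the constructed data, sddm maps to xdm_u, whose only role is system_r, so the first init_t candidate (system_r:xdm_t:s0) is taken and the systemd --user instance lands in xdm_t as the mail wants; alice falls through __default__ to user_u and gets user_r:user_t:s0; svc is mapped to a user with no usable role and stays in pid 1's context. Removing the sddm line from the seusers text (or giving xdm_u no system_r role) and re-running shows how the DM login drops out of the xdm_t path.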

Thread overview (4+ messages):
2022-04-25 16:57 Dominick Grift [this message]
2022-02-17  6:53 [PATCH] new sddm pam patch Russell Coker
2022-02-17 13:48 ` Chris PeBenito
2022-03-27 11:42   ` Russell Coker