* [refpolicy] sddm policy help needed
@ 2017-01-02 12:38 cgzones
2017-01-02 12:54 ` Dominick Grift
0 siblings, 1 reply; 8+ messages in thread
From: cgzones @ 2017-01-02 12:38 UTC (permalink / raw)
To: refpolicy
Hi list,
I am trying to write a policy module for sddm (Simple Desktop Display Manager).
Currently with the patches over here
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
I am able to log in to the correct user contexts and the sddm
processes have proper contexts:

root@desktopdebian:~# ps -efZ | grep sddm
system_u:system_r:sddm_t:s0              root  4232    1  0 13:09 ?     00:00:00 /usr/bin/sddm
system_u:system_r:xserver_t:s0           root  4235 4232  1 13:09 tty7  00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
system_u:system_r:sddm_helper_t:s0       root  4250 4232  0 13:09 ?     00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
system_u:system_r:sddm_greeter_t:s0      sddm  4255 4250  1 13:09 ?     00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
system_u:system_r:sddm_greeter_t:s0      sddm  4267    1  0 13:09 ?     00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
system_u:system_r:sddm_dbusd_t:s0        sddm  4268    1  0 13:09 ?     00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
root:sysadm_r:sysadm_t:s0-s0:c0.c1023    root  4321 4300  0 13:10 tty2  00:00:00 grep sddm
The problem is the sddm-greeter (sddm_greeter_t) process:
This process is responsible for the graphic login window and is
started by sddm-helper (sddm_helper_t).
But it is not created via fork->exec->setuid/setgid (which can be
handled by an SELinux process transition), instead it is spawned via
pam_start (at least I think so).
So the process gets its context via pam authentication and the SELinux
user login mapping gets involved.
That's the reason for this default_contexts entry:
system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
unconfined_r:unconfined_t system_r:sddm_greeter_t
sddm-helper is also spawning the user processes, so I only get the
correct sddm-greeter context with the system_r target
(user_r:sddm_greeter_t would collide with the target context
user_r:user_t needed for the user login).
To reach the system_r:sddm_greeter_t target, I need to add the SELinux
login mapping for the user sddm by hand:

semanage login -a -s system_u sddm
That's quite cumbersome and leads to the next problem:
The passwd entry for sddm is:

sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false

and so genhomedircon creates home dir contexts for sddm and I must not
relabel the directory /var/lib/sddm or any parent directory with the
recursive flag

root@desktopdebian:~# matchpathcon /var/lib/sddm
/var/lib/sddm system_u:object_r:user_home_dir_t:s0
Am I missing something or can these problems be fixed by reworking my
patches or are upstream patches needed (sddm / SELinux userland)?
Best regards and many thanks in advance,
Christian Göttsche
* [refpolicy] sddm policy help needed
@ 2017-01-02 12:54 Dominick Grift
From: Dominick Grift @ 2017-01-02 12:54 UTC (permalink / raw)
To: refpolicy

On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
> Hi list,
> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
> [...]
> The problem is the sddm-greeter (sddm_greeter_t) process:
> This process is responsible for the graphic login window and is
> started by sddm-helper (sddm_helper_t).
> But it is not created via fork->exec->setuid/setgid (which can be
> handled by an SELinux process transition), instead it is spawned via
> pam_start (at least I think so).
> So the process gets its context via pam authentication and the SELinux
> user login mapping gets involved.
> That's the reason for this default_contexts entry:
>
> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
> unconfined_r:unconfined_t system_r:sddm_greeter_t

I would probably try transitioning to $1_sddm_t

Example:

system_r:sddm_helper_t user_r:user_sddm_t

Then from there see where this gets me

If sddm_helper_t is what sets up the login user's context, then you have
to transition to a domain that can be used to transition to a login
shell domain (hence the prefix in user_sddm_t)

That should provide some flexibility.

> sddm-helper is also spawning the user processes, so I only get the
> correct sddm-greeter context with the system_r target
> (user_r:sddm_greeter_t would collide with the target context
> user_r:user_t needed for the user login).
> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
> login mapping for the user sddm by hand:
>
> semanage login -a -s system_u sddm
>
> [...]
> Am I missing something or can these problems be fixed by reworking my
> patches or are upstream patches needed (sddm / SELinux userland)?
>
> Best regards and many thanks in advance,
> Christian Göttsche

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
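To make the lookup both mails are reasoning about concrete, here is an added example (not code from this thread, from sddm or from libselinux) that models how pam_selinux turns a default_contexts line into a login context. libselinux takes the line keyed by the caller's role:type, here system_r:sddm_helper_t, walks the candidates left to right and keeps the first one that is a valid context for the SELinux user the Linux account is mapped to. The two sddm_helper_t lines are the ones from the mails above; the role table, the local_login_t line and the login mappings are constructed for the example. The real lookup additionally validates each candidate against the loaded policy and honours contexts/users/<seuser> overrides, which this model leaves out.

```python
"""Model of the default_contexts lookup pam_selinux performs at login.

Added example for this thread; it is not code from the thread, from sddm or
from libselinux.  It reproduces one rule of the lookup: take the
default_contexts line keyed by the caller's role:type, walk the candidate
role:type pairs left to right and keep the first one whose role the SELinux
user (from the login mapping) is authorised for.  The real code also checks
the full context against the loaded policy and consults
contexts/users/<seuser>; both are left out here.
"""

# Constructed: roles each SELinux user is authorised for.  On a real system
# read this from the policy (`seinfo -u<seuser> -x`) instead of trusting it.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
    "unconfined_u": {"unconfined_r"},
}

# Constructed default_contexts snippet; the sddm_helper_t line is the one
# from the first mail, the local_login_t line is made up for contrast.
DEFAULT_CONTEXTS = """\
# caller role:type      candidate role:type pairs, most preferred first
system_r:local_login_t  user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
system_r:sddm_helper_t  user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
"""

# The single-candidate line suggested in the reply above.
DEFAULT_CONTEXTS_SDDM_PREFIX = """\
system_r:sddm_helper_t  user_r:user_sddm_t
"""

HELPER = "system_u:system_r:sddm_helper_t:s0"


def parse_default_contexts(text):
    """Return {"role:type": [(role, type), ...]} from default_contexts text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *candidates = line.split()
        table[key] = [tuple(c.split(":", 1)) for c in candidates]
    return table


def pick_login_context(table, caller_context, seuser, level="s0"):
    """First candidate whose role `seuser` may take, as a full context, or None."""
    _user, role, type_, *_range = caller_context.split(":")
    for cand_role, cand_type in table.get(f"{role}:{type_}", []):
        if cand_role in USER_ROLES.get(seuser, set()):
            return f"{seuser}:{cand_role}:{cand_type}:{level}"
    return None


def resolve_logins(table, caller_context, login_mappings, linux_users):
    """Context each Linux user gets; `login_mappings` mirrors `semanage login -l`."""
    out = {}
    for name in linux_users:
        seuser = login_mappings.get(name, login_mappings["__default__"])
        out[name] = pick_login_context(table, caller_context, seuser)
    return out


if __name__ == "__main__":
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    users = ["sddm", "christian"]
    # Only __default__ mapped: greeter account and human both land in user_t.
    print(resolve_logins(table, HELPER, {"__default__": "user_u"}, users))
    # After `semanage login -a -s system_u sddm`: greeter reaches sddm_greeter_t.
    print(resolve_logins(table, HELPER, {"__default__": "user_u", "sddm": "system_u"}, users))
    # The user_sddm_t line sends every user_u login into user_sddm_t.
    alt = parse_default_contexts(DEFAULT_CONTEXTS_SDDM_PREFIX)
    print(resolve_logins(alt, HELPER, {"__default__": "user_u"}, users))
```

Run as a script it prints the three situations from the thread: with only __default__ mapped to user_u, the sddm account and a human user both resolve to user_r:user_t; after semanage login -a -s system_u sddm the greeter resolves to system_r:sddm_greeter_t while the human login is unchanged; and with the single user_r:user_sddm_t candidate every user_u login, greeter and human alike, resolves to user_sddm_t. The model validates only the role, so a candidate type that is not authorised for that role in the loaded policy would still be accepted here but rejected by libselinux.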
* [refpolicy] sddm policy help needed
@ 2017-01-02 20:30 cgzones
From: cgzones @ 2017-01-02 20:30 UTC (permalink / raw)
To: refpolicy

The problem is how to transition into the desired destination contexts:
With the user context

system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0

I get the following for the sddm-greeter process

type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0

and for a normal user login

type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0

How do I transition the context in the first case into sddm_greeter_t
and in the second case into user_t?
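The entrypoint denials in the mail above, run through a small classifier. This is an added example, not code from the thread and not audit2allow: it parses ausearch -i style AVC lines, keeps the denied entrypoint checks on files, groups them by source and target type and, for each pairing, names the two alternatives the thread is weighing: let the domain enter that file type (refpolicy's domain_entry_file(domain, exec_type) interface), or change default_contexts so the login lands in a domain that already enters through that type. Which of the two is right is a policy decision the tool cannot make; it only makes the pairing explicit and warns where the target type is a broad label such as bin_t. The first four records are copied from the mail; the fifth is constructed to show a non-entrypoint denial being skipped.

```python
"""Group the entrypoint denials from the mail and spell out the two ways out.

Added example for this thread; it is not code from the thread and it is not
audit2allow.  Parses `ausearch -i` style AVC lines, keeps denied `entrypoint`
checks on files, groups them by (source type, target type) and lists, per
pairing, the two alternatives: allow the domain to enter that file type with
refpolicy's domain_entry_file(), or pick a default_contexts target that
already enters through that type.  The first four records below are from the
mail; the last one is constructed to show a non-entrypoint denial being skipped.
"""
import re
from collections import defaultdict

SAMPLE_AVCS = """\
type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/02/17 21:15:40.000:132) : avc: denied { search } for pid=1627 comm=sddm-helper name="sddm" dev="dm-0" ino=1 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (dev="dm-0") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# File types that label large parts of the tree; an entrypoint rule on them
# makes the domain enterable through almost any binary.
BROAD_EXEC_TYPES = {"bin_t"}


def parse_avc(line):
    """One AVC record as a dict (perms as a set), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Type field of a user:role:type[:level] context."""
    return ctx.split(":")[2]


def group_entrypoint_denials(lines):
    """{(source_type, target_type): [path, ...]} for denied entrypoint on files."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if rec.get("tclass") != "file" or "entrypoint" not in rec["perms"]:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]))
        groups[key].append(rec.get("path", "?"))
    return dict(groups)


def suggestions(groups):
    """One line per pairing with both alternatives; broad target types get a warning."""
    out = []
    for (src, tgt), paths in sorted(groups.items()):
        line = (f"{src} -> {tgt} via {', '.join(paths)}: either "
                f"domain_entry_file({src}, {tgt}) or a default_contexts target "
                f"that already enters through {tgt}")
        if tgt in BROAD_EXEC_TYPES:
            line += f" [warning: {tgt} labels most binaries; do not add entrypoint on it]"
        out.append(line)
    return out


if __name__ == "__main__":
    for s in suggestions(group_entrypoint_denials(SAMPLE_AVCS.splitlines())):
        print(s)
```

Fed with `ausearch -i -m AVC` output instead of the embedded sample, the grouping makes the shape of the problem visible at a glance: here every pairing has the same source type, user_sddm_t, which is the domain the login landed in, while the target types differ by what the helper execs next (greeter, kwallet helper, shell, Xsession script).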
* [refpolicy] sddm policy help needed
@ 2017-01-02 20:47 Dominick Grift
From: Dominick Grift @ 2017-01-02 20:47 UTC (permalink / raw)
To: refpolicy

On 01/02/2017 09:30 PM, cgzones wrote:
> The problem is how to transition into the desired destination contexts:
> With the user context
> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
> I get the following for the sddm-greeter process
> [...]
> How do I transition the context in the first case into sddm_greeter_t
> and in the second case into user_t?

Hard to tell... could be an issue with your pam configuration

How many sddm pam configuration files are there in /etc/pam.d?

Which of those have pam_selinux entries?

-- 
Dominick Grift
* [refpolicy] sddm policy help needed
@ 2017-01-02 21:13 cgzones
From: cgzones @ 2017-01-02 21:13 UTC (permalink / raw)
To: refpolicy

My experience with pam authentication is very limited.
These three files are present:

root@desktopdebian:~# cat /etc/pam.d/sddm
#%PAM-1.0

# Block login if they are globally disabled
auth requisite pam_nologin.so
auth required pam_succeed_if.so user != root quiet_success
# auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
session required pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required pam_env.so
# Load environment from /etc/default/locale
session required pam_env.so envfile=/etc/default/locale

root@desktopdebian:~# cat /etc/pam.d/sddm-autologin
#%PAM-1.0

# Block login if they are globally disabled
auth requisite pam_nologin.so
auth required pam_permit.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
session required pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required pam_env.so
# Load environment from /etc/default/locale
session required pam_env.so envfile=/etc/default/locale

root@desktopdebian:~# cat /etc/pam.d/sddm-greeter
#%PAM-1.0
auth required pam_permit.so

@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional pam_keyinit.so force revoke
session required pam_limits.so
session required pam_loginuid.so
session required pam_systemd.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
# Load environment from /etc/environment
session required pam_env.so
# Load environment from /etc/default/locale
session required pam_env.so envfile=/etc/default/locale
rdev=00:00 >> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL >> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian >> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 >> syscall=execve success=no exit=EACCES(Permission denied) >> a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 >> items=1 ppid=162 >> 7 pid=1628 auid=christian uid=christian gid=christian euid=christian >> suid=christian fsuid=christian egid=christian sgid=christian >> fsgid=christian tty=(none) ses=5 comm=sddm-helper >> exe=/usr/lib/x86_64-linu >> x-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null) >> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { >> entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" >> ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:ob >> ject_r:shell_exec_t:s0 tclass=file permissive=0 >> ---- >> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : >> proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket >> /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start >> /usr/bin/s >> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 >> name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 >> ouid=root ogid=root rdev=00:00 >> obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype= >> NORMAL >> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian >> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 >> syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 >> a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=chr >> istian uid=christian gid=christian euid=christian suid=christian >> fsuid=christian egid=christian sgid=christian fsgid=christian >> tty=(none) ses=5 comm=sddm-helper >> exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-hel >> per subj=system_u:system_r:sddm_helper_t:s0 key=(null) >> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { >> entrypoint } for 
pid=1627 comm=sddm-helper path=/etc/sddm/Xsession >> dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 >> tcontext=sy >> stem_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0 >> >> How do I transition the context in the first case into sddm_greeter_t >> and in the second case into user_t? > > Hard to tell... could be an issue with your pam configuration > How many sddm pam configuration files are there in /etc/pam.d? > Which one of those have pam_selinux entries? > >> >> >> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy >> <refpolicy@oss.tresys.com>: >>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote: >>>> Hi list, >>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager). >>>> Currently with the patches over here >>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch >>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch >>>> I am able to login into the correct user contexts and the sddm >>>> processes have proper contexts: >>>> >>>> root at desktopdebian:~# ps -efZ | grep sddm >>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ? >>>> 00:00:00 /usr/bin/sddm >>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7 >>>> 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth >>>> /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none >>>> -noreset -displ >>>> ayfd 18 vt7 >>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ? >>>> 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket >>>> /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start >>>> /usr/b >>>> in/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme >>>> /usr/share/sddm/themes/breeze --user sddm --greeter >>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ? 
>>>> 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme >>>> /usr/share/sddm/themes/breeze >>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ? >>>> 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 >>>> --binary-syntax --close-stderr >>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ? >>>> 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 >>>> --session >>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2 >>>> 00:00:00 grep sddm >>>> >>>> The problem is the sddm-greeter (sddm_greeter_t) process: >>>> This process is responsible for the graphic login window and is >>>> started by sddm-helper (sddm_helper_t). >>>> But it is not created via fork->exec->setuid/setgid (which can be >>>> handled by an SELinux process transition), instead it is spawned via >>>> pam_start (at least I think so). >>>> So the process gets its context via pam authentication and the SELinux >>>> user login mapping gets involved. >>>> That's the reason for this default_contexts entry: >>>> >>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t >>>> unconfined_r:unconfined_t system_r:sddm_greeter_t >>> >>> I would probably try transitioning to $1_sddm_t >>> >>> Example: >>> >>> system_r:sddm_helper_t user_r:user_sddm_t >>> >>> Then from there see where this gets me >>> >>> If sddm_helper_t is what sets up the login users context, then you have >>> to transition to a domain that can be used to transition to a login >>> shell domain (hence the prefix in user_sddm_t) >>> >>> That should provide some flexibility. >>> >>>> >>>> sddm-helper is also spawning the user processes, so I only get the >>>> correct sddm-greeter context with the system_r target >>>> (user_r:sddm_greeter_t would collide with the for user login needed >>>> target context user_r:user_t). 
>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux >>>> login mapping for the user sddm by hand: >>>> semamage login -a -s system_u sddm >>>> That's quite cumbersome and leads to the next problem: >>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display >>>> Manager:/var/lib/sddm:/bin/false >>>> and so genhomedircon creates home dir contexts for sddm and I must not >>>> relabel the directory /var/lib/sddm or any parent directory with the >>>> recursive flag >>>> >>>> root at desktopdebian:~# matchpathcon /var/lib/sddm >>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0 >>>> >>>> Am I missing something or can these problems be fixed by reworking my >>>> patches or are upstream patches needed (sddm / SELinux userland)? >>>> >>>> Best regards and many thanks in advance, >>>> Christian G?ttsche >>>> _______________________________________________ >>>> refpolicy mailing list >>>> refpolicy at oss.tresys.com >>>> http://oss.tresys.com/mailman/listinfo/refpolicy >>>> >>> >>> >>> -- >>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 >>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 >>> Dominick Grift >>> >>> >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy >>> > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift > ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] sddm policy help needed
2017-01-02 21:13 ` cgzones
@ 2017-01-02 21:25 ` Dominick Grift
2017-01-03 14:20 ` cgzones
0 siblings, 1 reply; 8+ messages in thread
From: Dominick Grift @ 2017-01-02 21:25 UTC (permalink / raw)
To: refpolicy

On 01/02/2017 10:13 PM, cgzones wrote:
> My experience with pam authentication is very limited.
> These three files are present:

Looks like a pam misconfiguration. However since I am not familiar with
sddm, it's hard to tell what exactly the issue is.

I would encourage you to play with these configuration files (make
backups though)

You seem to have three instances where pam_selinux is used. Ideally you
should be able to get rid of two of the three

I think the only valid manual transition is on the xsessions executable
file. The others (kwallet and greeter) probably shouldn't be used

I would try commenting out the pam_selinux entries (one at a time)
then test to see which entrypoint avc denials you get. Like I said, I
suspect that the only entrypoint should be on xsessions, so see if you
can make that happen by playing with the pam_selinux entries in the
files below

> root at desktopdebian:~# cat /etc/pam.d/sddm
> [...]
> root at desktopdebian:~# cat /etc/pam.d/sddm-autologin
> [...]
> root at desktopdebian:~# cat /etc/pam.d/sddm-greeter
> [...]
>
> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>> On 01/02/2017 09:30 PM, cgzones wrote:
>>> [...]
>>> How do I transition the context in the first case into sddm_greeter_t
>>> and in the second case into user_t?
>>
>> Hard to tell... could be an issue with your pam configuration
>> How many sddm pam configuration files are there in /etc/pam.d?
>> Which one of those have pam_selinux entries?
>>
>> [...]

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
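The pam_selinux "open" step discussed above does not invent a context: libselinux reads the default_contexts line whose first field matches the role:type of the calling process (here sddm_helper_t), keeps the following entries the SELinux user is allowed, and the PAM module normally takes the first survivor. The Python model below is an added illustration for this thread, not code from the thread, from libselinux or from pam_selinux. It replays that ordering for the default_contexts entry from the first message and for the later variant with a second user_r candidate, and adds an `index` parameter to show what picking a later candidate yields. The role table, the seusers mapping and the login names are constructed sample data, MLS levels are ignored, and the real code additionally validates that each type is allowed for its role.

```python
"""Model of how the pam_selinux "open" step picks a login context.

Added illustration only; not code from the thread, libselinux or
pam_selinux. Simplifications: MLS levels are dropped, and the role table
below is constructed sample data rather than the loaded policy.
"""
from typing import Dict, List, Optional, Set

# Constructed sample: SELinux user -> roles the policy lets it hold.
ALLOWED_ROLES: Dict[str, Set[str]] = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
}

# Constructed sample of the seusers mapping (Linux login -> SELinux user);
# the __default__ entry catches every login without its own mapping.
SEUSERS: Dict[str, str] = {
    "christian": "staff_u",
    "__default__": "user_u",
}

# default_contexts entry as posted in the thread's first message.
ORIGINAL_ENTRY = (
    "system_r:sddm_helper_t user_r:user_t staff_r:staff_t "
    "sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t\n"
)

# Variant with user_r:sddm_greeter_t added as a second user_r candidate.
UPDATED_ENTRY = (
    "system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t "
    "staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t "
    "system_r:sddm_greeter_t\n"
)


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Map the source 'role:type' to its ordered list of 'role:type' targets."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        table[fields[0]] = fields[1:]
    return table


def seuser_for(login: str) -> str:
    """Resolve a Linux login to its SELinux user through the seusers sample."""
    return SEUSERS.get(login, SEUSERS["__default__"])


def ordered_context_list(table: Dict[str, List[str]], fromcon: str,
                         seuser: str) -> List[str]:
    """Ordered contexts a process in `fromcon` may hand to `seuser`.

    Only candidates whose role the SELinux user may hold survive; the
    order of the default_contexts line is preserved.
    """
    _, role, dtype = fromcon.split(":")[:3]  # user:role:type[:level]
    roles = ALLOWED_ROLES.get(seuser, set())
    result: List[str] = []
    for candidate in table.get(f"{role}:{dtype}", []):
        cand_role, _ = candidate.split(":")
        if cand_role in roles:
            result.append(f"{seuser}:{candidate}")
    return result


def select_context(table: Dict[str, List[str]], fromcon: str, seuser: str,
                   index: int = 1) -> Optional[str]:
    """Pick the index-th (1-based) candidate; None if the list is shorter."""
    candidates = ordered_context_list(table, fromcon, seuser)
    if index < 1 or index > len(candidates):
        return None
    return candidates[index - 1]


if __name__ == "__main__":
    helper = "system_u:system_r:sddm_helper_t:s0"
    for name, text in (("original", ORIGINAL_ENTRY), ("updated", UPDATED_ENTRY)):
        table = parse_default_contexts(text)
        for login in ("sddm", "christian"):
            ctxs = ordered_context_list(table, helper, seuser_for(login))
            print(f"{name:8} {login:9} -> {ctxs}")
        # Effect of mapping the sddm login to system_u by hand (semanage login)
        print(f"{name:8} sddm/system_u -> "
              f"{ordered_context_list(table, helper, 'system_u')}")
```

With the original entry, a login mapped to user_u can only reach user_r:user_t from sddm_helper_t, which is why the greeter context was only reachable after mapping the sddm login to system_u; with a second user_r candidate on the line, the same login gets an ordered pair and the choice between the two is purely a matter of which index the PAM module takes.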
* [refpolicy] sddm policy help needed 2017-01-02 21:25 ` Dominick Grift @ 2017-01-03 14:20 ` cgzones 2017-01-03 15:33 ` Dominick Grift 0 siblings, 1 reply; 8+ messages in thread From: cgzones @ 2017-01-03 14:20 UTC (permalink / raw) To: refpolicy Thanks for your feedback! I thinkit it is finally working: The updated default_context looks like: system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t pam_selinux got patched like attached and the the sddm-greeter pam configuration is set to (/etc/pam.d/sddm-greeter) session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open select_default_context=2 How this works: sddm-helper spawns the sddm-greeter with the pam service sddm-greeter. There the select_default_context=2 statement ensures that not the first default context returned from SELinux is used but in this case the second one. The first context is in this case for a login with sddm as user_u user_t, the second one sddm_greeter_t. The user processes are spawned by sddm-helper with the pam service sddm, so over there the default first context user_t is chosen. 2017-01-02 22:25 GMT+01:00 Dominick Grift <dac.override@gmail.com>: > On 01/02/2017 10:13 PM, cgzones wrote: >> My experience with pam authentification is very limited. >> These three files are present: > > Looks like a pam misconfiguration. However since i am not familiar with > sddm, its hard to tell what exactly the issue is. > > I would encourage you to play with these configurations files (make > backups though) > > You seem to have three instances where pam_selinux is used. Ideally you > should be able to get rid of two of the three > > I think the only valid manual transition is on the xsessions executable > file. 
The others (kwallet and greeter) probably shouldnt be used > > I would try commenting out the pam_selinux entries (one at the time) > then test to see which antrpoint avc denials you get. Like i said, i > suspect that the only entrypoint should be on xsessions, so see if you > can make that happen by playing with the pam_selinux entries in the > files below > >> >> root at desktopdebian:~# cat /etc/pam.d/sddm >> #%PAM-1.0 >> >> # Block login if they are globally disabled >> auth requisite pam_nologin.so >> auth required pam_succeed_if.so user != root quiet_success >> >> # auth sufficient pam_succeed_if.so user ingroup nopasswdlogin >> @include common-auth >> # gnome_keyring breaks QProcess >> -auth optional pam_gnome_keyring.so >> -auth optional pam_kwallet5.so >> >> @include common-account >> >> # SELinux needs to be the first session rule. This ensures that any >> # lingering context has been cleared. Without this it is possible that a >> # module could execute code in the wrong domain. >> session [success=ok ignore=ignore module_unknown=ignore default=bad] >> pam_selinux.so close >> # Create a new session keyring. >> session optional pam_keyinit.so force revoke >> session required pam_limits.so >> session required pam_loginuid.so >> session required pam_systemd.so >> @include common-session >> # SELinux needs to intervene at login time to ensure that the process starts >> # in the proper default security context. Only sessions which are intended >> # to run in the user's context should be run after this. >> session [success=ok ignore=ignore module_unknown=ignore default=bad] >> pam_selinux.so open >> -session optional pam_gnome_keyring.so auto_start >> -session optional pam_kwallet5.so auto_start >> >> @include common-password >> >> # From the pam_env man page >> # Since setting of PAM environment variables can have side effects to >> other modules, this module should be the last one on the stack. 
>> >> # Load environment from /etc/environment >> session required pam_env.so >> >> # Load environment from /etc/default/locale >> session required pam_env.so envfile=/etc/default/locale >> >> >> >> root at desktopdebian:~# cat /etc/pam.d/sddm-autologin >> #%PAM-1.0 >> >> # Block login if they are globally disabled >> auth requisite pam_nologin.so >> auth required pam_permit.so >> >> @include common-account >> >> # SELinux needs to be the first session rule. This ensures that any >> # lingering context has been cleared. Without this it is possible that a >> # module could execute code in the wrong domain. >> session [success=ok ignore=ignore module_unknown=ignore default=bad] >> pam_selinux.so close >> # Create a new session keyring. >> session optional pam_keyinit.so force revoke >> session required pam_limits.so >> session required pam_loginuid.so >> session required pam_systemd.so >> @include common-session >> # SELinux needs to intervene at login time to ensure that the process starts >> # in the proper default security context. Only sessions which are intended >> # to run in the user's context should be run after this. >> session [success=ok ignore=ignore module_unknown=ignore default=bad] >> pam_selinux.so open >> >> @include common-password >> >> # From the pam_env man page >> # Since setting of PAM environment variables can have side effects to >> other modules, this module should be the last one on the stack. >> >> # Load environment from /etc/environment >> session required pam_env.so >> >> # Load environment from /etc/default/locale >> session required pam_env.so envfile=/etc/default/locale >> >> >> >> root at desktopdebian:~# cat /etc/pam.d/sddm-greeter >> #%PAM-1.0 >> >> auth required pam_permit.so >> >> @include common-account >> >> # SELinux needs to be the first session rule. This ensures that any >> # lingering context has been cleared. Without this it is possible that a >> # module could execute code in the wrong domain. 
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>> # Create a new session keyring.
>> session optional pam_keyinit.so force revoke
>> session required pam_limits.so
>> session required pam_loginuid.so
>> session required pam_systemd.so
>> @include common-session
>> # SELinux needs to intervene at login time to ensure that the process starts
>> # in the proper default security context. Only sessions which are intended
>> # to run in the user's context should be run after this.
>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>
>> @include common-password
>>
>> # From the pam_env man page
>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>
>> # Load environment from /etc/environment
>> session required pam_env.so
>>
>> # Load environment from /etc/default/locale
>> session required pam_env.so envfile=/etc/default/locale
>>
>> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>> The problem is how to transition into the desired destination contexts:
>>>> With the user context
>>>> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
>>>> I get the follow up for the sddm-greeter process
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>
>>>> and for a normal user login
>>>>
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>>> ----
>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>
>>>> How do I transition the context in the first case into sddm_greeter_t
>>>> and in the second case into user_t?
>>>
>>> Hard to tell... could be an issue with your pam configuration
>>> How many sddm pam configuration files are there in /etc/pam.d?
>>> Which one of those have pam_selinux entries?
>>>
>>>>
>>>>
>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>>> <refpolicy@oss.tresys.com>:
>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>> Hi list,
>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>> Currently with the patches over here
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>> processes have proper contexts:
>>>>>>
>>>>>> root@desktopdebian:~# ps -efZ | grep sddm
>>>>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ?
>>>>>> 00:00:00 /usr/bin/sddm
>>>>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7
>>>>>> 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>>>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ?
>>>>>> 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ?
>>>>>> 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ?
>>>>>> 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ?
>>>>>> 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2
>>>>>> 00:00:00 grep sddm
>>>>>>
>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>> This process is responsible for the graphic login window and is
>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>> pam_start (at least I think so).
>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>> user login mapping gets involved.
>>>>>> That's the reason for this default_contexts entry:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>
>>>>> I would probably try transitioning to $1_sddm_t
>>>>>
>>>>> Example:
>>>>>
>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>
>>>>> Then from there see where this gets me
>>>>>
>>>>> If sddm_helper_t is what sets up the login user's context, then you have
>>>>> to transition to a domain that can be used to transition to a login
>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>
>>>>> That should provide some flexibility.
>>>>>
>>>>>>
>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>> correct sddm-greeter context with the system_r target
>>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>>> user_r:user_t needed for user login).
>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>> login mapping for the user sddm by hand:
>>>>>> semanage login -a -s system_u sddm
>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>> recursive flag
>>>>>>
>>>>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0
>>>>>>
>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>
>>>>>> Best regards and many thanks in advance,
>>>>>> Christian Göttsche
>>>>>> _______________________________________________
>>>>>> refpolicy mailing list
>>>>>> refpolicy@oss.tresys.com
>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>> Dominick Grift
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> refpolicy mailing list
>>>>> refpolicy@oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>
>>>
>>>
>>> --
>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>> Dominick Grift
>>>
>
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pam-fix.patch
Type: text/x-patch
Size: 4734 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170103/4995335f/attachment.bin
* [refpolicy] sddm policy help needed
2017-01-03 14:20 ` cgzones
@ 2017-01-03 15:33 ` Dominick Grift
0 siblings, 0 replies; 8+ messages in thread
From: Dominick Grift @ 2017-01-03 15:33 UTC (permalink / raw)
To: refpolicy

On 01/03/2017 03:20 PM, cgzones wrote:
> Thanks for your feedback!
>
> I think it is finally working:
>
> The updated default_contexts looks like:
>
> system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>
> pam_selinux got patched like attached and the sddm-greeter pam
> configuration is set to (/etc/pam.d/sddm-greeter)
>
> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open select_default_context=2
>
> How this works:
> sddm-helper spawns the sddm-greeter with the pam service sddm-greeter.
> There the select_default_context=2 statement ensures that not the
> first default context returned from SELinux is used but in this case
> the second one.
> The first context is in this case for a login with sddm as user_u
> user_t, the second one sddm_greeter_t.
>
> The user processes are spawned by sddm-helper with the pam service
> sddm, so over there the default first context user_t is chosen.
>

That's a nice but ugly hack. Glad you got it "working"

> 2017-01-02 22:25 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>> On 01/02/2017 10:13 PM, cgzones wrote:
>>> My experience with pam authentication is very limited.
>>> These three files are present:
>>
>> Looks like a pam misconfiguration. However since I am not familiar with
>> sddm, it's hard to tell what exactly the issue is.
>>
>> I would encourage you to play with these configuration files (make
>> backups though)
>>
>> You seem to have three instances where pam_selinux is used. Ideally you
>> should be able to get rid of two of the three
>>
>> I think the only valid manual transition is on the xsessions executable file.
>> The others (kwallet and greeter) probably shouldn't be used
>>
>> I would try commenting out the pam_selinux entries (one at the time)
>> then test to see which entrypoint avc denials you get. Like I said, I
>> suspect that the only entrypoint should be on xsessions, so see if you
>> can make that happen by playing with the pam_selinux entries in the
>> files below
>>
>>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth requisite pam_nologin.so
>>> auth required pam_succeed_if.so user != root quiet_success
>>>
>>> # auth sufficient pam_succeed_if.so user ingroup nopasswdlogin
>>> @include common-auth
>>> # gnome_keyring breaks QProcess
>>> -auth optional pam_gnome_keyring.so
>>> -auth optional pam_kwallet5.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>> -session optional pam_gnome_keyring.so auto_start
>>> -session optional pam_kwallet5.so auto_start
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm-autologin
>>> #%PAM-1.0
>>>
>>> # Block login if they are globally disabled
>>> auth requisite pam_nologin.so
>>> auth required pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>>
>>> root@desktopdebian:~# cat /etc/pam.d/sddm-greeter
>>> #%PAM-1.0
>>>
>>> auth required pam_permit.so
>>>
>>> @include common-account
>>>
>>> # SELinux needs to be the first session rule. This ensures that any
>>> # lingering context has been cleared. Without this it is possible that a
>>> # module could execute code in the wrong domain.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
>>> # Create a new session keyring.
>>> session optional pam_keyinit.so force revoke
>>> session required pam_limits.so
>>> session required pam_loginuid.so
>>> session required pam_systemd.so
>>> @include common-session
>>> # SELinux needs to intervene at login time to ensure that the process starts
>>> # in the proper default security context. Only sessions which are intended
>>> # to run in the user's context should be run after this.
>>> session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>>>
>>> @include common-password
>>>
>>> # From the pam_env man page
>>> # Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.
>>>
>>> # Load environment from /etc/environment
>>> session required pam_env.so
>>>
>>> # Load environment from /etc/default/locale
>>> session required pam_env.so envfile=/etc/default/locale
>>>
>>> 2017-01-02 21:47 GMT+01:00 Dominick Grift <dac.override@gmail.com>:
>>>> On 01/02/2017 09:30 PM, cgzones wrote:
>>>>> The problem is how to transition into the desired destination contexts:
>>>>> With the user context
>>>>> system_r:sddm_helper_t:s0 user_r:user_sddm_t:s0
>>>>> I get the follow up for the sddm-greeter process
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 20:12:49.147:177) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth0bae6870-9ad2-4e38-a8f5-afc646509e0a --id 2 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 20:12:49.147:177) : item=0 name=/usr/bin/sddm-greeter inode=3955487 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_greeter_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 20:12:49.147:177) : cwd=/var/lib/sddm
>>>>> type=SYSCALL msg=audit(01/02/17 20:12:49.147:177) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1e4e6a0 a1=0x1e4fd00 a2=0x1e50a10 a3=0x59a items=1 ppid=2341 pid=2347 auid=sddm uid=sddm gid=sddm euid=sddm suid=sddm fsuid=sddm egid=sddm sgid=sddm fsgid=sddm tty=(none) ses=9 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 20:12:49.147:177) : avc: denied { entrypoint } for pid=2347 comm=sddm-helper path=/usr/bin/sddm-greeter dev="dm-0" ino=3955487 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_greeter_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> and for a normal user login
>>>>>
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.336:127) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.336:127) : item=0 name=/usr/bin/kwalletd5 inode=3934995 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.336:127) : cwd=/
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.336:127) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x1501620 a1=0x7ffdb80fb240 a2=0x1509e80 a3=0x64 items=1 ppid=1625 pid=1626 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.336:127) : avc: denied { entrypoint } for pid=1626 comm=sddm-helper path=/usr/bin/kwalletd5 dev="dm-0" ino=3934995 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:130) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:130) : item=0 name=/bin/sh inode=4064745 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:130) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:130) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffaefdc18b9 a1=0x7ffdb80fae30 a2=0x15088c0 a3=0x7ffdb80faed0 items=1 ppid=1627 pid=1628 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:130) : avc: denied { entrypoint } for pid=1628 comm=sddm-helper path=/bin/bash dev="dm-0" ino=4064745 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
>>>>> ----
>>>>> type=PROCTITLE msg=audit(01/02/17 21:15:39.340:131) : proctitle=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-auth986e6070-4f6b-4ba6-a39f-c0c1c2c6990f --id 1 --start /usr/bin/s
>>>>> type=PATH msg=audit(01/02/17 21:15:39.340:131) : item=0 name=/etc/sddm/Xsession inode=3672532 dev=fe:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sddm_xsession_exec_t:s0 nametype=NORMAL
>>>>> type=CWD msg=audit(01/02/17 21:15:39.340:131) : cwd=/home/christian
>>>>> type=SYSCALL msg=audit(01/02/17 21:15:39.340:131) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x150ca60 a1=0x150ca40 a2=0x150d6e0 a3=0x59a items=1 ppid=1619 pid=1627 auid=christian uid=christian gid=christian euid=christian suid=christian fsuid=christian egid=christian sgid=christian fsgid=christian tty=(none) ses=5 comm=sddm-helper exe=/usr/lib/x86_64-linux-gnu/sddm/sddm-helper subj=system_u:system_r:sddm_helper_t:s0 key=(null)
>>>>> type=AVC msg=audit(01/02/17 21:15:39.340:131) : avc: denied { entrypoint } for pid=1627 comm=sddm-helper path=/etc/sddm/Xsession dev="dm-0" ino=3672532 scontext=user_u:user_r:user_sddm_t:s0 tcontext=system_u:object_r:sddm_xsession_exec_t:s0 tclass=file permissive=0
>>>>>
>>>>> How do I transition the context in the first case into sddm_greeter_t
>>>>> and in the second case into user_t?
>>>>
>>>> Hard to tell... could be an issue with your pam configuration
>>>> How many sddm pam configuration files are there in /etc/pam.d?
>>>> Which one of those have pam_selinux entries?
>>>>
>>>>>
>>>>>
>>>>> 2017-01-02 13:54 GMT+01:00 Dominick Grift via refpolicy
>>>>> <refpolicy@oss.tresys.com>:
>>>>>> On 01/02/2017 01:38 PM, cgzones via refpolicy wrote:
>>>>>>> Hi list,
>>>>>>> I am trying to write a policy module for sddm (Simple Desktop Display Manager).
>>>>>>> Currently with the patches over here
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0041-tryout-sddm.patch
>>>>>>> https://github.com/cgzones/debian-package-refpolicy/blob/sddm/debian/patches/0043-add-sddm-module.patch
>>>>>>> I am able to login into the correct user contexts and the sddm
>>>>>>> processes have proper contexts:
>>>>>>>
>>>>>>> root@desktopdebian:~# ps -efZ | grep sddm
>>>>>>> system_u:system_r:sddm_t:s0 root 4232 1 0 13:09 ?
>>>>>>> 00:00:00 /usr/bin/sddm
>>>>>>> system_u:system_r:xserver_t:s0 root 4235 4232 1 13:09 tty7
>>>>>>> 00:00:00 /usr/lib/xorg/Xorg -nolisten tcp -auth /var/run/sddm/{7120015c-2718-4b3a-8b24-7b5c7419b120} -background none -noreset -displayfd 18 vt7
>>>>>>> system_u:system_r:sddm_helper_t:s0 root 4250 4232 0 13:09 ?
>>>>>>> 00:00:00 /usr/lib/x86_64-linux-gnu/sddm/sddm-helper --socket /tmp/sddm-authca9ac824-d47a-4c2a-92f3-67191cac2336 --id 2 --start /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze --user sddm --greeter
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4255 4250 1 13:09 ?
>>>>>>> 00:00:00 /usr/bin/sddm-greeter --socket /tmp/sddm-:0-mOnqWf --theme /usr/share/sddm/themes/breeze
>>>>>>> system_u:system_r:sddm_greeter_t:s0 sddm 4267 1 0 13:09 ?
>>>>>>> 00:00:00 dbus-launch --autolaunch b0ac551def43465aa991e56816b44040 --binary-syntax --close-stderr
>>>>>>> system_u:system_r:sddm_dbusd_t:s0 sddm 4268 1 0 13:09 ?
>>>>>>> 00:00:00 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>>>>>> root:sysadm_r:sysadm_t:s0-s0:c0.c1023 root 4321 4300 0 13:10 tty2
>>>>>>> 00:00:00 grep sddm
>>>>>>>
>>>>>>> The problem is the sddm-greeter (sddm_greeter_t) process:
>>>>>>> This process is responsible for the graphic login window and is
>>>>>>> started by sddm-helper (sddm_helper_t).
>>>>>>> But it is not created via fork->exec->setuid/setgid (which can be
>>>>>>> handled by an SELinux process transition), instead it is spawned via
>>>>>>> pam_start (at least I think so).
>>>>>>> So the process gets its context via pam authentication and the SELinux
>>>>>>> user login mapping gets involved.
>>>>>>> That's the reason for this default_contexts entry:
>>>>>>>
>>>>>>> system_r:sddm_helper_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
>>>>>>
>>>>>> I would probably try transitioning to $1_sddm_t
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> system_r:sddm_helper_t user_r:user_sddm_t
>>>>>>
>>>>>> Then from there see where this gets me
>>>>>>
>>>>>> If sddm_helper_t is what sets up the login user's context, then you have
>>>>>> to transition to a domain that can be used to transition to a login
>>>>>> shell domain (hence the prefix in user_sddm_t)
>>>>>>
>>>>>> That should provide some flexibility.
>>>>>>
>>>>>>>
>>>>>>> sddm-helper is also spawning the user processes, so I only get the
>>>>>>> correct sddm-greeter context with the system_r target
>>>>>>> (user_r:sddm_greeter_t would collide with the target context
>>>>>>> user_r:user_t needed for user login).
>>>>>>> To reach the system_r:sddm_greeter_t target, I need to add the SELinux
>>>>>>> login mapping for the user sddm by hand:
>>>>>>> semanage login -a -s system_u sddm
>>>>>>> That's quite cumbersome and leads to the next problem:
>>>>>>> The passwd entry for sddm is: sddm:x:122:130:Simple Desktop Display Manager:/var/lib/sddm:/bin/false
>>>>>>> and so genhomedircon creates home dir contexts for sddm and I must not
>>>>>>> relabel the directory /var/lib/sddm or any parent directory with the
>>>>>>> recursive flag
>>>>>>>
>>>>>>> root@desktopdebian:~# matchpathcon /var/lib/sddm
>>>>>>> /var/lib/sddm system_u:object_r:user_home_dir_t:s0
>>>>>>>
>>>>>>> Am I missing something or can these problems be fixed by reworking my
>>>>>>> patches or are upstream patches needed (sddm / SELinux userland)?
>>>>>>>
>>>>>>> Best regards and many thanks in advance,
>>>>>>> Christian Göttsche
>>>>>>> _______________________________________________
>>>>>>> refpolicy mailing list
>>>>>>> refpolicy@oss.tresys.com
>>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>>>> Dominick Grift
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> refpolicy mailing list
>>>>>> refpolicy@oss.tresys.com
>>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>>>>>
>>>>
>>>>
>>>> --
>>>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>>>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>>>> Dominick Grift
>>>>
>>
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
>>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170103/53960db8/attachment-0001.bin
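The selection step cgzones describes in the quoted message (pam_selinux walking the default_contexts candidates for the calling domain and, with select_default_context=2, taking the second surviving entry instead of the first), written out as an added Python model. This is example code for this page, not refpolicy, libselinux or the attached 0001-pam-fix.patch: libselinux's get_ordered_context_list() asks the kernel which contexts the SELinux user can actually reach and then orders them by default_contexts, whereas here the reachable set comes from two hand-written tables (USER_ROLES, ROLE_TYPES) that are assumptions, not the real policy; the seusers mapping and the staff_u account "admin" are constructed as well. The extra staff_u case shows, in this model, the caveat behind Dominick's "ugly hack" remark: the index counts the candidates that survive filtering for that particular user, so the same select_default_context=2 applied to a staff_u login would yield sysadm_t, not sddm_greeter_t.

```python
"""Model of default_contexts candidate selection for a PAM login service.

Added example for this thread; it is not refpolicy, libselinux or the
attached pam_selinux patch.  It approximates the ordering rule of
/etc/selinux/<policy>/contexts/default_contexts and adds the "take the
N-th surviving candidate" step that select_default_context=N introduces.
"""

# Constructed sample of the default_contexts file.  The first line is the
# entry quoted in the thread; the second is a typical local-login entry.
DEFAULT_CONTEXTS = """\
system_r:sddm_helper_t user_r:user_t user_r:sddm_greeter_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t system_r:sddm_greeter_t
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t
"""

# Assumed seusers mapping: login -> (SELinux user, MLS range).  The sddm
# account has no entry of its own, so it falls back to __default__.
SEUSERS = {
    "__default__": ("user_u", "s0"),
    "root": ("unconfined_u", "s0-s0:c0.c1023"),
    "admin": ("staff_u", "s0-s0:c0.c1023"),   # constructed staff_u login
}

# Assumed policy data standing in for what the kernel would report: which
# roles an SELinux user may hold and which domains a role may contain.
# sddm_greeter_t is reachable from user_r only because the sddm module is
# assumed to declare `role user_r types sddm_greeter_t`.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "unconfined_u": {"unconfined_r"},
}
ROLE_TYPES = {
    "user_r": {"user_t", "sddm_greeter_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t"},
    "unconfined_r": {"unconfined_t"},
}


def parse_default_contexts(text):
    """Return {source 'role:type': [candidate 'role:type', ...]} in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def ordered_context_list(login, fromcon, table):
    """Full contexts `login` may get when spawned from `fromcon`, in file order.

    Only the default_contexts line whose source matches the caller's
    role:type applies, and a candidate survives only if the SELinux user
    may take its role and that role may contain its type.
    """
    seuser, level = SEUSERS.get(login, SEUSERS["__default__"])
    _, from_role, from_type, *_ = fromcon.split(":")
    result = []
    for cand in table.get(f"{from_role}:{from_type}", []):
        role, typ = cand.split(":")
        if role in USER_ROLES.get(seuser, ()) and typ in ROLE_TYPES.get(role, ()):
            result.append(f"{seuser}:{role}:{typ}:{level}")
    return result


def select_default_context(login, fromcon, index=1, table=None):
    """Pick the index-th (1-based) surviving candidate, as select_default_context=N would.

    Returns None when fewer than `index` candidates survive; a login program
    should then refuse the session rather than keep the caller's own context.
    """
    if table is None:
        table = parse_default_contexts(DEFAULT_CONTEXTS)
    ordered = ordered_context_list(login, fromcon, table)
    if index < 1 or index > len(ordered):
        return None
    return ordered[index - 1]


if __name__ == "__main__":
    helper = "system_u:system_r:sddm_helper_t:s0"
    # pam service "sddm-greeter" (select_default_context=2) for the sddm account
    print(select_default_context("sddm", helper, 2))
    # pam service "sddm" (default, first candidate) for an ordinary user
    print(select_default_context("christian", helper, 1))
    # caveat: the index counts surviving candidates, so for a staff_u login
    # the second entry is sysadm_t rather than sddm_greeter_t
    print(select_default_context("admin", helper, 2))
```

Run as a script it prints the greeter context for the sddm account, user_t for an ordinary user, and sysadm_t for the constructed staff_u login; the last line is the reason an index into the candidate list is fragile compared with a dedicated source domain or a per-service default_contexts line.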
end of thread, other threads:[~2017-01-03 15:33 UTC | newest]

Thread overview: 8+ messages (links below jump to the message on this page)
2017-01-02 12:38 [refpolicy] sddm policy help needed cgzones
2017-01-02 12:54 ` Dominick Grift
2017-01-02 20:30   ` cgzones
2017-01-02 20:47     ` Dominick Grift
2017-01-02 21:13       ` cgzones
2017-01-02 21:25         ` Dominick Grift
2017-01-03 14:20           ` cgzones
2017-01-03 15:33             ` Dominick Grift