Bug#804565: /etc/pam.d/systemd-user: Please re-add the SELinux bits in the systemd-user pam service

Laurent Bigonville bigon at debian.org
Mon Nov 9 18:16:29 GMT 2015


On 09/11/15 18:22, Michael Biebl wrote:
> Hi Laurent!
Hello Michael!

> On 09.11.2015 at 17:54, Laurent Bigonville wrote:
>> Package: systemd
>> Version: 227-2
>> Severity: normal
>> File: /etc/pam.d/systemd-user
>> Tags: patch
>> User: selinux-devel at lists.alioth.debian.org
>> Usertags: selinux
>>
>> Hi,
>>
>> Could you please re-add the calls to pam_selinux in the systemd-user pam
>> service?
>>
>> I would use something like:
>>
>> @include common-account
>> session  required pam_selinux.so close
>> session  required pam_selinux.so nottys open
>> @include common-session-noninteractive
>> session optional pam_systemd.so
> Not being well versed in selinux, could you quickly explain, why that is
> needed and what is broken without the entries otherwise?
ATM, systemd --user (spawned per user) is running in the init_t context
due to the way it's started (the context set on the executable and the
process starting it). This is wrong and this means that the user could
create (via systemd-run --user) processes running in this context (which is
not confined), which is bad(tm).

The call to pam_selinux is used to make it transition to the correct
context.

It still requires some changes to the policy, but still this is the first
step.

Full story: https://bugzilla.redhat.com/show_bug.cgi?id=1262933

Cheers,

Laurent
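As an added check (not part of the bug report or of the systemd package), the following shell script audits a systemd-user PAM service file for the pam_selinux ordering proposed above and flags any per-user manager still running in init_t; the PAM file contents and the ps output it consumes are constructed samples.

```shell
#!/bin/sh
# Added example: verify the pam_selinux fix for /etc/pam.d/systemd-user.

# Return 0 when the PAM file contains a 'pam_selinux.so close' session
# line followed by a 'pam_selinux.so ... open' line, and the open line
# sits before pam_systemd.so (the session stack runs top to bottom, so
# the context must be switched before pam_systemd registers the session).
pam_has_selinux_transition() {
    pam_file="$1"
    close_ln=$(grep -n '^session.*pam_selinux\.so.*close' "$pam_file" | head -n1 | cut -d: -f1)
    open_ln=$(grep -n '^session.*pam_selinux\.so.*open' "$pam_file" | head -n1 | cut -d: -f1)
    systemd_ln=$(grep -n '^session.*pam_systemd\.so' "$pam_file" | head -n1 | cut -d: -f1)
    [ -n "$close_ln" ] && [ -n "$open_ln" ] || return 1
    [ "$close_ln" -lt "$open_ln" ] || return 1
    [ -z "$systemd_ln" ] || [ "$open_ln" -lt "$systemd_ln" ] || return 1
    return 0
}

# Read 'ps -eo label,user,args' output on stdin and print the users whose
# "systemd --user" instance carries an init_t label; exit 1 if any found.
unconfined_user_managers() {
    awk '$3 ~ /\/systemd$/ && $4 == "--user" && $1 ~ /:init_t:/ { print $2; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Stand-alone usage on a live system (assumes procps with SELinux support):
#   pam_has_selinux_transition /etc/pam.d/systemd-user || echo "pam_selinux missing"
#   ps -eo label,user,args | unconfined_user_managers
```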
