Bug#804565: /etc/pam.d/systemd-user: Please re-add the SELinux bits in the systemd-user pam service
Laurent Bigonville
bigon at debian.org
Mon Nov 9 18:16:29 GMT 2015
On 09/11/15 18:22, Michael Biebl wrote:
> Hi Laurent!
Hello Michael!
> Am 09.11.2015 um 17:54 schrieb Laurent Bigonville:
>> Package: systemd
>> Version: 227-2
>> Severity: normal
>> File: /etc/pam.d/systemd-user
>> Tags: patch
>> User: selinux-devel at lists.alioth.debian.org
>> Usertags: selinux
>>
>> Hi,
>>
>> Could you please re-add the calls to pam_selinux in the systemd-user pam
>> service?
>>
>> I would use something like:
>>
>> @include common-account
>> session required pam_selinux.so close
>> session required pam_selinux.so nottys open
>> @include common-session-noninteractive
>> session optional pam_systemd.so
> Not being well versed in selinux, could you quickly explain, why that is
> needed and what is broken without the entries otherwise?
At the moment, systemd --user (spawned per user) is running in the init_t context
due to the way it's started (the context set on the executable and the
process starting it). This is wrong, and it means that the user could
create (via systemd-run --user) processes running in this context (which is
not confined), which is bad(tm).
The call to pam_selinux is used to make it transition to the correct
context.
It still requires some changes to the policy, but this is the first
step.
Full story: https://bugzilla.redhat.com/show_bug.cgi?id=1262933
Cheers,
Laurent
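As an added example (not part of this bug report, nor code from systemd or Debian): a small POSIX shell check that a PAM service file carries the two pam_selinux session calls Laurent proposes, with "close" before "nottys open" and both before pam_systemd.so, so the user manager and anything it spawns via systemd-run --user get the proper transition instead of staying in init_t. The sample service files are constructed inline; the function name check_selinux_pam and the ordering rule it enforces are this example's own assumptions about what a correct file looks like.

```shell
#!/bin/sh
# Added example, not from the bug report or the systemd package.
# check_selinux_pam FILE: return 0 if FILE has the pam_selinux "close" and
# "... open" session lines in that order, and pam_systemd.so (if present) only
# after the "open" line; otherwise print a reason to stderr and return 1.
check_selinux_pam() {
    f="$1"
    # Number the uncommented "session" lines so their order can be compared.
    lines=$(grep -n '^[[:space:]]*session' "$f" || true)
    close_ln=$(printf '%s\n' "$lines" | grep 'pam_selinux\.so[[:space:]]*close' | head -n 1 | cut -d: -f1)
    open_ln=$(printf '%s\n' "$lines" | grep 'pam_selinux\.so.*open' | head -n 1 | cut -d: -f1)
    systemd_ln=$(printf '%s\n' "$lines" | grep 'pam_systemd\.so' | head -n 1 | cut -d: -f1)
    [ -n "$close_ln" ] || { echo "$f: missing 'pam_selinux.so close'" >&2; return 1; }
    [ -n "$open_ln" ]  || { echo "$f: missing 'pam_selinux.so ... open'" >&2; return 1; }
    [ "$close_ln" -lt "$open_ln" ] || { echo "$f: 'close' must precede 'open'" >&2; return 1; }
    if [ -n "$systemd_ln" ] && [ "$systemd_ln" -lt "$open_ln" ]; then
        echo "$f: pam_systemd.so runs before the SELinux context is set" >&2
        return 1
    fi
    return 0
}

tmp=$(mktemp -d)

# Constructed sample: the service file as proposed in the bug report.
cat > "$tmp/systemd-user.good" <<'EOF'
@include common-account
session required pam_selinux.so close
session required pam_selinux.so nottys open
@include common-session-noninteractive
session optional pam_systemd.so
EOF

# Constructed sample: the stripped file the bug complains about (no pam_selinux).
cat > "$tmp/systemd-user.bad" <<'EOF'
@include common-account
@include common-session-noninteractive
session optional pam_systemd.so
EOF

# Constructed sample: both lines present but pam_systemd.so runs too early.
cat > "$tmp/systemd-user.misordered" <<'EOF'
@include common-account
session optional pam_systemd.so
session required pam_selinux.so close
session required pam_selinux.so nottys open
EOF

for name in good bad misordered; do
    if check_selinux_pam "$tmp/systemd-user.$name"; then
        echo "systemd-user.$name: ok"
    else
        echo "systemd-user.$name: rejected"
    fi
done
```

Run it against the installed file with `check_selinux_pam /etc/pam.d/systemd-user`; on a live SELinux system, `ps -eZ | grep -- '--user'` then shows whether the user manager is still labelled init_t after the change.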