[DSE-Dev] Bug#874191: Diagnostic and my fix

Ramón García ramon.garcia.f+debian at gmail.com
Wed Jan 3 19:06:00 UTC 2018


Hello, I have found this problem and managed to fix it for myself.

The problem is that systemd user instances, running under init_t type,
are not allowed to make type transitions.

gnome-terminal is started from a systemd user instance.

To increase the logging, it is useful to add the "debug" parameter to
pam_selinux in /etc/pam.d/systemd-user . The diagnostic is in
auth.log:

2018-01-02T15:31:33.228599+01:00 myhost systemd-logind[31422]: New
session 15 of user ramon.
2018-01-02T15:31:33.230309+01:00 myhost systemd:
pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.230770+01:00 myhost systemd:
pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.234173+01:00 myhost systemd:
pam_selinux(systemd-user:session): Username= ramongar SELinux User=
user_u Level= s0-s0
2018-01-02T15:31:33.234771+01:00 myhost systemd:
pam_selinux(systemd-user:session): Unable to get valid context for
ramongar
2018-01-02T15:31:33.234896+01:00 myhost systemd:
pam_selinux(systemd-user:session): conversation failed
2018-01-02T15:31:33.235001+01:00 myhost systemd:
pam_unix(systemd-user:session): session opened for user ramongar by
(uid=0)

The key line is "Unable to get valid context for ramongar".

My fix was to create a policy module "inituser":

-----------------file inituser.te----------------------------------------------------------------
policy_module(inituser, 1.0.0)
require {
        type init_t;
}
## <desc>
## <p>
## Allow systemd user instances to log in as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(inituser_sysadm_login, false)
auth_login_pgm_domain(init_t)

tunable_policy(`inituser_sysadm_login',`
        # Boolean on: let systemd user instances (init_t) transition to
        # every user domain, including sysadm_t, and signal those domains
        userdom_spec_domtrans_all_users(init_t)
        userdom_signal_all_users(init_t)
',`
        # Boolean off (default): only unprivileged user domains
        userdom_spec_domtrans_unpriv_users(init_t)
        userdom_signal_unpriv_users(init_t)
')
------------------------------------------------------------------------------------------------------

Place this file inside the policy reference source directory, create
empty inituser.fc and inituser.if, add it to modules.conf, build the
policies and install:

Perhaps there is some redundancy.

semodule -i inituser.pp


Now in a gnome-terminal the security context is correct:

> id -Z
user_u:user_r:user_t:s0


Hope this helps.
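An added example, not part of the post above: a small parser that scans auth.log lines for the pam_selinux failure the post describes, joining each "Unable to get valid context" line with the preceding "Username= ... SELinux User= ... Level= ..." mapping for the same PAM service and user. The sample log is constructed (the post's wrapped lines joined back into single syslog records, plus an unrelated sshd line) and the service/user names are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample, modelled on the auth.log excerpt in the post.
SAMPLE_LOG = """\
2018-01-02T15:31:33.230309+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.234173+01:00 myhost systemd: pam_selinux(systemd-user:session): Username= ramongar SELinux User= user_u Level= s0-s0
2018-01-02T15:31:33.234771+01:00 myhost systemd: pam_selinux(systemd-user:session): Unable to get valid context for ramongar
2018-01-02T15:31:33.234896+01:00 myhost systemd: pam_selinux(systemd-user:session): conversation failed
2018-01-02T15:40:01.000000+01:00 myhost sshd[1234]: pam_selinux(sshd:session): Username= alice SELinux User= staff_u Level= s0-s0:c0.c1023
"""

# syslog prefix, then the pam_selinux(<service>:session): <message> body
PAM_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): "
    r"pam_selinux\((?P<service>[^:]+):session\): (?P<msg>.*)$"
)
MAP_RE = re.compile(r"Username= (?P<user>\S+) SELinux User= (?P<seuser>\S+) Level= (?P<level>\S+)")
FAIL_RE = re.compile(r"Unable to get valid context for (?P<user>\S+)")


@dataclass
class ContextFailure:
    ts: str
    service: str
    user: str
    seuser: Optional[str]   # SELinux user pam_selinux mapped the login to, if logged
    level: Optional[str]    # MLS/MCS level from the same mapping line, if logged


def find_context_failures(log_text: str) -> List[ContextFailure]:
    """Return one ContextFailure per 'Unable to get valid context' record."""
    mapping = {}  # (service, linux user) -> (seuser, level) from the last mapping line
    failures = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue  # not a pam_selinux session record
        service, msg = m["service"], m["msg"]
        mm = MAP_RE.search(msg)
        fm = FAIL_RE.search(msg)
        if mm:
            mapping[(service, mm["user"])] = (mm["seuser"], mm["level"])
        elif fm:
            seuser, level = mapping.get((service, fm["user"]), (None, None))
            failures.append(ContextFailure(m["ts"], service, fm["user"], seuser, level))
    return failures


if __name__ == "__main__":
    for f in find_context_failures(SAMPLE_LOG):
        print(f"{f.ts} {f.service}: no valid context for {f.user} "
              f"(SELinux user {f.seuser}, level {f.level})")
```

A failure from the systemd-user service with an otherwise valid user mapping points at the init_t transition problem the post fixes, rather than at a bad seusers entry.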
