[DSE-Dev] Bug#874191: gdm3 started users start in wrong context
Sam Morris
sam at robots.org.uk
Wed Apr 1 11:22:16 BST 2020
Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
Control: -1 + patch
I have fixed this by making the following changes:
1. Patch libselinux with
<https://github.com/SELinuxProject/selinux/commit/1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9>
2. Modify /etc/selinux/default/contexts/users/* by adding the following lines (taken from my Fedora machine)
$ grep init_t /etc/selinux/default/contexts/users
/etc/selinux/default/contexts/users/guest_u:system_r:init_t:s0 guest_r:guest_t:s0
/etc/selinux/default/contexts/users/staff_u:system_r:init_t:s0 staff_r:staff_t:s0
/etc/selinux/default/contexts/users/unconfined_u:system_r:init_t:s0 unconfined_r:unconfined_t:s0
/etc/selinux/default/contexts/users/user_u:system_r:init_t:s0 user_r:user_t:s0
/etc/selinux/default/contexts/users/xguest_u:system_r:init_t:s0 xguest_r:xguest_t:s0
3. Reboot the machine (I don't know why a simple 'loginctl terminate-user $USER' followed by logging in is not sufficient, any ideas?)
As for the purpose of that patch; see
<https://github.com/SELinuxProject/selinux/issues/28>. Note the ERANGE error
when writing to /sys/fs/selinux/user:
$ strace -s 2048 python3 -c 'import selinux; selinux.get_ordered_context_list("unconfined_u", "system_u:system_r:init_t:s0")'
[...]
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=584, ...}) = 0
read(3, "# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded. \nSELINUX=permissive\n# SELINUXTYPE= can take one of these two values:\n# default - equivalent to the old strict and targeted policies\n# mls - Multi-Level Security (for military and educational use)\n# src - Custom policy built from source\nSELINUXTYPE=default\n\n# SETLOCALDEFS= Check local definition changes\nSETLOCALDEFS=0\n", 4096) = 584
read(3, "", 4096) = 0
close(3) = 0
futex(0x7f546b70db40, FUTEX_WAKE_PRIVATE, 2147483647) = 0
access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or directory)
futex(0x7f546b70dbc8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:init_t:s0 unconfined_u", 40) = -1 ERANGE (Numerical result out of range)
close(3) = 0
openat(AT_FDCWD, "/etc/selinux/default/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
close(3) = 0
openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
write(3, "unconfined_u:sysadm_r:sysadm_t:s0\0", 34) = -1 EINVAL (Invalid argument)
close(3)
This matches one of the comments,
"On our experimental Ubuntu 18.04.3 LTS machine running SELinux with
latest official reference policy, we always get pam_selinux.so
complaining “unable to get valid context for gdm” during system
bootup. And we found it is the security_compute_user() hits the 4k
page size bound with error -ERANGE from sel_write_user().
Specifically, we intend to transition from
“system_u:system_r:init_t” to “system_u:system_r:xdm_t” in order to
run the systemd user instance for system user gdm. With some
instruments in the kernel, we realize we need roughly 16k for
complete set of reachable contexts."
and
I believe Fedora has worked around the issue by altering their
policy to restrict outbound transitions from init_t and other
unconfined domains to only legitimate ones.
And indeed, on my Fedora machine the write is successful and is followed
by a read that returns 19 contexts.
So.
Rather than figuring out how Fedora modified refpolicy to make the transitions
fit into a single page, applying the patch above does the job. But refpolicy
must still be modified by adding entries for init_t to the selinux user default
context files as described above (refer to Fedora's versions of these files at
<https://github.com/fedora-selinux/selinux-policy/tree/rawhide/config/appconfig-standard>;
it looks like Fedora are keeping their modifications directly in that repo
rather than as a series of patches to be applied to vanilla refpolicy?)
-- System Information:
Debian Release: 10.3
APT prefers stable-debug
APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.0-1+b1
ii libsemanage1 2.8-2
ii libsepol1 3.0-1
ii policycoreutils 2.8-1
ii selinux-utils 3.0-1+b1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.8-1
ii setools 4.2.0-1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed [not included]
-- no debconf information
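The following is an added example, not code from libselinux or from the report above: it models how the contexts/users/<seuser> and default_contexts files are walked for a given "from" context, and why, when no line matches system_r:init_t, the lookup ends up at the failsafe context seen in the strace. The sample file contents are constructed (the init_t line is the one the report adds; the local_login_t line is an assumed pre-existing entry), and the matching on role and type with the level taken from the "from" context is an approximation of libselinux's behaviour, not its code.

```python
# Added example (not libselinux code): model the config-file side of the
# login-context lookup so an admin can check whether a "from" context such
# as system_u:system_r:init_t:s0 has any entry at all for a SELinux user.
from typing import List

# Constructed sample files. The init_t line is the one the bug report adds
# to contexts/users/unconfined_u; the local_login_t line is an assumed
# pre-existing entry and is not taken from the report.
USERS_UNCONFINED_U_BEFORE = "system_r:local_login_t:s0 unconfined_r:unconfined_t:s0\n"
USERS_UNCONFINED_U_AFTER = (USERS_UNCONFINED_U_BEFORE +
                            "system_r:init_t:s0 unconfined_r:unconfined_t:s0\n")
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0\n"   # content read in the strace above

def split_context(con: str):
    """'system_u:system_r:init_t:s0' -> ('system_u', 'system_r', 'init_t', 's0')."""
    user, role, typ, level = con.split(":", 3)
    return user, role, typ, level

def candidates(seuser: str, fromcon: str, *config_files: str) -> List[str]:
    """Ordered candidate contexts for seuser when coming from fromcon.

    Each config line is 'fromrole:fromtype:lvl torole:totype:lvl ...'.
    A line applies when its fromrole/fromtype equal the role and type of
    fromcon; the level in the line is ignored and fromcon's level is kept
    (an approximation of how libselinux carries the MLS range). Files are
    searched in the order given: contexts/users/<seuser>, then default_contexts.
    """
    _, from_role, from_type, from_level = split_context(fromcon)
    out: List[str] = []
    for text in config_files:
        for line in text.splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue
            head = fields[0].split(":")
            if len(head) < 2 or (head[0], head[1]) != (from_role, from_type):
                continue
            for partial in fields[1:]:           # each 'torole:totype[:lvl]'
                parts = partial.split(":")
                if len(parts) < 2:
                    continue
                full = f"{seuser}:{parts[0]}:{parts[1]}:{from_level}"
                if full not in out:
                    out.append(full)
    return out

def login_context(seuser: str, fromcon: str, failsafe: str, *config_files: str) -> str:
    """First matching candidate, else the failsafe context (as in the strace)."""
    cands = candidates(seuser, fromcon, *config_files)
    if cands:
        return cands[0]
    to_role, to_type = failsafe.strip().split(":")[:2]
    return f"{seuser}:{to_role}:{to_type}:{split_context(fromcon)[3]}"
```

The real library additionally validates each candidate against the running policy (the write to /sys/fs/selinux/context in the strace, which is where the failsafe candidate is rejected with EINVAL); this model stops at the config-file stage so it can run offline.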