[DSE-Dev] Bug#874191: gdm3 started users start in wrong context
Sam Morris
sam at robots.org.uk
Mon Mar 30 19:24:36 BST 2020
Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
I realised that the log messages I provided above refer to gdm's systemd
--user instance.
Looking more carefully, on the Fedora system I see:
systemd[1]: Starting User Manager for UID 1673000001...
audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): Open Session
systemd[236830]: pam_selinux(systemd-user:session): Username= sam SELinux User= unconfined_u Level= s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Set executable context: [] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
systemd[236830]: pam_selinux(systemd-user:session): Security Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_selinux(systemd-user:session): Set key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
systemd[236830]: pam_selinux(systemd-user:session): Key Creation Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
systemd[236830]: pam_selinux(systemd-user:session): conversation failed
systemd[236830]: pam_unix(systemd-user:session): session opened for user sam by (uid=0)
audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Note that we have "Username= sam" so we're looking at the right messages
this time! Based on this it looks like the mechanism by which 'systemd
--user' transitions from init_t to unconfined_t is via pam_selinux.so.
By contrast, when logging on to my Debian system:
audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_permit,pam_sss acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[9657]: CRED_ACQ pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=pam_permit acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
systemd[9657]: pam_selinux(systemd-user:session): Open Session
audit[8280]: AVC avc: denied { read } for pid=8280 comm="polkitd" name="userdb" dev="tmpfs" ino=18467 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
audit[8280]: AVC avc: denied { map } for pid=8280 comm="polkitd" path="/etc/passwd" dev="dm-2" ino=133411 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
audit[8280]: AVC avc: denied { connectto } for pid=8280 comm="polkitd" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
systemd[9657]: pam_selinux(systemd-user:session): Username= sam.morris at ad.domain.example SELinux User= unconfined_u Level= s0-s0:c0.c1023
systemd[9657]: pam_selinux(systemd-user:session): Unable to get valid context for sam.morris at ad.domain.example
systemd[9657]: pam_selinux(systemd-user:session): conversation failed
systemd[9657]: pam_unix(systemd-user:session): session opened for user sam.morris at ad.domain.example by (uid=0)
audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
I can reproduce this with the test program at
<https://github.com/yrro/selinux-scratch>:
$ build/se
user=sam.morris at ad.domain.example
seuser=unconfined_u; level=s0-s0:c0.c1023
get_ordered_context_list_with_level: Invalid argument
Perhaps this is expected, since there is no entry for init_t in
/etc/selinux/default/contexts/default_contexts; on the other hand,
adding an entry such as:
system_u:system_r:init_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
... doesn't make a difference. Then again, my Fedora machine doesn't have
an entry for init_t in the default_contexts file either, and:
$ ./se
user=sam
seuser=unconfined_u; level=s0-s0:c0.c1023
1 contexts
[0]: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-- System Information:
Debian Release: 10.3
APT prefers stable-debug
APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default
Versions of packages selinux-policy-default depends on:
ii libselinux1 3.0-1+b1
ii libsemanage1 2.8-2
ii libsepol1 3.0-1
ii policycoreutils 2.8-1
ii selinux-utils 3.0-1+b1
Versions of packages selinux-policy-default recommends:
ii checkpolicy 2.8-1
ii setools 4.2.0-1
Versions of packages selinux-policy-default suggests:
pn logcheck <none>
pn syslog-summary <none>
-- no debconf information
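The two audit excerpts above differ in one record: on Fedora a USER_ROLE_CHANGE record (emitted by pam_selinux) precedes USER_START for the same pid, on Debian it never appears. The following is an added example, not the reporter's `se` test program nor any Debian or Fedora tooling: a small parser for the kernel audit key=value format shown in the report, plus a check that flags any PAM session opened with pam_selinux among its grantors for which no USER_ROLE_CHANGE was recorded. The sample logs are constructed from the lines quoted above (abridged); the function names are the example's own.

```python
import re

# Added example; not code from the bug report or from systemd/libselinux.
# Parses audit records of the form shown in the report:
#   audit[PID]: TYPE key=value ... msg='nested key=value ...'
# and checks whether a systemd --user PAM session got a context from pam_selinux.

UNSET_AUID = 4294967295  # kernel sentinel for "no login uid assigned" (-1 as u32)

_REC_RE = re.compile(r"^audit\[(\d+)\]:\s+(\w+)\s+(.*)$")
# key=value where value is 'single quoted', "double quoted" or a bare token
_KV_RE = re.compile(r"""(\S+?)=('[^']*'|"[^"]*"|\S+)""")

# Constructed sample logs, abridged from the report's Fedora and Debian excerpts.
FEDORA_LOG = """\
audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

DEBIAN_LOG = """\
audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_permit,pam_sss acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
audit[8280]: AVC avc: denied { connectto } for pid=8280 comm="polkitd" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""


def _unquote(value):
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_record(line):
    """Parse one audit line into a flat dict (None if it is not an audit record).
    Nested key=value pairs inside msg='...' are merged into the same dict."""
    m = _REC_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(2)}
    for key, value in _KV_RE.findall(m.group(3)):
        rec[key] = _unquote(value)
    msg = rec.pop("msg", None)
    if msg is not None:
        for key, value in _KV_RE.findall(msg):
            rec[key] = _unquote(value)
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    if "auid" in rec:
        auid = int(rec["auid"])
        rec["auid"] = None if auid == UNSET_AUID else auid
    return rec


def session_transitions(log):
    """For every USER_START record, report the session's account, the caller's
    context (subj), whether pam_selinux was a grantor, and the context selected
    by the USER_ROLE_CHANGE record with the same pid, or None if there was none."""
    selected_by_pid = {}
    starts = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "USER_ROLE_CHANGE":
            selected_by_pid[rec["pid"]] = rec.get("selected-context")
        elif rec["type"] == "USER_START":
            starts.append(rec)
    return [
        {
            "pid": rec["pid"],
            "acct": rec.get("acct"),
            "subj": rec.get("subj"),
            "pam_selinux": "pam_selinux" in rec.get("grantors", "").split(","),
            "selected_context": selected_by_pid.get(rec["pid"]),
        }
        for rec in starts
    ]


def untransitioned_sessions(log):
    """Accounts whose session ran pam_selinux but recorded no selected context,
    i.e. the session most likely stayed in the caller's context (init_t here)."""
    return [
        s["acct"] for s in session_transitions(log)
        if s["pam_selinux"] and s["selected_context"] is None
    ]


if __name__ == "__main__":
    for name, log in (("fedora", FEDORA_LOG), ("debian", DEBIAN_LOG)):
        print(name, session_transitions(log), untransitioned_sessions(log))
```

The check is deliberately audit-only: the "Unable to get valid context" line in the Debian excerpt comes from pam_selinux via syslog, not from the audit subsystem, so a detection keyed on USER_ROLE_CHANGE being absent after a USER_START that lists pam_selinux works on hosts where only the audit log is collected. Run under `ausearch -m USER_START,USER_ROLE_CHANGE` output or journal lines in the same format; records for other pids (the polkitd AVC here) are parsed but ignored.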