[DSE-Dev] Bug#874191: gdm3 started users start in wrong context

Sam Morris sam at robots.org.uk
Mon Mar 30 19:24:36 BST 2020


Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191

I realised that the log messages I provided above refer to gdm's systemd
--user instance.

Looking more carefully, on the Fedora system I see:

    systemd[1]: Starting User Manager for UID 1673000001...
    audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[236830]: pam_selinux(systemd-user:session): Open Session
    systemd[236830]: pam_selinux(systemd-user:session): Username= sam SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[236830]: pam_selinux(systemd-user:session): Set executable context: [] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
    systemd[236830]: pam_selinux(systemd-user:session): Security Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[236830]: pam_selinux(systemd-user:session): conversation failed
    systemd[236830]: pam_selinux(systemd-user:session): Set key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    systemd[236830]: pam_selinux(systemd-user:session): Key Creation Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    systemd[236830]: pam_selinux(systemd-user:session): conversation failed
    systemd[236830]: pam_unix(systemd-user:session): session opened for user sam by (uid=0)
    audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Note that we have "Username= sam" so we're looking at the right messages
this time! Based on this it looks like the mechanism by which 'systemd
--user' transitions from init_t to unconfined_t is via pam_selinux.so.

By contrast, when logging on to my Debian system:

    audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_permit,pam_sss acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    audit[9657]: CRED_ACQ pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=pam_permit acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[9657]: pam_selinux(systemd-user:session): Open Session
    audit[8280]: AVC avc:  denied  { read } for  pid=8280 comm="polkitd" name="userdb" dev="tmpfs" ino=18467 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
    audit[8280]: AVC avc:  denied  { map } for  pid=8280 comm="polkitd" path="/etc/passwd" dev="dm-2" ino=133411 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    audit[8280]: AVC avc:  denied  { connectto } for  pid=8280 comm="polkitd" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
    systemd[9657]: pam_selinux(systemd-user:session): Username= sam.morris at ad.domain.example SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[9657]: pam_selinux(systemd-user:session): Unable to get valid context for sam.morris at ad.domain.example
    systemd[9657]: pam_selinux(systemd-user:session): conversation failed
    systemd[9657]: pam_unix(systemd-user:session): session opened for user sam.morris at ad.domain.example by (uid=0)
    audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd acct="sam.morris at ad.domain.example" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I can reproduce this with the test program at
<https://github.com/yrro/selinux-scratch>:

    $ build/se
    user=sam.morris at ad.domain.example
    seuser=unconfined_u; level=s0-s0:c0.c1023
    get_ordered_context_list_with_level: Invalid argument

Perhaps this is expected, since there is no entry for init_t in
/etc/selinux/default/contexts/default_contexts; on the other hand,
adding an entry such as:

    system_u:system_r:init_t:s0     user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

... doesn't make a difference. On the other hand, my Fedora machine
doesn't have an entry for init_t in the default_contexts file, and:

    $ ./se
    user=sam
    seuser=unconfined_u; level=s0-s0:c0.c1023
    1 contexts
    [0]: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        3.0-1
ii  policycoreutils  2.8-1
ii  selinux-utils    3.0-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
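As an added example (my code, not libselinux and not the selinux-scratch test program linked above), here is a Python model of the default_contexts lookup that sits behind get_ordered_context_list_with_level(), the call pam_selinux makes to pick a session context: the level returned by getseuserbyname() is written into the caller's context, the file is searched for a line keyed on the caller's role and type, and that line orders the contexts the kernel reports as reachable for the SELinux user. Two points are assumptions rather than facts from the page: that a key is compared on role and type only (so the sample entries are keyed `system_r:init_t:s0`, and the line as posted, with a `system_u:` prefix, matches nothing in this model), and that a missing line is non-fatal and leaves the kernel's list in kernel order, which fits the Fedora run above returning one context without an init_t entry. The policy lines and the reachable lists are constructed sample data, not output from any real system.

```python
"""Added example, not libselinux and not the selinux-scratch test program:
a Python model of the default_contexts lookup behind
get_ordered_context_list_with_level(), the call pam_selinux makes to pick a
session context.  Policy lines and reachable lists are constructed data."""
import errno
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed excerpt in the style of a Fedora default_contexts file; like the
# poster's Fedora box it has no line keyed on init_t.
FEDORA_DEFAULT_CONTEXTS = """\
# from-context (role:type:level)  preferred contexts, most preferred first
system_r:crond_t:s0        user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0  user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
"""
# The line the post added to the Debian file, as posted (user field included).
POSTED_INIT_LINE = ("system_u:system_r:init_t:s0     user_r:user_t:s0 "
                    "staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0\n")
# The same line keyed like the other entries (role:type:level).
ROLE_TYPE_INIT_LINE = POSTED_INIT_LINE[len("system_u:"):]
# Constructed stand-in for the kernel's security_compute_user() answer: the
# contexts a SELinux user may take when entered from the caller's context.
REACHABLE: Dict[str, List[str]] = {
    "unconfined_u": ["unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"],
    "staff_u": ["staff_u:sysadm_r:sysadm_t:s0", "staff_u:staff_r:staff_t:s0",
                "staff_u:user_r:user_t:s0"],
}


def split_context(con: str) -> Tuple[str, str, str, Optional[str]]:
    """Split user:role:type[:range]; an MLS/MCS range may itself contain ':'."""
    parts = con.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(errno.EINVAL, f"malformed context {con!r}")
    return parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None


def set_level(fromcon: str, level: str) -> str:
    """First step of get_ordered_context_list_with_level(): the range of the
    caller's context is replaced by the level getseuserbyname() returned."""
    user, role, type_, _ = split_context(fromcon)
    return f"{user}:{role}:{type_}:{level}"


def find_line(default_contexts: str, fromcon: str) -> Optional[List[str]]:
    """Return the preferred partial contexts of the line whose key has the
    caller's role and type, or None when there is no such line.  Assumption:
    only role and type are compared, so a key carrying a user field (as in
    POSTED_INIT_LINE) matches nothing."""
    _, fromrole, fromtype, _ = split_context(fromcon)
    for raw in default_contexts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *partials = line.split()
        fields = key.split(":")
        if len(fields) >= 2 and (fields[0], fields[1]) == (fromrole, fromtype):
            return partials
    return None


def _matches(partial: str, con: str) -> bool:
    """Does a partial context (role:type[:level]) describe `con`?  The user
    field of `con` is dropped and the rest compared on field boundaries, so
    user_r:user_t:s0 covers ...:user_r:user_t:s0-s0:c0.c1023 but not
    user_r:user_type_t:s0 (assumption about the exact libselinux comparison)."""
    rest = con.split(":", 1)[1]
    if not rest.startswith(partial):
        return False
    tail = rest[len(partial):]
    return tail == "" or tail[0] in ":-"


def order_reachable(default_contexts: str, fromcon: str,
                    reachable: Sequence[str]) -> List[str]:
    """Order the kernel's reachable contexts by the matching line: contexts the
    line names first, in the line's order, then the rest in kernel order.
    Assumption: a missing line is not an error and leaves the list unchanged,
    which fits the Fedora run in the post (one context, no init_t entry)."""
    partials = find_line(default_contexts, fromcon)
    if partials is None:
        return list(reachable)
    ordered: List[str] = []
    for partial in partials:
        ordered += [c for c in reachable if _matches(partial, c) and c not in ordered]
    return ordered + [c for c in reachable if c not in ordered]


def select_context(default_contexts: str, fromcon: str, level: str,
                   reachable: Sequence[str]) -> Optional[str]:
    """What pam_selinux needs in the end: the first ordered context, or None
    when nothing is reachable (its "Unable to get valid context" path)."""
    ordered = order_reachable(default_contexts, set_level(fromcon, level), reachable)
    return ordered[0] if ordered else None


if __name__ == "__main__":
    # Mirror the poster's test program: systemd --user is spawned from init_t.
    fromcon, seuser, level = "system_u:system_r:init_t:s0", "unconfined_u", "s0-s0:c0.c1023"
    print(f"seuser={seuser}; level={level}")
    ordered = order_reachable(FEDORA_DEFAULT_CONTEXTS, set_level(fromcon, level), REACHABLE[seuser])
    print(f"{len(ordered)} contexts")
    for i, con in enumerate(ordered):
        print(f"[{i}]: {con}")
```

In this model a missing default_contexts line only means "keep the kernel's order", so the model cannot account for the "Invalid argument" the Debian run shows; if libselinux behaves the same way, that error is raised before the ordering step (the caller's context, the level being applied to it, or the kernel's reachable-context computation), which is where the test program's next bisection would go.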
