fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

SELinux blocking homed #1222

Open alexpattyn opened 2 years ago

alexpattyn commented 2 years ago

See: https://bugzilla.redhat.com/show_bug.cgi?id=2036108

SELinux blocks homed and related programs from working properly. I.e. Setting up the $USER.home directory, etc.

Based on using the SELinux troubleshooter, the following programs need updated policies:

  1. systemd-homed
  2. systemd-homewor
  3. dbus-broker
  4. gdm-session-wor
  5. gdbus
  6. colord

I have the .pp and .te files having gone through this and can prepare a PR. I can confirm that I am not having issues logging in as existing homed users or making new ones even with SELinux back in enforcing mode.
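An added example (not code from this issue or from selinux-policy) of what the troubleshooter's suggestion hides: it parses raw AVC denials for the programs listed above and groups them into candidate allow rules, so each rule can be reviewed against what the daemon actually needs instead of being accepted wholesale. The audit lines and the type names (systemd_homed_t, systemd_homework_t, home_root_t) are constructed for the example and assumed, not taken from a real system.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the issue); type names are assumed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1641234567.123:456): avc:  denied  { read } for  pid=1234 comm="systemd-homed" name="alice.home" dev="dm-0" ino=99 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1641234567.124:457): avc:  denied  { write } for  pid=1234 comm="systemd-homed" name="alice.home" dev="dm-0" ino=99 scontext=system_u:system_r:systemd_homed_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=file permissive=0
type=AVC msg=audit(1641234567.200:458): avc:  denied  { mounton } for  pid=1240 comm="systemd-homewor" path="/home/alice" dev="dm-0" ino=12 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
"""

# One AVC record: permissions in braces, then comm, source/target contexts, class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\w+)(?:.*?permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for non-AVC records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": m.group("scontext").split(":")[2],  # user:role:type:level
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "enforced": m.group("permissive") != "1",  # permissive=1 was logged, not blocked
    }

def summarize(audit_text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "enforced": False})
    for d in filter(None, map(parse_avc, audit_text.splitlines())):
        r = rules[(d["stype"], d["ttype"], d["tclass"])]
        r["perms"] |= d["perms"]
        r["comms"].add(d["comm"])
        r["enforced"] |= d["enforced"]
    return dict(rules)

def render_rules(summary):
    """Emit candidate allow rules, each annotated with what triggered it."""
    out = []
    for (stype, ttype, tclass), r in sorted(summary.items()):
        mode = "blocked" if r["enforced"] else "permissive-only"
        out.append(f"# {', '.join(sorted(r['comms']))} ({mode})")
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(r['perms']))} }};")
    return out
```

Rules marked permissive-only were only logged (the denial did not actually fail anything), which is the distinction to keep in mind when comparing enforcing and permissive behaviour as later comments in this thread do.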

alexpattyn commented 2 years ago

Looks like https://github.com/fedora-selinux/selinux-policy/pull/939 is working on this issue, and I assume doing a better job making proper policies than just accepting whatever the SELinux troubleshooter gave me.

alexpattyn commented 2 years ago

Looks like this may be a little more complicated.

Tried enabling homed on another system, but this time with --storage=luks. Went through all the SELinux troubleshooter prompts, but if I leave SELINUX=enforcing I can't log in. However, if I set it to permissive mode I can log in.

Will take a look at if this has to do with enabling encryption or what.

alexpattyn commented 2 years ago

Should note I modified PAM the same way for both systems. The only difference seems to be LUKS, so it may have to do with issues mounting the loopback file.

dngray commented 2 years ago

Did you have any luck with this? I was wanting to try out systemd-homed on Silverblue.

arturasb commented 1 year ago

> Should note I modified PAM the same way for both systems. Only difference seems to be LUKS, so it may have to do with issues mounting the loop back file.

Hi. Have you found anything regarding this LUKS-related case? I have the same issue: with SELinux in enforcing mode I'm unable to log in to my homed-managed user on LUKS storage (file). All works if SELinux is set to permissive.

richiedaze commented 1 year ago

Your LUKS problem seems to come from your custom SELinux policy. In my custom policy, everything I have tried just works; this includes Silverblue and Kinoite.

arturasb commented 1 year ago

> You luks problem seems to come from your custom selinux policy. In my custom policy, everything I have tried just works, this includes Silverblue and Kinoite.

Maybe I should try your custom policy with regular Fedora Workstation.

mattdm commented 1 year ago

FWIW @richiedaze's custom policy seems to work fine on Fedora Workstation for me.

arturasb commented 1 year ago

> FWIW @richiedaze's custom policy seems to work fine on Fedora Workstation for me.

Same here, it is working on FW37 with SELinux in the enforced mode.

alexpattyn commented 1 year ago

As an update, authselect was updated to enable homed.

So authselect won't cause any issues, but I am still getting issues from SELinux. Now what is the best possible way to upstream @richiedaze's changes and get them reviewed?

alexpattyn commented 1 year ago

Looks like a few people are moving forward with homed on Fedora:

  1. https://discussion.fedoraproject.org/t/building-a-new-home-with-systemd-homed-on-fedora/72690
  2. https://discussion.fedoraproject.org/t/getting-systemd-homed-working-properly-on-fedora-workstation/81004/7

It doesn't seem like an ideal solution for Silverblue however, since it would require layering various SELinux packages to build the homed.pp profile.