openSUSE / openSUSEway

dotfiles for Sway on openSUSE
MIT License

Whole sway session doesn't transition from system_u:system_r:xdm_t:s0-s0:c0.c1023 #110

Closed mcepl closed 1 year ago

mcepl commented 1 year ago

We have been trying to understand with @FilippoBonazziSUSE for the past few weeks why sway on my system when started from greetd doesn't transition from its original SELinux context system_u:system_r:xdm_t:s0-s0:c0.c1023. When looking at the output of pstree -uZ I see this ridiculous situation:

 ├─greetd(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │  └─greetd(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │     └─sway-run.sh(matej,`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │        └─sway(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │           └─16*[{sway}(`system_u:system_r:xdm_t:s0-s0:c0.c1023')]

and then the whole sway session (including fetchmail, or even this Firefox in which I am writing this ticket) is in the xdm_t context, which is obviously completely wrong.

Obviously SELinux is unhappy with me (see the output of ausearch -m AVC -ts boot).

When discussing this situation on the greetd IRC channel, @alebastr claimed:

It sounds like your pam config for greetd is missing pam_selinux. That is the module that does transition to the user's security context.

And indeed, when I look at the Fedora greetd package, I see a much more complicated set of *.pam files (starting with the fact that they have two of them).

Shouldn’t we follow their example?
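
To make the pam_selinux point from the IRC quote concrete, here is an added check script. It is not part of openSUSEway, greetd or either distribution's packaging; the two PAM stacks and the ps listing inside it are constructed for illustration (the second stack is written in the style of the Fedora greetd PAM file mentioned above, the first in the style of an "include common-*" stack without pam_selinux). pam_selinux.so is the PAM session module that sets the SELinux context for the user's session: the "close" line resets the context, the "open" line switches the process that will exec the session to the user's context (unconfined_t in the working pstree output). Without it, every process greetd starts keeps inheriting xdm_t, which is exactly what the first pstree above shows.

```sh
#!/bin/sh
# Added example, not code from openSUSEway or greetd.
# Two checks for the situation in this issue:
#   pam_stack_has_selinux   - does a PAM service file (on stdin) carry both
#                             "pam_selinux.so close" and "pam_selinux.so open"
#                             session lines?
#   procs_in_domain DOMAIN  - given `ps -eo label,comm` output on stdin, print
#                             the commands whose SELinux type is DOMAIN.

# Constructed sample: a greetd PAM stack with no pam_selinux at all.
PAM_NO_SELINUX='auth     include  common-auth
account  include  common-account
password include  common-password
session  include  common-session'

# Constructed sample in the style of the Fedora greetd PAM file.
PAM_WITH_SELINUX='auth       substack     system-auth
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
session    include      system-auth'

# Constructed sample of `ps -eo label,comm` on a box showing the bug:
# the whole session under greetd is still xdm_t.
PS_SAMPLE='LABEL                                   COMMAND
system_u:system_r:init_t:s0             systemd
system_u:system_r:xdm_t:s0-s0:c0.c1023  greetd
system_u:system_r:xdm_t:s0-s0:c0.c1023  greetd
system_u:system_r:xdm_t:s0-s0:c0.c1023  sway-run.sh
system_u:system_r:xdm_t:s0-s0:c0.c1023  sway
system_u:system_r:xdm_t:s0-s0:c0.c1023  firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 bash'

# Succeeds only when both the close and the open pam_selinux session lines
# are present (comment lines ignored). The control field may be a single
# word such as "required" or a bracketed expression such as
# "[success=ok default=bad]".
pam_stack_has_selinux() {
    stack=$(grep -Ev '^[[:space:]]*#')
    re='^[[:space:]]*session[[:space:]]+([^[:space:]]+|\[[^]]*\])[[:space:]]+pam_selinux\.so[[:space:]]+'
    printf '%s\n' "$stack" | grep -Eq "${re}close([[:space:]]|$)" &&
    printf '%s\n' "$stack" | grep -Eq "${re}open([[:space:]]|$)"
}

# Print the command name of every process whose label's type field
# (user:role:TYPE:range) equals $1, skipping the ps header line.
procs_in_domain() {
    awk -v dom="$1" 'NR > 1 { split($1, f, ":"); if (f[3] == dom) print $2 }'
}

# Stand-alone demonstration on the constructed samples.
for name in PAM_NO_SELINUX PAM_WITH_SELINUX; do
    eval "stack=\$$name"
    if printf '%s\n' "$stack" | pam_stack_has_selinux; then
        echo "$name: pam_selinux close/open present, session can transition"
    else
        echo "$name: pam_selinux missing, session stays in the greeter's context"
    fi
done
echo "processes still in xdm_t:"
printf '%s\n' "$PS_SAMPLE" | procs_in_domain xdm_t
```

On a live system the same two functions run against the real inputs: `pam_stack_has_selinux < /etc/pam.d/greetd` answers the question raised on IRC, and `ps -eo label,comm | procs_in_domain xdm_t` should list only greetd itself once the session transitions correctly; anything else there is what the AVC denials from `ausearch -m AVC -ts boot` are complaining about.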

FilippoBonazziSUSE commented 1 year ago

For reference, let me add that I have not been able to reproduce the issue either on my development machine (TW / openSUSEway with modifications / SELinux permissive) or on a freshly installed TW / stock openSUSEway / enforcing SELinux VM.

This is what I see on both, as expected:

 ├─greetd(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │  └─greetd(`system_u:system_r:xdm_t:s0-s0:c0.c1023')
 │     └─sway-run.sh(filippo,`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 │        └─sway(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')
 │           └─28*[{sway}(`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023')]

mcepl commented 1 year ago

Actually on the other system (also Tumbleweed) it works as well:

  ├─greetd,`system_u:system_r:xdm_t:s0-s0:c0.c1023'
  │   └─greetd,`system_u:system_r:xdm_t:s0-s0:c0.c1023' --session-worker 12
  │       └─sway-run.sh,`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' /usr/bin/sway-run.sh
  │           └─sway,`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
  │               └─12*[{sway},`unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023']

(edited: whoops, that was other computer over ssh)

FilippoBonazziSUSE commented 1 year ago

Closing this, as the issue cannot be reproduced and the problem system has gone away.