I'm on an Ubuntu 14.04 derivative, elementary OS Freya.
I have installed and configured SELinux using the selinux-policy-default
package, which contains a lot of modules. I've also added my user to the staff_u
SELinux user:
$ sudo semanage login -l
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u SystemLow-SystemHigh *
naftuli staff_u SystemLow-SystemHigh *
root unconfined_u SystemLow-SystemHigh *
system_u system_u SystemLow-SystemHigh *
For reference, here are the SELinux users:
$ sudo semanage user -l
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
root sysadm SystemLow SystemLow-SystemHigh staff_r sysadm_r system_r
staff_u staff SystemLow SystemLow-SystemHigh staff_r sysadm_r
sysadm_u sysadm SystemLow SystemLow-SystemHigh sysadm_r
system_u user SystemLow SystemLow-SystemHigh system_r
unconfined_u unconfined SystemLow SystemLow-SystemHigh system_r unconfined_r
user_u user SystemLow SystemLow user_r
After I login, I have a strange type, and I find myself in sysadm_r
instead of staff_r
:
$ id -Z
staff_u:sysadm_r:gpg_agent_t:SystemLow
I might be able to explain the gpg_agent_t
, as I have a script in my Xsession.d which starts gpg-agent
, /etc/X11/Xsession.d/90gpg-agent
:
: ${GNUPGHOME=$HOME/.gnupg}
GPGAGENT=/usr/bin/gpg-agent
PID_FILE="$HOME/.gpg-agent-info"
if grep -qs '^[[:space:]]*use-agent' "$GNUPGHOME/gpg.conf" "$GNUPGHOME/options" &&
test -x $GPGAGENT &&
{ test -z "$GPG_AGENT_INFO" || ! $GPGAGENT 2>/dev/null; }; then
if [ -r "$PID_FILE" ]; then
. "$PID_FILE"
fi
# Invoking gpg-agent with no arguments exits successfully if the agent
# is already running as pointed by $GPG_AGENT_INFO
if ! $GPGAGENT 2>/dev/null; then
STARTUP="$GPGAGENT --daemon --enable-ssh-support --sh --write-env-file=$PID_FILE $STARTUP"
fi
fi
However, I can't find out why any graphical shells I open have the gpg_agent_t
type and why they have the sysadm_r
role. In my /etc/sudoers
, I've granted access to be able to transition up to the sysadm_r
with sudo, but I shouldn't have that by default:
naftuli ALL=(ALL:ALL) ROLE=sysadm_r PASSWD: ALL
If I login with a TTY, everything looks great:
staff_u:staff_r:staff_t:SystemLow-SystemHigh
Why is lightdm or gala giving me this strange type and role? How can I fix it?
I know that there's no policy for either lightdm or gala, I might be writing one. I'm trying to get this system into enforcing mode, I'm currently in permissive because X/gala/lightdm crashes as soon as I setenforce 1
.
EDIT: By editing my gpg-agent start script, I'm now logged in as staff_u:sysadm_r:sysadm_t
. Also, my session processes look like this:
system_u:system_r:sysadm_t:s0 root 1875 0.0 0.0 292864 5888 ? SLsl 10:33 0:00 lightdm
system_u:system_r:xserver_t:s0 root 1927 6.3 0.4 396864 74804 tty7 Ssl+ 10:33 12:38 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
system_u:system_r:sysadm_t:s0 root 4699 0.0 0.0 170580 4688 ? Sl 10:33 0:00 lightdm --session-child 12 19
staff_u:sysadm_r:sysadm_t:s0 naftuli 5067 2.0 0.4 974688 75180 ? Sl 10:34 4:08 gala
I think that Gala is doing it wrong. It could be lightdm, which is my login greeter, but I'm not sure. Again, this is Ubuntu so SELinux awareness is not likely.
Best Answer
As this is a really good question, and it was of interest for me I did some searches which ended up being not very helpful. Finally I reached out to
#selinux
on Freenode IRC, and asked how the default selinux role is selected. Luckily the usergrift
could provide the missing pieces of information to answer your question.The main component for setting the selinux context is
pam_selinux.so
which is responsible for setting up the session. The pam module has various configuration options, and can also interactively ask the user for the desired context. In case there is no information during the login, it falls back to use information stored in/etc/selinux/$TYPE/contexts/user/$USERID
if not defined, it uses the__default__
context set incontexts/default_contexts
.As
lightdm
uses the samepam_selinux.so
calls aslogin
orsshd
this should not be the source of the problem.I've shortly tried to get the desired change working in Ubuntu, but had the impression that the selinux policy was messed up at process level. So I've done some tests on Fedora:
switching
system_r:sshd_t:s0
toguest_r:guest_t:s0
workes fine, the selinux user must have the role assigned in order to work. Thesshd
process is running under thesystem_r:sshd_t
domain. When trying to switch the default context forstaff_u
tosysadm_r:sysadm_t|system_r:system_r
the login falls back tostaff_r:staff_t:s0
when just replacing theguest_r:guest_t
part. This is related to the policy forsystem_r:sshd_t
that does not allow a context switch tosystem_r
orsysadm_t
.Setting a non-working combination leads to
unconfined_r:unconfined_t
which is the default type on Fedoratargeted
, asdefault_contexts
containsuser_r:user_t
forsystem_r:sshd_t
but the selinux user had no access to theuser_r
role during the test.Some more details on the topic:
https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Fusers.2F.5Bseuser_id.5D_File
https://selinuxproject.org/page/RefpolicyBasicRoleCreation#Default_Contexts