On Thursday, 28 January 2021 10:36:19 PM AEDT Dominick Grift wrote:
> >> In Debian/Unstable (which will soon be frozen and become the next stable
> >> release) the sddm X login program (the one that's generally recommended
> >> and specifically known to generally work well with SE Linux) uses PAM to
> >> start a session for the "greeter" (the program that asks for a password
> >> before a new session is started).
> >>
> >> With the policy currently in Debian that means the sddm user matches
> >> "__default__" and gets unconfined_u:unconfined_r:unconfined_t, not what
> >> is desirable for a program that takes input from unauthenticated users.
> >>
> >> role xdm_r;
> >> role xdm_r types xdm_t;
> >> allow system_r xdm_r;
> >> allow xdm_t xdm_tmpfs_t:file execmod;
> >
> > that looks like a bug or at least bad code

That's a design decision. One could make a convincing argument that it's a
good decision.

> >> corecmd_bin_entry_type(xdm_t)
>
> Also wondering what or which bin_t file or files this applies to and if
> it instead is not possible to give these a private type

/usr/bin/sddm-greeter. Yes, I can give it a private type, might be a good
idea in any case.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
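For reference, this is what "give the greeter a private type" looks like as a
small refpolicy-style module. It is an added illustration written for this
thread, not Russell's policy nor anything from the Debian package: the names
sddm_greeter_t and sddm_greeter_exec_t are assumed, xdm_t and xdm_r are taken
from the thread and are assumed to already be declared by the installed
policy, and the module contents (.te and .fc) are shown in one block
separated by comments.

```selinux
# ---- sddm_greeter.te (constructed example; type names are assumptions) ----
policy_module(sddm_greeter, 1.0.0)

gen_require(`
	type xdm_t;
	role xdm_r;
')

# Private domain for the greeter and a private type for its binary, so the
# greeter no longer runs in xdm_t and xdm_t no longer needs a generic bin_t
# entry point for it.
type sddm_greeter_t;
type sddm_greeter_exec_t;
application_domain(sddm_greeter_t, sddm_greeter_exec_t)
role xdm_r types sddm_greeter_t;

# sddm (xdm_t) executes the greeter binary and transitions into the new
# domain; the greeter, which handles unauthenticated input, gets only the
# permissions added to sddm_greeter_t, not whatever xdm_t has.
domtrans_pattern(xdm_t, sddm_greeter_exec_t, sddm_greeter_t)

# ---- sddm_greeter.fc ----
/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:sddm_greeter_exec_t,s0)
```

Build it with the refpolicy development Makefile, load it with semodule -i
sddm_greeter.pp, then restorecon /usr/bin/sddm-greeter and confirm the
transition is actually in the loaded policy with
sesearch -T -s xdm_t -t sddm_greeter_exec_t -c process. Any further denials
then show up against sddm_greeter_t rather than xdm_t, which is the point.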