Re: rbacsep: collapsing xserver

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 29, 2008 at 8:04 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx> wrote:
> Daniel J Walsh wrote:
>>
>> Xavier Toth wrote:
>>
>>>
>>> On Wed, May 28, 2008 at 1:59 PM, Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
>>> wrote:
>>>
>>>>
>>>> Christopher J. PeBenito wrote:
>>>>
>>>>>
>>>>> On Wed, 2008-05-28 at 11:42 -0500, Joe Nall wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> On Wed, May 28, 2008 at 11:02 AM, Christopher J. PeBenito
>>>>>> <cpebenito@xxxxxxxxxx> wrote:
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Wed, 2008-05-28 at 10:16 -0500, Joe Nall wrote:
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, May 28, 2008 at 9:38 AM, Christopher J. PeBenito
>>>>>>>> <cpebenito@xxxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>> I've got to the point where I am collapsing the derived types in
>>>>>>>>> the
>>>>>>>>> xserver module.  It would be nice to collapse all of the X server
>>>>>>>>> domains into xserver_t, but we have xdm_xserver_t which has
>>>>>>>>> permissions
>>>>>>>>> greater than user_xserver_t, staff_server_t, etc.  However, just
>>>>>>>>> about
>>>>>>>>> everyone runs their xserver in xdm_xserver_t due to logging in via
>>>>>>>>> xdm.
>>>>>>>>> Thoughts on collapsing all of the xservers anyway?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Why is the way the xserver gets launched important once it is
>>>>>>>> running?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> If you log into the console and run startx, your xserver is
>>>>>>> user_xserver_t, staff_xserver_t, etc.  If you log in via a display
>>>>>>> manager, your xserver is xdm_xserver_t, since the server is started
>>>>>>> by
>>>>>>> xdm before a user logs in.  So you lose separation if you log in via
>>>>>>> xdm.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Understood.
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> There have been suggestions about either restarting the xserver or
>>>>>>> dyntransitioning it to the correct context after logging in, but
>>>>>>> nothing
>>>>>>> materialized on that.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Does that change when X is an object manager?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> No.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Poorly worded question. _Should_ that change when X is a object
>>>>>> manager?
>>>>>>
>>>>>>
>>>>>
>>>>> We would certainly prefer that each role always has their derived type
>>>>> xserver (or role is set on xserver, if rbacsep succeeds), regardless if
>>>>> its an object manager or not.
>>>>>
>>>>>
>>>>
>>>> I have always disliked xdm_xserver_t and its associated policy
>>>> shenanigans
>>>> (what if someone creates a role named "xdm"?)
>>>>
>>>> The problem has always been the display manager behavior described
>>>> above.
>>>>  However this can be solved in at least three ways: 1) Restart the X
>>>> server
>>>> after the user logs in.  2) Have the X server setcon itself to the new
>>>> context.  3) Multi-user switching where xdm stays up all the time and
>>>> users
>>>> get new X servers on different consoles.
>>>>
>>>> The easiest solution for me to work on is 2) because I don't have to
>>>> touch
>>>> the GDM code.  I'd like to see rbacsep succeed though.
>>>>
>>>>
>>>>>>
>>>>>> What is the driver for the derived types? User preference files in
>>>>>> their home directory?
>>>>>>
>>>>>>
>>>>
>>>> There's some argument to be made that the X server is part of the user's
>>>> session.  For example, in mulit-user switching there is more than one
>>>> server
>>>> running, one for each user.
>>>>
>>>> If rbacsep succeeds then the derived types will go away regardless.
>>>>
>>>>
>>>>>>>>
>>>>>>>> On a related topic, what is the type enforcement strategy for window
>>>>>>>> managers?
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> They currently run in the user's context.  The basic templates in the
>>>>>>> policy should still allow for separations.  The policy for X objects
>>>>>>> is
>>>>>>> still immature, so I'm definitely open to suggestions.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> I did some brief experiments with the X server in MLS enforcing mode a
>>>>>> while back and it looked like a separate type would be required to
>>>>>> avoid giving the user silly levels of privilege. I'll try to get back
>>>>>> to those experiments next week.
>>>>>>
>>>>>>
>>>>
>>>> The window manager must have full access to all windows on the screens
>>>> that
>>>> it's managing.  In non-MLS this means at least full privileges on the
>>>> role
>>>> and probably for other roles too, if you're going to be popping up
>>>> sysadm
>>>> windows.  In MLS this means access across all levels, there's really no
>>>> way
>>>> around this.
>>>>
>>>>
>>>>
>>>>>>
>>>>>> Any opinions on spitting the display manager (gdm/xdm) policy out of
>>>>>> the xserver policy? The current xserver policy is quite a bit bigger
>>>>>> than apache and several times the average policy size (te + if).
>>>>>>
>>>>>>
>>>>>
>>>>> You can blame me for that.  The xdm policy used to be separate before
>>>>> refpolicy, but it was so intertwined with the xserver policy that there
>>>>> wasn't a sane way to write the policies separately and still keep the
>>>>> refpolicy encapsulation.  If we collapse all xservers into xserver_t,
>>>>> it
>>>>> may be possible to separate xdm again.  If not, xdm will be put into a
>>>>> tunable when we get real tunable support in the compiler.
>>>>>
>>>>>
>>>>
>>>> --
>>>> Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
>>>> National Security Agency
>>>>
>>>>
>>>> --
>>>> This message was distributed to subscribers of the selinux mailing list.
>>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>>>> with
>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>
>>>>
>>>
>>> From http://www.gnome.org/projects/gdm/docs/2.20/overview.html:
>>>
>>> "On Solaris, GDM (since version 2.8.0.3) uses the SDTLOGIN interface
>>> after user authentication to tell the X server to be restarted as the
>>> user instead of as root for added security. When the user's session
>>> exits, the GDM daemon will run the PostSession script as root."
>>>
>>> Couldn't we utilize the same functionality on Fedora?
>>>
>
> I've got no problem with doing something like this.  I've already written
> support for communicating with the X server from pam_selinux.so to set up
> the user's device labels, so it could also tell the server to setcon itself.
>  That work has stalled because of dependency issues (pam depending on
> libxcb), getting PAM_XAUTH_DATA support into gdm, and waiting for the next
> release of libxcb.  But, I can pick up work on it once I finish the X Python
> stuff.
>
> With regards to SDTLOGIN, it doesn't look like it restarts the server, only
> causes it to drop privileges; see
> http://osdir.com/ml/gnome.gdm.general/2007-10/msg00080.html dated Oct 2007.
>  The current gdm upstream seems to have dropped support for it.  I did some
> grepping in the gdm source and couldn't find anything.  It's probably a
> temporary result of the gdm rewrite.
>

Yes, I think Brian mentioned that the server is not actually restarted
but rather does a setuid/setgid because of the need to be root during
some portion of the X sever initialization. Hopefully it won't be too
much trouble to add a setcon too. One question about this is what will
happen with audit once the X server transition user and context?

>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>>> with
>>> the words "unsubscribe selinux" without quotes as the message.
>>>
>>
>> Probably better asked on the Fedora List.
>>
>>
>
> --
> Eamon Walsh <ewalsh@xxxxxxxxxxxxx>
> National Security Agency
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux