On Wed, 2017-01-25 at 19:07 +0100, cgzones wrote:
> The use case is my sddm policy.
> I asked for help with it on the reference policy ML:
> http://oss.tresys.com/pipermail/refpolicy/2017-January/008950.html
>
> The parent process (sddm-helper) spawns over one pam service
> (sddm-greeter) the login gui and over another pam service (sddm) the
> user shells.
> I edited the /etc/pam.d/sddm-greeter file:
> +session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open debug select_default_context=2
> -session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
>
> And with the policy returning:
> root@desktopdebian:/home/christian# compute_user "system_u:system_r:sddm_helper_t:s0" user_u
> user_u:user_r:user_t:s0
> user_u:user_r:sddm_greeter_t:s0
>
> I get the correct contexts for the gui process and the user shells.
> I did not get it working via process transitions based on the
> different entry points (/etc/sddm/Xsession vs /usr/bin/sddm-greeter)

Couldn't you just add an entry to default_contexts like so:

system_r:sddm_helper_t:s0 user_u:user_r:sddm_greeter_t:s0 user_u:user_r:user_t:s0

Then get_ordered_context_list() would return them in that order, and the existing logic would be fine without needing to modify pam_selinux.

_______________________________________________
Selinux mailing list
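The ordering behaviour the reply relies on, as an added example that is not part of the thread and not libselinux's own code: a simplified Python model of how get_ordered_context_list() reorders the contexts the kernel reports as reachable (the compute_user output quoted above) according to a matching default_contexts entry. The sample data is constructed from the values in the thread; the model assumes plain levels such as s0 (no category sets), accepts default_contexts targets with or without a leading user field, and ignores targets the kernel did not report as reachable.

```python
# Added example (not libselinux's code): a simplified model of how
# get_ordered_context_list() uses default_contexts to order the contexts
# that the kernel reports as reachable via security_compute_user().
# Sample data below is constructed from the values quoted in the thread.

# Constructed: what `compute_user "system_u:system_r:sddm_helper_t:s0" user_u`
# returned in the thread. The policy decides what is reachable at all.
REACHABLE = [
    "user_u:user_r:user_t:s0",
    "user_u:user_r:sddm_greeter_t:s0",
]

# Constructed default_contexts text containing the entry proposed in the
# reply. First field: the source role:type:level; the rest: preferred
# targets, most preferred first. Targets are accepted with or without a
# leading user field (the installed file normally omits it).
DEFAULT_CONTEXTS = """\
# source                     preferred targets, in order
system_r:sddm_helper_t:s0    user_u:user_r:sddm_greeter_t:s0 user_u:user_r:user_t:s0
system_r:local_login_t:s0    user_r:user_t:s0
"""


def role_type_level(context):
    """Return the role:type:level portion of a context, dropping a leading
    user field if present. Assumes plain levels such as s0 (category sets
    would add extra colons and need a real context parser)."""
    return ":".join(context.split(":")[-3:])


def parse_default_contexts(text):
    """Map source role:type:level -> list of preferred target role:type:level."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        source, *targets = line.split()
        table.setdefault(source, []).extend(role_type_level(t) for t in targets)
    return table


def ordered_context_list(source_context, reachable, default_contexts_text):
    """Order the kernel's reachable contexts by the matching default_contexts
    entry. Preferred targets come first in the entry's order; reachable
    contexts the entry does not name keep their original relative order
    after them. Targets the kernel did not report are ignored: the policy,
    not the config file, decides what is reachable."""
    prefs = parse_default_contexts(default_contexts_text)
    wanted = prefs.get(role_type_level(source_context), [])
    ordered = []
    for target in wanted:
        for ctx in reachable:
            if role_type_level(ctx) == target and ctx not in ordered:
                ordered.append(ctx)
    ordered.extend(ctx for ctx in reachable if ctx not in ordered)
    return ordered


def default_context(source_context, reachable, default_contexts_text):
    """First entry of the ordered list, i.e. what a caller that does not
    prompt the user would pick."""
    ordered = ordered_context_list(source_context, reachable, default_contexts_text)
    return ordered[0] if ordered else None


if __name__ == "__main__":
    src = "system_u:system_r:sddm_helper_t:s0"
    for ctx in ordered_context_list(src, REACHABLE, DEFAULT_CONTEXTS):
        print(ctx)
    print("default:", default_context(src, REACHABLE, DEFAULT_CONTEXTS))
```

With the proposed entry present, the greeter context is listed first for the sddm_helper_t source, so the default selection changes without touching pam_selinux; for a source with no entry (the second assertion below uses a constructed sshd_t source), the kernel's order is returned unchanged.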