On 09/11/15 18:22, Michael Biebl wrote:
Hi Laurent!
Hello Michael!

On 09.11.2015 at 17:54, Laurent Bigonville wrote:
Package: systemd
Version: 227-2
Severity: normal
File: /etc/pam.d/systemd-user
Tags: patch
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,

Could you please re-add the calls to pam_selinux in the systemd-user PAM
service?

I would use something like:

@include common-account
session  required pam_selinux.so close
session  required pam_selinux.so nottys open
@include common-session-noninteractive
session optional pam_systemd.so

Not being well versed in selinux, could you quickly explain why that is
needed and what is broken without the entries otherwise?

ATM, systemd --user (spawned per user) is running in the init_t context due to the way it's started (the context set on the executable and the process starting it). This is wrong and this means that the user could create (via system-run --user) processes running in this context (which is not confined), which is bad(tm).

The call to pam_selinux is used to make it transition to the correct context.

It still requires some changes to the policy but still this is the first step.

Full story: https://bugzilla.redhat.com/show_bug.cgi?id=1262933

Cheers,

Laurent
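
Added example, not part of the original mail or of systemd: a Python check that a PAM service file carries the pam_selinux close/open pair in its session stack, and that flags systemd --user instances still labelled init_t in `ps -eo label,args` output. The function names are hypothetical and the ps sample, including its labels, is constructed.

```python
import re

# The stack proposed in the bug report above.
PROPOSED = """\
@include common-account
session  required pam_selinux.so close
session  required pam_selinux.so nottys open
@include common-session-noninteractive
session optional pam_systemd.so
"""
# Constructed sample of `ps -eo label,args` output (labels are illustrative).
PS_SAMPLE = """\
LABEL                           COMMAND
system_u:system_r:init_t:s0     /sbin/init
system_u:system_r:init_t:s0     /lib/systemd/systemd --user
unconfined_u:unconfined_r:unconfined_t:s0 /lib/systemd/systemd --user
"""

def selinux_session_calls(pam_text):
    """List pam_selinux session entries in file order: 'open', 'close' or 'both'."""
    calls = []
    for raw in pam_text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()                 # drop comments
        if not line or line.startswith("@include"):
            continue
        # type (optional '-' prefix), control (word or [value=action ...]), module, args
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m or m.group(1) != "session":
            continue
        if m.group(3).rsplit("/", 1)[-1] == "pam_selinux.so":
            args = m.group(4).split()
            calls.append("close" if "close" in args else "open" if "open" in args else "both")
    return calls

def has_close_then_open(pam_text):
    """True when the session stack has a 'close' entry followed by an 'open' entry."""
    calls = selinux_session_calls(pam_text)
    return "close" in calls and "open" in calls and calls.index("close") < calls.index("open")

def user_managers_in_init_t(ps_output):
    """Return the ps lines for systemd --user whose SELinux type is init_t."""
    flagged = []
    for line in ps_output.splitlines():
        label, _, args = line.strip().partition(" ")
        fields, argv = label.split(":"), args.split()  # label is user:role:type[:level]
        if (len(fields) >= 3 and fields[2] == "init_t"
                and argv and argv[0].endswith("systemd") and "--user" in argv):
            flagged.append(line.strip())
    return flagged
```

On a live host, pass the contents of /etc/pam.d/systemd-user to `has_close_then_open` and the real ps output to `user_managers_in_init_t`.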
