secureworkstation created this revision. secureworkstation added projects: Frameworks, Plasma. Herald added a subscriber: plasma-devel. secureworkstation requested review of this revision.
REVISION SUMMARY This patch is a repurposed patch by Daniel Walsh for gnome-keyring: https://github.com/GNOME/gnome-keyring/commit/2f6a7c049dfffed20e3f78e3f51a8cca8735f2d3 https://github.com/GNOME/gnome-keyring/commit/74fc065e3c3e04a5cd5dfa0e725f7664825a5b1e https://bugzilla.redhat.com/show_bug.cgi?id=684225 In short, for most (if not all) existing users this patch should do nothing: for those without SELinux, for those with SELinux disabled and for those with SELinux enabled in default settings. One would need to construct a policy and no such policy currently exists (but I'm working on one for Fedora and it's not a trivial job). SELinux works on labels given to processes and objects like files. Without this patch, pam_selinux (the PAM module, not this patch) transitions to the default user label which is used to launch kwalletd5 process by pam_kwallet. For me it's suboptimal, because I want to give it a dedicated label to further confine the process for security purposes. KWallet launched by user (not PAM) transitions correctly, it is just the PAM launch that requires special code. Ideally that could be a start to sandbox a lot more of Plasma using SELinux. Tracking bug on fedora-selinux Github on more work on confining Plasma using SELinux: https://github.com/fedora-selinux/selinux-policy-contrib/issues/192 TEST PLAN 1. Make sure it compiles on machines without SELinux [done] 2. Make sure it doesn't break SELinux-disabled installations [help wanted] 3. Make sure it doesn't break vanilla SELinux installations [pending] 4. Make sure it transitions to the correct label if a correct policy is present [done] REPOSITORY R107 KWallet PAM Integration REVISION DETAIL https://phabricator.kde.org/D26979 AFFECTED FILES CMakeLists.txt pam_kwallet.c pam_selinux.c pam_selinux.h To: secureworkstation Cc: plasma-devel, Orage, LeGast00n, The-Feren-OS-Dev, jraleigh, zachus, fbampaloukas, GB_2, ragreen, michaelh, ZrenBot, ngraham, bruns, alexeymin, himcesjf, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, ahiemstra, mart
