Bug#874191: gdm3 started users start in wrong context


Bug#874191: gdm3 started users start in wrong context

Harlan Lieberman-Berg-4
Package: selinux-policy-default
Version: 2:2.20161023.1-9
Severity: serious

Hello maintainers,

It seems that shells started via Gnome start with the wrong context.
Logging in from a console shell gives me an id of
unconfined_u:unconfined_r:unconfined_t:s0-s0, whereas terminals opened
inside Gnome give me a context of system_u:system_r:initrc_t:s0.

Sincerely,

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.12.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.6-3+b2
ii  libsemanage1     2.6-2+b1
ii  libsepol1        2.6-2
ii  policycoreutils  2.6-3
ii  selinux-utils    2.6-3+b2

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.6-2
ii  setools      4.0.1-6+b1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information


Bug#874191: might be a duplicate

Russell Coker
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=874201

Yesterday I was investigating an issue that might be related and I just filed
the above bug report.  Please investigate whether that might be the cause.

# ps axZ|grep sddm
system_u:system_r:xdm_t:s0-s0:c0.c1023 963 ?   Ssl    0:00 /usr/bin/sddm

Run "ps axZ|grep gdm3" to see the context, the output should be something like
the above if all goes well (xdm_t is the relevant part).

# ls -lZ /usr/bin/sddm
-rwxr-xr-x. 1 root root system_u:object_r:xdm_exec_t:s0 475968 Mar 14 19:50 /usr/bin/sddm

Also run "ls -lZ" on the binary to see if it has the right context, the output
should be something like the above, xdm_exec_t is the relevant part.

If those checks pass then run the systemctl command suggested in #874201 and
restart gdm3 to see if it gets the right context.

PS  I gave up on gdm3 last time due to some other issues.  Is there a gdm3
specific feature you really need?  If you want to improve Debian then
debugging this is a good thing to do, if you just want a working system then
sddm might be a better choice.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


Bug#874191: might be a duplicate

Russell Coker
In reply to this post by Harlan Lieberman-Berg-4
On Thursday, 7 September 2017 8:06:12 PM AEST Harlan Lieberman-Berg wrote:
> Hm.  Looking more, you may be right.  What's odd is that some binaries
> that are (presumably) being launched by Gnome are being correctly
> given the right context; for example, gdm and X are running as
> system_u:system_r:xdm_t:s0-s0:c0.c1023.  evolution-calendar, though,
> is system_u:system_r:init_t:s0.  And yet other things that are
> probably also part of my user session are
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

gdm has the correct domain.  Maybe pam is not configured correctly.  Below is
/etc/pam.d/sddm from one of my systems, try making your gdm pam configuration
more like this and see if things work correctly.

#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other
# modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale


--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


Bug#874191: gdm3 started users start in wrong context

Laurent Bigonville-5
In reply to this post by Harlan Lieberman-Berg-4
On Sun, 03 Sep 2017 18:02:30 -0400 Harlan Lieberman-Berg
<[hidden email]> wrote:

 > Hello maintainers,

Hello,

 >
 > It seems that shells started via Gnome start with the wrong context.
 > Logging in from a console shell gives me an id of
 > unconfined_u:unconfined_r:unconfined_t:s0-s0, whereas terminals opened
 > inside Gnome give me a context of system_u:system_r:initrc_t:s0.

How are you checking the context? With gnome-terminal? Could you please
test with xterm (or another terminal emulator) as well?

If I'm correct, the problem only exists for processes started by
dbus/systemd user session.

In /etc/selinux/default/contexts/users/unconfined_u, could you please
add the following line and try again?

system_r:init_t:s0              unconfined_r:unconfined_t:s0

Regards,

Laurent Bigonville


Bug#874191: not fixing for stretch

Russell Coker
In reply to this post by Harlan Lieberman-Berg-4
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850116

Due to the above issue I'm not going to fix this for stretch.  I'm about to
make a policy upload for unstable that will be the basis of a proposed update
to stretch to fix a number of issues.  After I get that resolved I will upload
the new upstream policy to unstable and then work on getting gdm3 operating
correctly in unstable.

For stretch sddm is the option I recommend.

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


Bug#874191: Diagnostic and my fix

Ramón García
In reply to this post by Harlan Lieberman-Berg-4
Hello, I have found this problem and managed to fix it for myself.

The problem is that systemd user instances, running under init_t type,
are not allowed to make type transitions.

gnome-terminal is started from a systemd user instance.

To increase logging, it is useful to add the "debug" parameter to
pam_selinux in /etc/pam.d/systemd-user. The diagnostic is in
auth.log:

2018-01-02T15:31:33.228599+01:00 myhost systemd-logind[31422]: New session 15 of user ramon.
2018-01-02T15:31:33.230309+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.230770+01:00 myhost systemd: pam_selinux(systemd-user:session): Open Session
2018-01-02T15:31:33.234173+01:00 myhost systemd: pam_selinux(systemd-user:session): Username= ramongar SELinux User= user_u Level= s0-s0
2018-01-02T15:31:33.234771+01:00 myhost systemd: pam_selinux(systemd-user:session): Unable to get valid context for ramongar
2018-01-02T15:31:33.234896+01:00 myhost systemd: pam_selinux(systemd-user:session): conversation failed
2018-01-02T15:31:33.235001+01:00 myhost systemd: pam_unix(systemd-user:session): session opened for user ramongar by (uid=0)

The key is "Unable to get valid context for ramongar"

My fix was to create a policy module "inituser"

-----------------file inituser.te----------------------------------------------------------------
policy_module(inituser, 1.0.0)
require {
        type init_t;
}
## <desc>
## <p>
## Allow systemd user instances  as sysadm_r:sysadm_t
## </p>
## </desc>
gen_tunable(inituser_sysadm_login, false)
auth_login_pgm_domain(init_t)

tunable_policy(`inituser_sysadm_login',`
        # Relabel and access ptys created by sshd
        # ioctl is necessary for logout() processing for utmp entry and for w to
        # display the tty.
        # some versions of sshd on the new SE Linux require setattr
        userdom_spec_domtrans_all_users(init_t)
        userdom_signal_all_users(init_t)
',`
        userdom_spec_domtrans_unpriv_users(init_t)
        userdom_signal_unpriv_users(init_t)
')
------------------------------------------------------------------------------------------------------

place this file inside the policy reference source directory, create
empty inituser.fc and inituser.if, add to modules.conf, build policies
and install.

Perhaps there is some redundancy.

semodule -i inituser.pp


Now in a gnome-terminal the security context is correct:

> id -Z
user_u:user_r:user_t:s0


Hope this helps.


Bug#874191: Correction

Ramón García
In reply to this post by Harlan Lieberman-Berg-4
I was wrong.

After rebooting, gnome-terminal was still under
system_u:system_r:initrc_t context.

The fix was to edit /etc/selinux/[selinux config]/contexts/default_contexts:
copy the line for system_r:sshd_t and replace sshd_t with init_t.

pam_selinux can't find a correct context because there is no context
available for going from init_t to the new user.
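Both proposed fixes in this thread (Laurent's extra line in contexts/users/unconfined_u, and the init_t line copied from the sshd_t entry of default_contexts) work on the same lookup: pam_selinux asks libselinux for the candidate contexts listed for the calling process's role:type, and takes the first one whose role the SELinux user is allowed to have. The following is an added example and not code from the bug report, from pam_selinux or from libselinux; it is a simplified model of that lookup (it matches on the caller's role:type only, ignores MLS level matching, and takes the set of allowed roles from a constructed table rather than from `semanage user -l`). The contexts files, the user-to-role table and the function names are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Constructed file in the format of /etc/selinux/<policy>/contexts/default_contexts.
# Each line: "<caller role>:<caller type>:<level>" followed by the candidate
# "role:type:level" contexts for the new session, most preferred first.
# This version has no system_r:init_t line, which is the situation the thread describes.
DEFAULT_CONTEXTS_BEFORE = """\
# caller                    candidates for the new session
system_r:sshd_t:s0          user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0           user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:local_login_t:s0   user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
"""

# Per-user override in the form Laurent suggests for contexts/users/unconfined_u (constructed).
USER_FILE_UNCONFINED = "system_r:init_t:s0              unconfined_r:unconfined_t:s0\n"

# Roles each SELinux user may take. Constructed stand-in for the policy's user definitions.
USER_ROLES: Dict[str, Set[str]] = {
    "unconfined_u": {"unconfined_r"},
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
}


def parse_contexts(text: str) -> Dict[str, List[str]]:
    """Map "role:type" of the caller to its ordered candidate list (level in the key is ignored)."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *candidates = line.split()
        role_type = ":".join(key.split(":")[:2])
        table.setdefault(role_type, []).extend(candidates)
    return table


def copy_caller_line(contexts_text: str, template_type: str, new_type: str) -> str:
    """Ramón's edit: append a copy of the system_r:<template_type> line keyed on system_r:<new_type>."""
    for line in contexts_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(f"system_r:{template_type}:"):
            new_line = line.replace(f"system_r:{template_type}:", f"system_r:{new_type}:", 1)
            return contexts_text + new_line + "\n"
    raise ValueError(f"no line for system_r:{template_type} in contexts file")


def resolve_session_context(caller_ctx: str, seuser: str, level: str,
                            default_contexts: str, user_file: str = "") -> Optional[str]:
    """Pick the context a new session for `seuser` gets when opened from caller_ctx.

    The per-user file is consulted before default_contexts. Returns "seuser:role:type:level",
    or None, which is the case pam_selinux logs as "Unable to get valid context for <user>".
    """
    _, role, typ, _ = caller_ctx.split(":", 3)
    key = f"{role}:{typ}"
    allowed = USER_ROLES.get(seuser, set())
    for table in (parse_contexts(user_file), parse_contexts(default_contexts)):
        for candidate in table.get(key, []):
            crole, ctype, _ = candidate.split(":", 2)
            if crole in allowed:
                return f"{seuser}:{crole}:{ctype}:{level}"
    return None


if __name__ == "__main__":
    caller = "system_u:system_r:init_t:s0"  # the systemd --user instance
    after = copy_caller_line(DEFAULT_CONTEXTS_BEFORE, "sshd_t", "init_t")
    print("without init_t line:", resolve_session_context(caller, "unconfined_u", "s0-s0:c0.c1023", DEFAULT_CONTEXTS_BEFORE))
    print("with copied line:   ", resolve_session_context(caller, "unconfined_u", "s0-s0:c0.c1023", after))
    print("with users/ file:   ", resolve_session_context(caller, "unconfined_u", "s0-s0:c0.c1023", DEFAULT_CONTEXTS_BEFORE, USER_FILE_UNCONFINED))
    print("user_u:             ", resolve_session_context(caller, "user_u", "s0", after))
```

The first call returns None, which is exactly the failure mode in the logs above; either fix gives the resolver a candidate list for the init_t caller, and the user_u case lands in user_u:user_r:user_t:s0 as in the `id -Z` output earlier in the thread.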


Bug#874191: Correction

Patrick Grant
In reply to this post by Harlan Lieberman-Berg-4
On Thu, 4 Jan 2018 15:19:51 +0100 Ramón García wrote:
> The fix was to edit /etc/selinux/[selinux config]/contexts/default_contexts:
> copy the line for system_r:sshd_t and replace sshd_t with init_t.
>
> pam_selinux can't find a correct context because there is no context
> available for going from init_t to the new user.

I have run into this and came to the same conclusion -- however when I make the change you describe it doesn't seem to be picked up. Is there a missing step beyond editing the file?


Bug#874191: gdm3 started users start in wrong context

Sam Morris
In reply to this post by Harlan Lieberman-Berg-4
Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191

I've noticed that the processes that are part of my login session have
the correct label. But systemd --user (and the processes underneath it)
largely run with init_t and initrc_t.

Adding 'verbose debug' to the 'pam_selinux.so open' line in
/etc/pam.d/systemd-user reveals:

    systemd[140316]: pam_selinux(systemd-user:session): Open Session
    systemd[140316]: pam_selinux(systemd-user:session): Username= Debian-gdm SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[140316]: pam_selinux(systemd-user:session): Unable to get valid context for Debian-gdm
    systemd[140316]: pam_selinux(systemd-user:session): conversation failed
    systemd[140316]: pam_unix(systemd-user:session): session opened for user Debian-gdm by (uid=0)

By contrast, on a system running Fedora, systemd --user and most of its
child processes are running with the expected label, and these messages
are logged:

    systemd[224172]: pam_selinux(systemd-user:session): Open Session
    systemd[224172]: pam_selinux(systemd-user:session): Username= gdm SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[224172]: pam_selinux(systemd-user:session): Set executable context: [] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
    systemd[224172]: pam_selinux(systemd-user:session): Security Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    systemd[224172]: pam_selinux(systemd-user:session): conversation failed
    systemd[224172]: pam_selinux(systemd-user:session): Set key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    systemd[224172]: pam_selinux(systemd-user:session): Key Creation Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    systemd[224172]: pam_selinux(systemd-user:session): conversation failed

Here's a handy command for examining the relationship between parent
process, login session, user and selinux context:

    $ ps f -e -o user,lsession,label,cmd
    USER     SESSION     LABEL                           CMD
    root     -           system_u:system_r:kernel_t:s0   [kthreadd]
    root     -           system_u:system_r:kernel_t:s0    \_ [rcu_gp]
    root     -           system_u:system_r:kernel_t:s0    \_ [rcu_par_gp]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/0:0H]
    root     -           system_u:system_r:kernel_t:s0    \_ [mm_percpu_wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [ksoftirqd/0]
    root     -           system_u:system_r:kernel_t:s0    \_ [rcu_sched]
    root     -           system_u:system_r:kernel_t:s0    \_ [migration/0]
    root     -           system_u:system_r:kernel_t:s0    \_ [cpuhp/0]
    root     -           system_u:system_r:kernel_t:s0    \_ [cpuhp/1]
    root     -           system_u:system_r:kernel_t:s0    \_ [migration/1]
    root     -           system_u:system_r:kernel_t:s0    \_ [ksoftirqd/1]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/1:0H-kblockd]
    root     -           system_u:system_r:kernel_t:s0    \_ [cpuhp/2]
    root     -           system_u:system_r:kernel_t:s0    \_ [migration/2]
    root     -           system_u:system_r:kernel_t:s0    \_ [ksoftirqd/2]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/2:0H-events_highpri]
    root     -           system_u:system_r:kernel_t:s0    \_ [cpuhp/3]
    root     -           system_u:system_r:kernel_t:s0    \_ [migration/3]
    root     -           system_u:system_r:kernel_t:s0    \_ [ksoftirqd/3]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/3:0H-events_highpri]
    root     -           system_u:system_r:kernel_t:s0    \_ [kdevtmpfs]
    root     -           system_u:system_r:kernel_t:s0    \_ [netns]
    root     -           system_u:system_r:kernel_t:s0    \_ [kauditd]
    root     -           system_u:system_r:kernel_t:s0    \_ [khungtaskd]
    root     -           system_u:system_r:kernel_t:s0    \_ [oom_reaper]
    root     -           system_u:system_r:kernel_t:s0    \_ [writeback]
    root     -           system_u:system_r:kernel_t:s0    \_ [kcompactd0]
    root     -           system_u:system_r:kernel_t:s0    \_ [ksmd]
    root     -           system_u:system_r:kernel_t:s0    \_ [khugepaged]
    root     -           system_u:system_r:kernel_t:s0    \_ [kintegrityd]
    root     -           system_u:system_r:kernel_t:s0    \_ [kblockd]
    root     -           system_u:system_r:kernel_t:s0    \_ [blkcg_punt_bio]
    root     -           system_u:system_r:kernel_t:s0    \_ [edac-poller]
    root     -           system_u:system_r:kernel_t:s0    \_ [devfreq_wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [kswapd0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kthrotld]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/122-aerdrv]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/123-aerdrv]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/124-aerdrv]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/125-aerdrv]
    root     -           system_u:system_r:kernel_t:s0    \_ [acpi_thermal_pm]
    root     -           system_u:system_r:kernel_t:s0    \_ [ipv6_addrconf]
    root     -           system_u:system_r:kernel_t:s0    \_ [kstrp]
    root     -           system_u:system_r:kernel_t:s0    \_ [nvme-wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [nvme-reset-wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [cryptd]
    root     -           system_u:system_r:kernel_t:s0    \_ [nvme-delete-wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/3:1H-events_highpri]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/2:1H-events_highpri]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/1:1H-kblockd]
    root     -           system_u:system_r:kernel_t:s0    \_ [kdmflush]
    root     -           system_u:system_r:kernel_t:s0    \_ [kcryptd_io/254:]
    root     -           system_u:system_r:kernel_t:s0    \_ [kcryptd/254:0]
    root     -           system_u:system_r:kernel_t:s0    \_ [dmcrypt_write/2]
    root     -           system_u:system_r:kernel_t:s0    \_ [kdmflush]
    root     -           system_u:system_r:kernel_t:s0    \_ [kdmflush]
    root     -           system_u:system_r:kernel_t:s0    \_ [jbd2/dm-2-8]
    root     -           system_u:system_r:kernel_t:s0    \_ [ext4-rsv-conver]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/0:1H-events_highpri]
    root     -           system_u:system_r:kernel_t:s0    \_ [tpm_dev_wq]
    root     -           system_u:system_r:kernel_t:s0    \_ [kmemstick]
    root     -           system_u:system_r:kernel_t:s0    \_ [watchdogd]
    root     -           system_u:system_r:kernel_t:s0    \_ [cfg80211]
    root     -           system_u:system_r:kernel_t:s0    \_ [jbd2/nvme0n1p2-]
    root     -           system_u:system_r:kernel_t:s0    \_ [ext4-rsv-conver]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/141-iwlwifi]
    root     -           system_u:system_r:kernel_t:s0    \_ [krfcommd]
    root     -           system_u:system_r:kernel_t:s0    \_ [cifsiod]
    root     -           system_u:system_r:kernel_t:s0    \_ [smb3decryptd]
    root     -           system_u:system_r:kernel_t:s0    \_ [cifsfileinfoput]
    root     -           system_u:system_r:kernel_t:s0    \_ [cifsoplockd]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u9:2-rb_allocator]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/2:4-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u8:41-kcryptd/254:0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/2:1-cgroup_destroy]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/0:78-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/1:127-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u8:5-kcryptd/254:0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u8:6-kcryptd/254:0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u8:23-kcryptd/254:0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u8:24-events_unbound]
    root     -           system_u:system_r:kernel_t:s0    \_ [irq/126-mei_me]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/u9:0-hci0]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/0:0-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/1:1-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/3:1-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/3:3-events]
    root     -           system_u:system_r:kernel_t:s0    \_ [kworker/1:0-cgroup_destroy]
    root     -           system_u:system_r:init_t:s0     /sbin/init splash splash
    root     -           system_u:system_r:syslogd_t:s0  /lib/systemd/systemd-journald
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023 /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    root     -           system_u:system_r:udev_t:s0-s0:c0.c1023  \_ /lib/systemd/systemd-udevd
    systemd+ -           system_u:system_r:systemd_resolved_t:s0 /lib/systemd/systemd-resolved
    root     -           system_u:system_r:auditd_t:s0   /sbin/auditd
    root     -           system_u:system_r:modemmanager_t:s0 /usr/sbin/ModemManager --filter-policy=strict
    avahi    -           system_u:system_r:avahi_t:s0    avahi-daemon: running [fragarach.local]
    avahi    -           system_u:system_r:avahi_t:s0     \_ avahi-daemon: chroot helper
    message+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    root     -           system_u:system_r:firewalld_t:s0 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    root     -           system_u:system_r:initrc_t:s0   /usr/libexec/iwd
    root     -           system_u:system_r:sssd_t:s0     /usr/sbin/sssd -i --logger=files
    root     -           system_u:system_r:sssd_t:s0      \_ /usr/libexec/sssd/sssd_be --domain ipa.example.com --uid 0 --gid 0 --logger=files
    root     -           system_u:system_r:sssd_t:s0      \_ /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
    root     -           system_u:system_r:devicekit_disk_t:s0 /usr/lib/udisks2/udisksd
    root     -           system_u:system_r:initrc_t:s0   /usr/sbin/atopacctd
    root     -           system_u:system_r:initrc_t:s0   /usr/sbin/usbguard-daemon -f -s -c /etc/usbguard/usbguard-daemon.conf
    root     -           system_u:system_r:policykit_t:s0 /usr/lib/policykit-1/polkitd --no-debug
    root     -           system_u:system_r:alsa_t:s0     /usr/sbin/alsactl -E HOME=/run/alsa -s -n 19 -c rdaemon
    root     -           system_u:system_r:bluetooth_t:s0 /usr/lib/bluetooth/bluetoothd
    root     -           system_u:system_r:NetworkManager_t:s0 /usr/sbin/NetworkManager --no-daemon
    root     -           system_u:system_r:initrc_t:s0   /usr/sbin/dockerd -H fd://
    root     -           system_u:system_r:initrc_t:s0    \_ docker-containerd --config /var/run/docker/containerd/containerd.toml --log-level info
    root     -           system_u:system_r:accountsd_t:s0 /usr/lib/accountsservice/accounts-daemon
    root     -           system_u:system_r:crond_t:s0-s0:c0.c1023 /usr/sbin/cron -f
    root     -           system_u:system_r:systemd_logind_t:s0 /lib/systemd/systemd-logind
    root     -           system_u:system_r:sshd_t:s0-s0:c0.c1023 /usr/sbin/sshd -D
    root     -           system_u:system_r:xdm_t:s0-s0:c0.c1023 /usr/sbin/gdm3
    root     126         system_u:system_r:xdm_t:s0-s0:c0.c1023  \_ gdm-session-worker [pam/gdm-password]
    sam.mor+ 126         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023      \_ /usr/libexec/gdm-wayland-session /usr/bin/gnome-session
    sam.mor+ 126         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023          \_ /usr/libexec/gnome-session-binary --systemd
    colord   -           system_u:system_r:colord_t:s0   /usr/lib/colord/colord
    root     -           system_u:system_r:NetworkManager_t:s0 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
    rtkit    -           system_u:system_r:rtkit_daemon_t:s0 /usr/lib/rtkit/rtkit-daemon
    nobody   -           system_u:system_r:dnsmasq_t:s0-s0:c0.c1023 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
    root     -           system_u:system_r:dnsmasq_t:s0-s0:c0.c1023  \_ /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
    root     -           system_u:system_r:devicekit_power_t:s0 /usr/lib/upower/upowerd
    sam.mor+ -           system_u:system_r:init_t:s0     /lib/systemd/systemd --user
    sam.mor+ -           system_u:system_r:init_t:s0      \_ (sd-pam)
    sam.mor+ -           system_u:system_r:pulseaudio_t:s0  \_ /usr/bin/pulseaudio --daemonize=no
    sam.mor+ -           system_u:system_r:init_t:s0      \_ ssh-agent -D -a /run/user/876099160/openssh_agent
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/bin/onedrive --monitor
    sam.mor+ -           system_u:system_r:init_t:s0      \_ /usr/bin/gpg-agent --supervised
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gnome-session-ctl --monitor
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gnome-session-binary --systemd-service --session=gnome
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/at-spi2-core/at-spi-bus-launcher --launch-immediately
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0  |   |   \_ /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/bin/python3 /usr/bin/firewall-applet
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ usbguard-applet-qt
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/tracker/tracker-miner-apps
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/gnome-disk-utility/gsd-disk-utility-notify
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/libexec/evolution-data-server/evolution-alarm-notify
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/bin/nextcloud
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/tracker/tracker-miner-fs
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/bin/gnome-software --gapplication-service
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/bin/owncloud
    sam.mor+ -           system_u:system_r:init_t:s0      \_ /usr/bin/gnome-shell
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/bin/Xwayland :0 -rootless -noreset -accessx -core -auth /run/user/876099160/.mutter-Xwaylandauth.DQ66H0 -listen 4 -listen 5 -displayfd 6
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ ibus-daemon --panel disable -r --xim
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/ibus/ibus-dconf
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/ibus/ibus-extension-gtk3
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/ibus/ibus-engine-simple
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ pidgin
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/firefox/firefox
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 8 -isForBrowser -prefsLen 497 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 10 -isForBrowser -prefsLen 6590 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/bin/python3 /usr/bin/chrome-gnome-shell /usr/lib/mozilla/native-messaging-hosts/org.gnome.chrome_gnome_shell.json [hidden email]
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -childID 18 -isForBrowser -prefsLen 8118 -prefMapSize 223666 -parentBuildID 20200309095159 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true tab
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/lib/firefox/firefox -contentproc -parentBuildID 20200309095159 -prefsLen 12960 -prefMapSize 223666 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 63179 true rdd
    root     -           system_u:system_r:initrc_t:s0    |   \_ bwrap --args 33 keepassxc
    sam.mor+ -           system_u:system_r:initrc_t:s0    |       \_ bwrap --args 33 keepassxc
    sam.mor+ -           system_u:system_r:initrc_t:s0    |           \_ keepassxc
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfsd
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/gvfs/gvfsd-trash --spawner :1.19 /org/gtk/gvfs/exec_spaw/0
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/gvfs/gvfsd-network --spawner :1.19 /org/gtk/gvfs/exec_spaw/5
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ /usr/lib/gvfs/gvfsd-dnssd --spawner :1.19 /org/gtk/gvfs/exec_spaw/9
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfsd-fuse /run/user/876099160/gvfs -f -o big_writes
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0  \_ /usr/lib/at-spi2-core/at-spi2-registryd --use-gnome-session
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/xdg-permission-store
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/lib/gnome-shell/gnome-shell-calendar-server
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/evolution-source-registry
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/lib/dconf/dconf-service
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/libexec/goa-daemon
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfs-udisks2-volume-monitor
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfsd-metadata
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfs-gphoto2-volume-monitor
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/libexec/goa-identity-service
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfs-goa-volume-monitor
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfs-mtp-volume-monitor
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/gvfs/gvfs-afc-volume-monitor
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/lib/ibus/ibus-x11 --kill-daemon
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/lib/ibus/ibus-portal
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-a11y-settings
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-color
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-datetime
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-housekeeping
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-keyboard
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-media-keys
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-power
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-print-notifications
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-rfkill
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-screensaver-proxy
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-sharing
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-smartcard
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-sound
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-usb-protection
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-wacom
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-wwan
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-xsettings
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/evolution-calendar-factory
    sam.mor+ -           system_u:system_r:init_t:s0      \_ /usr/lib/tracker/tracker-store
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gsd-printer
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/evolution-addressbook-factory
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/bin/gnome-calendar --gapplication-service
    sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/bin/seahorse --gapplication-service
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/bin/python3 /usr/share/virt-manager/virt-manager
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gnome-terminal-server
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    root     -           system_u:system_r:initrc_t:s0    |   |   \_ sudo apt install -t buster-backports libreoffice
    root     -           system_u:system_r:initrc_t:s0    |   |       \_ sudo apt install -t buster-backports libreoffice
    root     -           system_u:system_r:apt_t:s0       |   |           \_ apt install -t buster-backports libreoffice
    root     -           system_u:system_r:apt_t:s0       |   |               \_ apt install -t buster-backports libreoffice
    root     -           system_u:system_r:apt_t:s0       |   |                   \_ sh -c test -x /usr/lib/needrestart/apt-pinvoke && /usr/lib/needrestart/apt-pinvoke || true
    root     -           system_u:system_r:apt_t:s0       |   |                       \_ /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/needrestart
    root     -           system_u:system_r:apt_t:s0       |   |                           \_ /usr/bin/perl /usr/sbin/needrestart
    root     -           system_u:system_r:apt_t:s0       |   |                           \_ whiptail --backtitle Package configuration --title Daemons using outdated libraries --output-fd 12 --separate-output --checklist   Which services should be restarted? 11 47 1 -- libvirtd.service  off
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ vim selinux-process-tree
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |   \_ /usr/bin/python3 /usr/bin/reportbug -N 874191
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |       \_ sh -c gvim -c :6 '/tmp/reportbug-874191-20200330-126232-3b7z1tcz'
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   |           \_ gvim -c :6 /tmp/reportbug-874191-20200330-126232-3b7z1tcz
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
    sam.mor+ -           system_u:system_r:initrc_t:s0    |       \_ vim /etc/selinux/default/contexts/default_contexts
    sam.mor+ -           system_u:system_r:initrc_t:s0    |       \_ ps f -e -o user,lsession,label,cmd
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/flatpak-session-helper
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ server --sh -n /run/user/876099160/.flatpak-helper/pkcs11-flatpak-80340 --provider p11-kit-trust.so pkcs11:model=p11-kit-trust?write-protected=yes
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/xdg-document-portal
    root     -           system_u:system_r:initrc_t:s0    \_ bwrap --args 32 xdg-dbus-proxy --args=36
    sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ xdg-dbus-proxy --args=36
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/xdg-desktop-portal
    sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/xdg-desktop-portal-gtk
    root     -           system_u:system_r:init_t:s0     /usr/lib/bolt/boltd
    root     -           system_u:system_r:initrc_t:s0   /usr/libexec/sssd/sssd_sudo --socket-activated
    root     -           system_u:system_r:virtd_t:s0-s0:c0.c1023 /usr/sbin/libvirtd
    root     -           system_u:system_r:getty_t:s0    /sbin/agetty -o -p -- \u --noclear tty6 linux
    root     -           system_u:system_r:getty_t:s0    /sbin/agetty -o -p -- \u --noclear tty3 linux
    sam.mor+ 126         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/bin/gnome-keyring-daemon --daemonize --login
    sam.mor+ 126         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023  \_ /usr/bin/ssh-agent -D -a /run/user/876099160/keyring/.ssh
    root     -           system_u:system_r:virtlogd_t:s0-s0:c0.c1023 /usr/sbin/virtlogd
    root     -           system_u:system_r:initrc_t:s0   /usr/sbin/oddjobd -n -p /var/run/oddjobd.pid -t 300
    root     -           system_u:system_r:init_t:s0     /usr/lib/fwupd/fwupd
    root     -           system_u:system_r:initrc_t:s0   /usr/bin/via-vpn-srv -f -d 2
    _chrony  -           system_u:system_r:chronyd_t:s0  /usr/sbin/chronyd -F -1
    _chrony  -           system_u:system_r:chronyd_t:s0   \_ /usr/sbin/chronyd -F -1
    root     -           system_u:system_r:initrc_t:s0   /usr/libexec/sssd/sssd_nss --logger=files --socket-activated
    root     -           system_u:system_r:initrc_t:s0   /usr/bin/atop -R -w /var/log/atop/atop_20200330 600
    root     -           system_u:system_r:cupsd_t:s0-s0:c0.c1023 /usr/sbin/cupsd -l


-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.8-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        2.8-1
ii  policycoreutils  2.8-1
ii  selinux-utils    2.8-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed:
system_r:crond_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0 user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:remote_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
staff_r:staff_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
staff_r:staff_sudo_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0
system_r:init_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0


-- no debconf information
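The listing above was inspected by eye; the check below does the same job over sample rows. It is an added illustration written for this thread, not a tool from the report: it parses the column layout of `ps f -e -o user,lsession,label,cmd` and flags processes owned by a login user whose SELinux user field is `system_u` rather than the user's own seuser (the `gnome-keyring-daemon` row shows what a correctly labelled session process looks like). The sample rows are a constructed excerpt of the listing, and `login_user` is passed in the truncated form `ps` prints.

```python
"""Flag a login user's processes that carry a system_u:system_r label
(e.g. initrc_t, init_t, system_dbusd_t) instead of the user's own login
context.  Illustration added to this thread; not code from the report."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Proc(NamedTuple):
    user: str        # owner as printed by ps (truncated with '+' past 8 chars)
    lsession: str    # logind session id, '-' when the process has none
    label: str       # SELinux context: seuser:role:type[:range]
    cmd: str         # command with the tree-drawing prefix stripped


# Constructed excerpt in the format of the listing above.  A raw string keeps
# the \_ tree markers and the literal "\u" in the agetty row intact.
SAMPLE_PS = r"""
sam.mor+ -           system_u:system_r:initrc_t:s0    \_ /usr/libexec/gnome-terminal-server
sam.mor+ -           system_u:system_r:initrc_t:s0    |   \_ bash
root     -           system_u:system_r:apt_t:s0       |   |   \_ apt install -t buster-backports libreoffice
sam.mor+ -           system_u:system_r:system_dbusd_t:s0-s0:c0.c1023  \_ /usr/lib/dconf/dconf-service
root     -           system_u:system_r:getty_t:s0    /sbin/agetty -o -p -- \u --noclear tty6 linux
sam.mor+ 126         unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 /usr/bin/gnome-keyring-daemon --daemonize --login
_chrony  -           system_u:system_r:chronyd_t:s0  /usr/sbin/chronyd -F -1
"""

# user, lsession and label never contain spaces; cmd is everything after them.
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# "|   |   \_ " style prefix that `ps f` draws in front of child commands.
_TREE_PREFIX = re.compile(r"^(?:\|\s*)*(?:\\_\s*)?")


def parse_ps(text: str) -> List[Proc]:
    """Split each non-empty row into its four columns."""
    procs: List[Proc] = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        user, lsession, label, rest = m.groups()
        procs.append(Proc(user, lsession, label, _TREE_PREFIX.sub("", rest).strip()))
    return procs


def seuser(label: str) -> str:
    return label.split(":")[0]


def domain(label: str) -> str:
    return label.split(":")[2]


def mislabelled_session_procs(procs: List[Proc], login_user: str) -> List[Proc]:
    """Processes owned by a human login user that carry the system_u identity.
    A process started from that user's session should carry the seuser the
    login assigned (unconfined_u here); system_u on it is the symptom of this
    bug.  Service accounts such as _chrony legitimately run as system_u, so
    only pass real login users."""
    return [p for p in procs
            if p.user == login_user and seuser(p.label) == "system_u"]


def check(text: str, login_user: str) -> Dict[str, int]:
    """Count the flagged processes per SELinux domain, e.g. {'initrc_t': 2}."""
    bad = mislabelled_session_procs(parse_ps(text), login_user)
    return dict(Counter(domain(p.label) for p in bad))


if __name__ == "__main__":
    for p in mislabelled_session_procs(parse_ps(SAMPLE_PS), "sam.mor+"):
        print(f"{domain(p.label):16} lsession={p.lsession:4} {p.cmd}")
    print("flagged domains:", check(SAMPLE_PS, "sam.mor+"))
```

Run against a live `ps f -e -o user,lsession,label,cmd` capture, an empty result for the logged-in user means the session was labelled by the login path as intended; any `initrc_t` or `init_t` entries point at the systemd --user transition discussed further down the thread.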

Bug#874191: gdm3 started users start in wrong context

Sam Morris
In reply to this post by Harlan Lieberman-Berg-4
Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191

I realised that the log messages I provided above refer to gdm's systemd
--user instance.

Looking more carefully, on the Fedora system I see:

    systemd[1]: Starting User Manager for UID 1673000001...
    audit[236830]: USER_ACCT pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[236830]: pam_selinux(systemd-user:session): Open Session
    systemd[236830]: pam_selinux(systemd-user:session): Username= sam SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[236830]: pam_selinux(systemd-user:session): Set executable context: [] -> [unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023]
    systemd[236830]: pam_selinux(systemd-user:session): Security Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    audit[236830]: USER_ROLE_CHANGE pid=236830 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[236830]: pam_selinux(systemd-user:session): conversation failed
    systemd[236830]: pam_selinux(systemd-user:session): Set key creation context to unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    systemd[236830]: pam_selinux(systemd-user:session): Key Creation Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Assigned
    systemd[236830]: pam_selinux(systemd-user:session): conversation failed
    systemd[236830]: pam_unix(systemd-user:session): session opened for user sam by (uid=0)
    audit[236830]: USER_START pid=236830 uid=0 auid=1673000001 ses=13 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_sss acct="sam" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Note that we have "Username= sam" so we're looking at the right messages
this time! Based on this it looks like the mechanism by which 'systemd
--user' transitions from init_t to unconfined_t is via pam_selinux.so.

By contrast, when logging on to my Debian system:

    audit[9657]: USER_ACCT pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:accounting grantors=pam_permit,pam_sss acct="[hidden email]" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    audit[9657]: CRED_ACQ pid=9657 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='op=PAM:setcred grantors=pam_permit acct="[hidden email]" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    systemd[9657]: pam_selinux(systemd-user:session): Open Session
    audit[8280]: AVC avc:  denied  { read } for  pid=8280 comm="polkitd" name="userdb" dev="tmpfs" ino=18467 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=1
    audit[8280]: AVC avc:  denied  { map } for  pid=8280 comm="polkitd" path="/etc/passwd" dev="dm-2" ino=133411 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    audit[8280]: AVC avc:  denied  { connectto } for  pid=8280 comm="polkitd" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=1
    systemd[9657]: pam_selinux(systemd-user:session): Username= [hidden email] SELinux User= unconfined_u Level= s0-s0:c0.c1023
    systemd[9657]: pam_selinux(systemd-user:session): Unable to get valid context for [hidden email]
    systemd[9657]: pam_selinux(systemd-user:session): conversation failed
    systemd[9657]: pam_unix(systemd-user:session): session opened for user [hidden email] by (uid=0)
    audit[9657]: USER_START pid=9657 uid=0 auid=876099160 ses=10 subj=system_u:system_r:init_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_limits,pam_permit,pam_unix,pam_systemd acct="[hidden email]" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

I can reproduce this with the test program at
<https://github.com/yrro/selinux-scratch>:

    $ build/se
    user=[hidden email]
    seuser=unconfined_u; level=s0-s0:c0.c1023
    get_ordered_context_list_with_level: Invalid argument

Perhaps this is expected, since there is no entry for init_t in
/etc/selinux/default/contexts/default_contexts; on the other hand,
adding an entry such as:

    system_u:system_r:init_t:s0     user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

... doesn't make a difference. On the other hand, my Fedora machine
doesn't have an entry for init_t in the default_contexts file, and:

    $ ./se
    user=sam
    seuser=unconfined_u; level=s0-s0:c0.c1023
    1 contexts
    [0]: unconfined_u:unconfined_r:unconfined_t:so-s0:c0.c1023

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        3.0-1
ii  policycoreutils  2.8-1
ii  selinux-utils    3.0-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information

Bug#874191: gdm3 started users start in wrong context

Sam Morris
In reply to this post by Harlan Lieberman-Berg-4
Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
Control: -1 + patch

I have fixed this by making the following changes:

 1. Patch libselinux with
    <https://github.com/SELinuxProject/selinux/commit/1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9>

 2. Modify /etc/selinux/default/contexts/users/* by adding the following lines (taken from my Fedora machine)

    $ grep init_t /etc/selinux/default/contexts/users
    /etc/selinux/default/contexts/users/guest_u:system_r:init_t:s0 guest_r:guest_t:s0
    /etc/selinux/default/contexts/users/staff_u:system_r:init_t:s0 staff_r:staff_t:s0
    /etc/selinux/default/contexts/users/unconfined_u:system_r:init_t:s0 unconfined_r:unconfined_t:s0
    /etc/selinux/default/contexts/users/user_u:system_r:init_t:s0 user_r:user_t:s0
    /etc/selinux/default/contexts/users/xguest_u:system_r:init_t:s0 xguest_r:xguest_t:s0

 3. Reboot the machine (I don't know why a simple 'loginctl terminate-user
    $USER' followed by logging in is not sufficient, any ideas?)

As for the purpose of that patch; see
<https://github.com/SELinuxProject/selinux/issues/28>. Note the ERANGE error
when writing to /sys/fs/selinux/user:

    $ strace -s 2048 python3 -c 'import selinux; selinux.get_ordered_context_list("unconfined_u", "system_u:system_r:init_t:s0")'
    [...]
    openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=584, ...}) = 0
    read(3, "# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive -       SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.      \nSELINUX=permissive\n# SELINUXTYPE= can take one of these two values:\n# default -           equivalent to the old strict and targeted policies\n# mls     - Multi-Level Security (for     military and educational use)\n# src     - Custom policy built from                           source\nSELINUXTYPE=default\n\n# SETLOCALDEFS= Check local definition                         changes\nSETLOCALDEFS=0\n", 4096) = 584
    read(3, "", 4096)                       = 0
    close(3)                                = 0
    futex(0x7f546b70db40, FUTEX_WAKE_PRIVATE, 2147483647) = 0
    access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or directory)
    futex(0x7f546b70dbc8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
    openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
    write(3, "system_u:system_r:init_t:s0 unconfined_u", 40) = -1 ERANGE (Numerical result out of range)
    close(3)                                = 0
    openat(AT_FDCWD, "/etc/selinux/default/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
    read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
    close(3)                                = 0
    openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
    write(3, "unconfined_u:sysadm_r:sysadm_t:s0\0", 34) = -1 EINVAL (Invalid argument)
    close(3)

This matches one of the comments,

    "On our experimental Ubuntu 18.04.3 LTS machine running SELinux with
    latest official reference policy, we always get pam_selinux.so
    complaining “unable to get valid context for gdm” during system
    bootup.  And we found it is the security_compute_user() hits the 4k
    page size bound with error -ERANGE from sel_write_user().
    Specifically, we intend to transition from
    “system_u:system_r:init_t” to “system_u:system_r:xdm_t” in order to
    run the systemd user instance for system user gdm. With some
    instruments in the kernel, we realize we need roughly 16k for
    complete set of reachable contexts."

and

    I believe Fedora has worked around the issue by altering their
    policy to restrict outbound transitions from init_t and other
    unconfined domains to only legitimate ones.

And indeed, on my Fedora machine the write is successful and is followed
by a read that returns 19 contexts.

So.

Rather than figuring out how Fedora modified refpolicy to make the transitions
fit into a single page, applying the patch above does the job. But refpolicy
must still be modified by adding entries for init_t to the selinux user default
context files as described above (refer to Fedora's versions of these files at
<https://github.com/fedora-selinux/selinux-policy/tree/rawhide/config/appconfig-standard>;
it looks like Fedora are keeping their modifications directly in that repo
rather than as a series of patches to be applied to vanilla refpolicy?)

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        3.0-1
ii  policycoreutils  2.8-1
ii  selinux-utils    3.0-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed [not included]

-- no debconf information
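The two posts above establish that the session context comes from libselinux's get_ordered_context_list(), consulting contexts/users/<seuser> and default_contexts and filtering by what the kernel reports through /sys/fs/selinux/user, and that both the libselinux patch (so the kernel query no longer fails with ERANGE) and the init_t lines are needed. The model below is an added illustration of that selection, written for this thread; it is not libselinux code and it simplifies the real algorithm (lines are matched on role:type only, the level comes from the caller, and the failsafe context is handed back unchecked, which is what the EINVAL on /sys/fs/selinux/context in the strace shows the kernel rejecting afterwards). The file contents are abridged from the report, and the `REACHABLE_*` sets are constructed stand-ins for the kernel's answer.

```python
"""Stand-alone model of how libselinux's get_ordered_context_list() chooses a
session context from contexts/users/<seuser> and default_contexts.  Written
for this thread as an illustration; simplified, not libselinux's code."""
from typing import Dict, List, Set, Tuple

# Constructed abridgement of Debian's stock default_contexts as dumped in the
# report above: no line is keyed on init_t, the domain systemd --user runs in.
DEFAULT_CONTEXTS = """\
system_r:local_login_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:sshd_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
system_r:xdm_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
"""

# contexts/users/unconfined_u before and after adding the line from Fedora.
USERS_UNCONFINED_BEFORE = ""
USERS_UNCONFINED_AFTER = "system_r:init_t:s0 unconfined_r:unconfined_t:s0\n"

# contexts/failsafe_context as read in the strace above.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0"

# Constructed stand-ins for what the kernel returns through /sys/fs/selinux/user
# (security_compute_user): the user:role:type triples unconfined_u may reach
# from init_t.  On the unpatched Debian box that write fails with ERANGE, which
# the model represents as an empty set.
REACHABLE_FROM_INIT: Set[str] = {
    "unconfined_u:unconfined_r:unconfined_t",
    "unconfined_u:system_r:init_t",
}
REACHABLE_ERANGE: Set[str] = set()

FROM_CONTEXT = "system_u:system_r:init_t:s0"   # systemd --user's own context
LEVEL = "s0-s0:c0.c1023"                       # "Level=" from pam_selinux


def parse_context_file(text: str) -> Dict[str, List[str]]:
    """Map the 'role:type' of a source domain to the ordered 'role:type'
    fields on its line.  Comments and blank lines are skipped; the level on
    the key (always s0 in the files above) takes no part in matching."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *fields = line.split()
        table.setdefault(":".join(key.split(":")[:2]), []).extend(
            ":".join(f.split(":")[:2]) for f in fields)
    return table


def ordered_context_list(from_context: str, seuser: str, level: str,
                         reachable: Set[str], user_file: str,
                         default_file: str) -> Tuple[List[str], bool]:
    """Return (ordered candidate contexts, used_failsafe).

    The per-seuser file is consulted first, then default_contexts; a candidate
    survives only if the kernel reported its user:role:type as reachable.
    With no survivor the failsafe context is returned as the last resort."""
    key = ":".join(from_context.split(":")[1:3])        # e.g. system_r:init_t
    ordered: List[str] = []
    for table in (parse_context_file(user_file), parse_context_file(default_file)):
        for role_type in table.get(key, []):
            triple = f"{seuser}:{role_type}"
            full = f"{triple}:{level}"
            if triple in reachable and full not in ordered:
                ordered.append(full)
    if ordered:
        return ordered, False
    failsafe = ":".join(FAILSAFE_CONTEXT.split(":")[:2])
    return [f"{seuser}:{failsafe}:{level}"], True


def scenario(kernel_query_ok: bool, init_line_added: bool) -> Tuple[List[str], bool]:
    """The four combinations of the libselinux patch (kernel query succeeds)
    and the contexts/users fix that the thread discusses."""
    return ordered_context_list(
        FROM_CONTEXT, "unconfined_u", LEVEL,
        REACHABLE_FROM_INIT if kernel_query_ok else REACHABLE_ERANGE,
        USERS_UNCONFINED_AFTER if init_line_added else USERS_UNCONFINED_BEFORE,
        DEFAULT_CONTEXTS)


if __name__ == "__main__":
    for kernel_ok in (False, True):
        for added in (False, True):
            contexts, failsafe = scenario(kernel_ok, added)
            print(f"kernel query ok={kernel_ok!s:5} init_t line={added!s:5} -> "
                  f"{contexts}{' (failsafe)' if failsafe else ''}")
```

Running it prints the failsafe `unconfined_u:sysadm_r:sysadm_t:...` for three of the four combinations and the expected `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` only when the kernel query succeeds and an init_t line exists, which is why editing default_contexts alone made no difference earlier in the thread.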

Bug#874191: gdm3 started users start in wrong context

Sam Morris
In reply to this post by Harlan Lieberman-Berg-4
Package: selinux-policy-default
Followup-For: Bug #874191

Patches available:

https://salsa.debian.org/selinux-team/libselinux/-/merge_requests/2
https://salsa.debian.org/selinux-team/refpolicy/-/merge_requests/10

-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (535, 'stable-updates'), (535, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 4.19.0-8-686-pae (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.8-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        2.8-1
pn  policycoreutils  <none>
pn  selinux-utils    <none>

Versions of packages selinux-policy-default recommends:
pn  checkpolicy  <none>
pn  setools      <none>

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>