https://bugs.kde.org/show_bug.cgi?id=457064

            Bug ID: 457064
           Summary: Using KDE Plasma with SELinux restricted users cause
                    weird AVC's with SELinux running as permissive and
                    makes restricted login impossible with SELinux running
                    as enforcing
           Product: frameworks-kwindowsystem
           Version: 5.96.0
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: kwin-bugs-n...@kde.org
          Reporter: roger.k.truss...@gmail.com
  Target Milestone: ---


STEPS TO REPRODUCE
1. Install the Fedora Workstation 36 KDE Spin and apply all updates
2. Edit the "/etc/selinux/config" file and put SELinux in permissive mode
because the following steps won't work in "enforcing" mode.
3. Create a new Linux user and use "sudo semanage login" to map that new Linux
user onto the SELinux user "user_u"
4. Reboot and log in as that restricted user


OBSERVED RESULT
You will see interesting AVCs such as:
SELinux is preventing plasmashell from watch access on the directory /
SELinux is preventing plasmashell from watch access on the file /etc/passwd.
SELinux is preventing ksmserver-logou from watch access on the file /etc/passwd.
SELinux is preventing kwin_wayland from write access on the file /tmp/#118

EXPECTED RESULT

I kinda expected that maybe the KDE login mechanism would be modular or at
least use a standard PAM and not need direct access to any sensitive system
resources.  I understand if temporary files need to be stored in the user
directory. 

I was hoping to create SELinux restricted accounts on this Fedora Workstation
that would not need direct access to any sensitive system resources. 

I'm still trying to wrap my head around how Wayland and modern window managers
work. 

I just assumed that maybe things like sddm and the Wayland compositor would
both run as daemons with root level permissions and the Wayland clients would
run with the same system permissions as the "logged in user". Perhaps having
the compositor and sddm both running as root would block or confuse the
communication between the clients and the compositor. I just don't know. Sorry.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Workstation 36 KDE Spin: kernel: 5.18.13-200.fc36.x86_64
KDE Plasma Version: 5.25.3
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.3

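
A triage helper for alert lines like those listed under OBSERVED RESULT, added here as an example and not part of the original report or of any KDE or SELinux tooling. It groups the denials by permission and object class, and flags process names that reach the kernel's 15-character task-name limit (as "ksmserver-logou" does); the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Alert lines quoted from the report above (the wrapped third line is rejoined).
ALERTS = """\
SELinux is preventing plasmashell from watch access on the directory /
SELinux is preventing plasmashell from watch access on the file /etc/passwd.
SELinux is preventing ksmserver-logou from watch access on the file /etc/passwd.
SELinux is preventing kwin_wayland from write access on the file /tmp/#118
"""

# A single trailing period is treated as sentence punctuation, so a path that
# really ends in "." would lose it; acceptable for triage, not for policy.
ALERT_RE = re.compile(
    r"^SELinux is preventing (?P<comm>\S+) from (?P<perm>.+?) access "
    r"on the (?P<tclass>\S+) (?P<path>.+?)\.?$"
)

COMM_MAX = 15  # the kernel stores at most 15 characters of a task name


def parse_alert(line):
    """Return a dict for one alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # A name of exactly COMM_MAX characters is probably cut short, so the
    # real binary has to be looked up before attributing the denial.
    rec["comm_truncated"] = len(rec["comm"]) >= COMM_MAX
    return rec


def summarize(text):
    """Group denials as {(perm, tclass): {path: [process names]}}."""
    groups = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec:
            groups[(rec["perm"], rec["tclass"])][rec["path"]].add(rec["comm"])
    return {k: {p: sorted(c) for p, c in v.items()} for k, v in groups.items()}


if __name__ == "__main__":
    for (perm, tclass), paths in sorted(summarize(ALERTS).items()):
        for path, comms in sorted(paths.items()):
            print(f"{perm:6} {tclass:10} {path:12} <- {', '.join(comms)}")
```

On the quoted lines, three of the four denials are for the watch permission, and two different processes ask for it on /etc/passwd.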