KWallet-PAM SELinux context transition support
Needs Review · Public

Authored by secureworkstation on Jan 29 2020, 3:24 AM.

Details

Reviewers
None
Group Reviewers
Plasma
Frameworks
Summary

This patch is a repurposed patch by Daniel Walsh for gnome-keyring:

https://github.com/GNOME/gnome-keyring/commit/2f6a7c049dfffed20e3f78e3f51a8cca8735f2d3
https://github.com/GNOME/gnome-keyring/commit/74fc065e3c3e04a5cd5dfa0e725f7664825a5b1e
https://bugzilla.redhat.com/show_bug.cgi?id=684225

In short, for most (if not all) existing users this patch should do nothing: for those without SELinux, for those with SELinux disabled and for those with SELinux enabled in default settings. One would need to construct a policy and no such policy currently exists (but I'm working on one for Fedora and it's not a trivial job).

SELinux works on labels given to processes and objects like files. Without this patch, pam_selinux (the PAM module, not this patch) transitions to the default user label, which is used to launch the kwalletd5 process by pam_kwallet. For me it's suboptimal, because I want to give it a dedicated label to further confine the process for security purposes. KWallet launched by the user (not PAM) transitions correctly; it is just the PAM launch that requires special code.

Ideally that could be a start to sandbox a lot more of Plasma using SELinux.

Tracking bug on fedora-selinux GitHub on more work on confining Plasma using SELinux: https://github.com/fedora-selinux/selinux-policy-contrib/issues/192

Test Plan
  1. Make sure it compiles on machines without SELinux [done]
  2. Make sure it doesn't break SELinux-disabled installations [help wanted]
  3. Make sure it doesn't break vanilla SELinux installations [pending]
  4. Make sure it transitions to the correct label if a correct policy is present [done]
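Items 2 to 4 of the test plan can be checked from a shell by looking at the label kwalletd5 actually runs under. The function below is an added example, not part of the patch or of KWallet-PAM; the type name `kwallet_t` and the sample lines are assumptions constructed for illustration, since the page does not name the policy's type.

```shell
#!/bin/sh
# Reads `ps -eo label,comm` output on stdin and compares the SELinux type of
# every kwalletd5 process with the type given as $1.
# Exit status: 0 = every kwalletd5 runs in the expected type
#              1 = at least one runs in another type (no transition happened)
#              2 = no kwalletd5 process in the input
#              3 = kwalletd5 carries no SELinux context (SELinux disabled/absent)
check_kwalletd_label() {
    expected_type=$1
    awk -v want="$expected_type" '
        $NF != "kwalletd5" { next }      # last column is the command name
        { seen = 1 }
        {
            # A context is user:role:type[:range]; the range may itself
            # contain colons, so only the first three fields are positional.
            n = split($1, ctx, ":")
            if (n < 3) { unlabeled = 1; next }   # e.g. "-": not a context
            if (ctx[3] != want) { wrong = 1; print "unexpected context: " $1 }
        }
        END {
            if (!seen)     exit 2
            if (unlabeled) exit 3
            exit (wrong ? 1 : 0)
        }
    '
}

# Constructed sample lines (not captured from a real system).
# Default user label: the PAM-launched daemon was not transitioned.
SAMPLE_DEFAULT='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 kwalletd5'
# Dedicated label: the result wanted once a matching policy is loaded.
SAMPLE_CONFINED='unconfined_u:unconfined_r:kwallet_t:s0-s0:c0.c1023 kwalletd5'
# No SELinux context available for the process.
SAMPLE_NOSELINUX='- kwalletd5'

# On a live session (hypothetical type name):
#   ps -eo label,comm | check_kwalletd_label kwallet_t
```

Status 1 after a PAM login combined with status 0 for a kwalletd5 started by hand is the situation the summary describes: only the PAM launch stays in the default user label.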

Diff Detail

Repository
R107 KWallet PAM Integration
Lint
Lint Skipped
Unit
Unit Tests Skipped
Restricted Application added a subscriber: plasma-devel. · Jan 29 2020, 3:24 AM
secureworkstation requested review of this revision. · Jan 29 2020, 3:24 AM
davidedmundson added inline comments.
CMakeLists.txt, line 17

instead of message()

set_package_properties(SELINUX PROPERTIES DESCRIPTION "some security thing"
                       TYPE OPTIONAL
                       PURPOSE "Do a security thing."
                      )

and then line

feature_summary(WHAT ALL INCLUDE_QUIET_PACKAGES FATAL_ON_MISSING_REQUIRED_PACKAGES)

is better, it does the same thing you're doing but in a more parseable way

pam_selinux.c, line 44

on the gnome patch this is the macro

SECCLASS_PROCESS

any reason for the difference?