D26979: KWallet-PAM SELinux context transition support

secureworkstation noreply at phabricator.kde.org
Wed Jan 29 03:24:08 GMT 2020 

secureworkstation created this revision.
secureworkstation added projects: Frameworks, Plasma.
Herald added a subscriber: plasma-devel.
secureworkstation requested review of this revision.

REVISION SUMMARY
  This patch is a repurposed patch by Daniel Walsh for gnome-keyring:
  
  https://github.com/GNOME/gnome-keyring/commit/2f6a7c049dfffed20e3f78e3f51a8cca8735f2d3
  https://github.com/GNOME/gnome-keyring/commit/74fc065e3c3e04a5cd5dfa0e725f7664825a5b1e
  https://bugzilla.redhat.com/show_bug.cgi?id=684225
  
  In short, for most (if not all) existing users this patch should do nothing: for those without SELinux, for those with SELinux disabled and for those with SELinux enabled in default settings. One would need to construct a policy and no such policy currently exists (but I'm working on one for Fedora and it's not a trivial job).
  
  SELinux works on labels given to processes and objects like files. Without this patch, pam_selinux (the PAM module, not this patch) transitions to the default user label which is used to launch kwalletd5 process by pam_kwallet. For me it's suboptimal, because I want to give it a dedicated label to further confine the process for security purposes. KWallet launched by user (not PAM) transitions correctly, it is just the PAM launch that requires special code.
  
  Ideally that could be a start to sandbox a lot more of Plasma using SELinux.
  
  Tracking bug on fedora-selinux Github on more work on confining Plasma using SELinux: https://github.com/fedora-selinux/selinux-policy-contrib/issues/192

TEST PLAN
  1. Make sure it compiles on machines without SELinux [done]
  2. Make sure it doesn't break SELinux-disabled installations [help wanted]
  3. Make sure it doesn't break vanilla SELinux installations [pending]
  4. Make sure it transitions to the correct label if a correct policy is present [done]

REPOSITORY
  R107 KWallet PAM Integration

REVISION DETAIL
  https://phabricator.kde.org/D26979

AFFECTED FILES
  CMakeLists.txt
  pam_kwallet.c
  pam_selinux.c
  pam_selinux.h

To: secureworkstation
Cc: plasma-devel, Orage, LeGast00n, The-Feren-OS-Dev, jraleigh, zachus, fbampaloukas, GB_2, ragreen, michaelh, ZrenBot, ngraham, bruns, alexeymin, himcesjf, lesliezhai, ali-mohamed, jensreuterberg, abetts, sebas, apol, ahiemstra, mart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/plasma-devel/attachments/20200129/c2849ba0/attachment.html>

More information about the Plasma-devel mailing list