Package: selinux-policy-default
Version: 2:2.20190201-7
Followup-For: Bug #874191
Control: -1 + patch

I have fixed this by making the following changes:

1. Patch libselinux with
   <https://github.com/SELinuxProject/selinux/commit/1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9>

2. Modify /etc/selinux/default/contexts/users/* by adding the following
   lines (taken from my Fedora machine):

   $ grep init_t /etc/selinux/default/contexts/users
   /etc/selinux/default/contexts/users/guest_u:system_r:init_t:s0 guest_r:guest_t:s0
   /etc/selinux/default/contexts/users/staff_u:system_r:init_t:s0 staff_r:staff_t:s0
   /etc/selinux/default/contexts/users/unconfined_u:system_r:init_t:s0 unconfined_r:unconfined_t:s0
   /etc/selinux/default/contexts/users/user_u:system_r:init_t:s0 user_r:user_t:s0
   /etc/selinux/default/contexts/users/xguest_u:system_r:init_t:s0 xguest_r:xguest_t:s0

3. Reboot the machine (I don't know why a simple 'loginctl terminate-user $USER'
   followed by logging in is not sufficient, any ideas?)

As for the purpose of that patch, see
<https://github.com/SELinuxProject/selinux/issues/28>. Note the ERANGE error
when writing to /sys/fs/selinux/user:

$ strace -s 2048 python3 -c 'import selinux; selinux.get_ordered_context_list("unconfined_u", "system_u:system_r:init_t:s0")'
[...]
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=584, ...}) = 0
read(3, "# This file controls the state of SELinux on the system.\n# SELINUX= can take one of these three values:\n# enforcing - SELinux security policy is enforced.\n# permissive - SELinux prints warnings instead of enforcing.\n# disabled - No SELinux policy is loaded.\nSELINUX=permissive\n# SELINUXTYPE= can take one of these two values:\n# default - equivalent to the old strict and targeted policies\n# mls - Multi-Level Security (for military and educational use)\n# src - Custom policy built from source\nSELINUXTYPE=default\n\n# SETLOCALDEFS= Check local definition changes\nSETLOCALDEFS=0\n", 4096) = 584
read(3, "", 4096) = 0
close(3) = 0
futex(0x7f546b70db40, FUTEX_WAKE_PRIVATE, 2147483647) = 0
access("/var/run/setrans/.setrans-unix", F_OK) = -1 ENOENT (No such file or directory)
futex(0x7f546b70dbc8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
openat(AT_FDCWD, "/sys/fs/selinux/user", O_RDWR|O_CLOEXEC) = 3
write(3, "system_u:system_r:init_t:s0 unconfined_u", 40) = -1 ERANGE (Numerical result out of range)
close(3) = 0
openat(AT_FDCWD, "/etc/selinux/default/contexts/failsafe_context", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=21, ...}) = 0
read(3, "sysadm_r:sysadm_t:s0\n", 4096) = 21
close(3) = 0
openat(AT_FDCWD, "/sys/fs/selinux/context", O_RDWR|O_CLOEXEC) = 3
write(3, "unconfined_u:sysadm_r:sysadm_t:s0\0", 34) = -1 EINVAL (Invalid argument)
close(3)

This matches one of the comments there:

  "On our experimental Ubuntu 18.04.3 LTS machine running SELinux with latest
  official reference policy, we always get pam_selinux.so complaining “unable
  to get valid context for gdm” during system bootup. And we found it is the
  security_compute_user() hits the 4k page size bound with error -ERANGE from
  sel_write_user(). Specifically, we intend to transition from
  “system_u:system_r:init_t” to “system_u:system_r:xdm_t” in order to run the
  systemd user instance for system user gdm. With some instruments in the
  kernel, we realize we need roughly 16k for complete set of reachable
  contexts."

and I believe Fedora has worked around the issue by altering their policy to
restrict outbound transitions from init_t and other unconfined domains to only
legitimate ones. And indeed, on my Fedora machine the write is successful and
is followed by a read that returns 19 contexts.

So. Rather than figuring out how Fedora modified refpolicy to make the
transitions fit into a single page, applying the patch above does the job. But
refpolicy must still be modified by adding entries for init_t to the selinux
user default context files as described above (refer to Fedora's versions of
these files at
<https://github.com/fedora-selinux/selinux-policy/tree/rawhide/config/appconfig-standard>;
it looks like Fedora are keeping their modifications directly in that repo
rather than as a series of patches to be applied to vanilla refpolicy?)

-- System Information:
Debian Release: 10.3
  APT prefers stable-debug
  APT policy: (570, 'stable-debug'), (570, 'stable'), (550, 'testing-debug'), (550, 'testing'), (530, 'unstable-debug'), (530, 'unstable'), (500, 'stable-updates'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      3.0-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        3.0-1
ii  policycoreutils  2.8-1
ii  selinux-utils    3.0-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed [not included]

-- no debconf information
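Added example (not part of this bug report, of libselinux or of refpolicy): a simplified Python model of the lookup chain the strace above walks through, showing what the init_t lines added to contexts/users/<seuser> do for the ordering of login contexts, and why a failed /sys/fs/selinux/user query ends in a write of <seuser>:<failsafe_context>. The file contents, the reachable-context lists and the type name example_t are constructed sample data; the 4096-byte limit is an assumed stand-in for the per-page buffer the quoted comment describes, and the ordering rule (preferred contexts first, remaining reachable contexts after) is a simplification of get_ordered_context_list, not its actual code.

```python
from typing import Dict, List, Optional

PAGE_SIZE = 4096  # assumed bound, standing in for the kernel's one-page reply buffer

# Constructed: the init_t lines from the report, one file per SELinux user.
USERS_FILES: Dict[str, str] = {
    "unconfined_u": "system_r:init_t:s0 unconfined_r:unconfined_t:s0\n",
    "staff_u":      "system_r:init_t:s0 staff_r:staff_t:s0\n",
    "user_u":       "system_r:init_t:s0 user_r:user_t:s0\n",
}
# Constructed to match the strace: failsafe_context holds a partial context.
FAILSAFE_CONTEXT = "sysadm_r:sysadm_t:s0\n"

# Constructed small reachable list (example_t is a made-up type).
REACHABLE_SMALL = [
    "unconfined_u:unconfined_r:example_t:s0",
    "unconfined_u:unconfined_r:unconfined_t:s0",
]


def strip_user(ctx: str) -> str:
    """'system_u:system_r:init_t:s0' -> 'system_r:init_t:s0' (drop the user field)."""
    return ctx.split(":", 1)[1]


def parse_contexts_file(text: str) -> Dict[str, List[str]]:
    """Parse a contexts/users file: '<from role:type:level> <preferred partial ctx>...'."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def kernel_compute_user(reachable: List[str],
                        page_size: int = PAGE_SIZE) -> Optional[List[str]]:
    """Model of the /sys/fs/selinux/user reply: every reachable context is
    serialised NUL-terminated into one page; if the set does not fit, the
    query fails (the ERANGE in the strace) and the caller gets nothing."""
    used = 0
    for ctx in reachable:
        used += len(ctx.encode()) + 1  # context bytes plus NUL terminator
        if used >= page_size:
            return None
    return list(reachable)


def order_contexts(seuser: str, from_ctx: str, reachable: Optional[List[str]],
                   users_files: Dict[str, str], failsafe: str) -> List[str]:
    """Order the reachable contexts by the user's preference file, or fall
    back to <seuser>:<failsafe_context> when the kernel query failed."""
    if reachable is None:
        return [f"{seuser}:{failsafe.strip()}"]
    prefs = parse_contexts_file(users_files.get(seuser, ""))
    wanted = [f"{seuser}:{p}" for p in prefs.get(strip_user(from_ctx), [])]
    preferred = [c for c in wanted if c in reachable]
    rest = [c for c in reachable if c not in preferred]
    return preferred + rest


def many_contexts(n: int) -> List[str]:
    """Constructed reachable list large enough to overflow one page."""
    return [f"unconfined_u:unconfined_r:domain{i}_t:s0" for i in range(n)]


if __name__ == "__main__":
    frm = "system_u:system_r:init_t:s0"
    fits = kernel_compute_user(REACHABLE_SMALL)
    print("fits in one page:", order_contexts("unconfined_u", frm, fits, USERS_FILES, FAILSAFE_CONTEXT))
    # Without the init_t preference line the order is just whatever the kernel returned.
    print("no init_t line:  ", order_contexts("unconfined_u", frm, fits, {}, FAILSAFE_CONTEXT))
    overflow = kernel_compute_user(many_contexts(200))
    print("page overflow -> ", order_contexts("unconfined_u", frm, overflow, USERS_FILES, FAILSAFE_CONTEXT))
```

The third print reproduces the shape of the failing strace: once the reachable set no longer fits in a page, the only candidate left is unconfined_u:sysadm_r:sysadm_t:s0, which the kernel then rejects at /sys/fs/selinux/context because that user/role pairing is not valid in the loaded policy.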