Bug ID: 1208606
Summary: [SELinux] greetd/sway session runs too many applications in xdm_t context
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: filippo.bonazzi@suse.com
Reporter: mcepl@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 865083
Output of ausearch -m AVC -ts today

With greetd-0.9.0-38.4.x86_64, gtkgreet-0.7-2.1.x86_64, sway-1.8.1-1.1.x86_64,
selinux-policy-targeted-20221019-8.1.noarch I get

stitny~$ ps auxZ|grep xdm_t
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2464 0.0  0.0  3908  3668 ?        SLs  18:14   0:00 greetd
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2734 0.1  0.0  7512  7472 tty2     SLs+ 18:14   0:00 /usr/bin/greetd --session-worker 12
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2755 0.0  0.0 7012  3172 tty2     S+   18:14   0:00 /bin/sh /usr/bin/sway-run.sh
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2800 5.9  0.7 3089064 118052 tty2 Rl+  18:14   0:00 sway
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2823 0.3  0.0 17124 9724 tty2     S+   18:14   0:00 swaybg -o * -i /usr/share/wallpapers/default-1920x1080.jpg -m fill
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2834 3.3  0.3 1938976 61960 tty2  Sl+  18:14   0:00 waybar -b bar-0
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2836 0.0  0.0 6256  1540 ?        S    18:14   0:00 swayidle -w timeout 300 swaylock -f -c 000000 timeout 600 swaymsg "output * dpms off" resume swaymsg "output * dpms on" before-sleep swaylock -f -c 000000
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2856 0.0  0.0 7012  3216 ?        S    18:14   0:00 sh -c tail -f $SWAYSOCK.wob | wob --config /etc/sway/wob/wob.ini
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2860 1.5  0.1 339372 27536 ?      Sl   18:14   0:00 swaync --style /etc/sway/swaync/style.css --config /etc/sway/swaync/config.json
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2861 0.0  0.0 5568  1044 ?        S    18:14   0:00 tail -f /run/user/1000/sway-ipc.1000.2800.sock.wob
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2862 0.0  0.0 2916  1100 ?        S    18:14   0:00 wob --config /etc/sway/wob/wob.ini
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2890 0.0  0.0 7012  3152 ?        S    18:14   0:00 sh -c tail -f $SWAYSOCK.wob | wob
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2896 1.2  0.1 337620 23484 ?      Sl   18:14   0:00 /usr/libexec/polkit-gnome-authentication-agent-1
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2897 0.0  0.0 5568  1000 ?        S    18:14   0:00 tail -f /run/user/1000/sway-ipc.1000.2800.sock.wob
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2898 0.0  0.0 2944  1148 ?        S    18:14   0:00 wob
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2900 0.0  0.0 2708  1056 ?        S    18:14   0:00 wl-paste -t text --watch clipman store --histpath=~/.cache/clipman.json
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2989 0.0  0.0 7012  3156 tty2     S    18:14   0:00 sh -c swaymsg -mrt subscribe '["input"]' | jq -r --unbuffered "select(.change == \"xkb_layout\") | .input | select(.type == \"keyboard\") | .xkb_active_layout_name | .[0:2]"
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2994 0.0  0.0 2672   964 tty2     S    18:14   0:00 swaymsg -mrt subscribe ["input"]
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2995 0.2  0.0 5084  3284 tty2     S    18:14   0:00 jq -r --unbuffered select(.change == "xkb_layout") | .input | select(.type == "keyboard") | .xkb_active_layout_name | .[0:2]
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3009 0.0  0.0 7012  3136 tty2     S    18:14   0:00 sh -c swaymsg -mrt subscribe '["input"]' | jq -r --unbuffered "select(.change == \"xkb_layout\") | .input | select(.type == \"keyboard\") | .xkb_active_layout_name | .[0:2]"
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3014 0.0  0.0 2672   964 tty2     S    18:14   0:00 swaymsg -mrt subscribe ["input"]
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3015 0.2  0.0 5084  3180 tty2     S    18:14   0:00 jq -r --unbuffered select(.change == "xkb_layout") | .input | select(.type == "keyboard") | .xkb_active_layout_name | .[0:2]
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3031 5.4  0.1 1135464 27864 ?     Sl   18:14   0:00 foot
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3032 0.5  0.0 160620 8488 pts/0   Ss+  18:14   0:00 /usr/bin/fish
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3044 0.0  0.0 81508 1092 ?        Ss   18:14   0:00 gpg-agent --homedir /home/matej/.gnupg --use-standard-socket --daemon
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3051 0.0  0.0 7344   760 ?        Ss   18:14   0:00 ssh-agent -c
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3069 7.1  0.1 1135476 24144 ?     Sl   18:14   0:00 foot
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3070 1.3  0.0 164568 12428 pts/1  Ssl  18:14   0:00 /usr/bin/fish
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3099 7.2  0.1 1135332 24736 ?     Sl   18:14   0:00 foot
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3100 0.8  0.0 160620 8512 pts/2   Ss+  18:14   0:00 /usr/bin/fish
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3142 0.0  0.0 10980 4080 pts/1    R+   18:14   0:00 ps auxZ
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3143 0.0  0.0 6584  2180 pts/1    R+   18:14   0:00 grep --color=auto xdm_t
stitny~$ 

I have SELinux in the Permissive mode.
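
Added example (not part of the original report, and not code from greetd, sway or selinux-policy): a check that lists processes still labelled xdm_t although they belong to an ordinary user, which is the symptom shown in the listing above. The function names xdm_leftovers and sample_ps are hypothetical; the sample rows are constructed from the report's output, and the unconfined_t row is constructed for contrast.

```shell
#!/bin/sh
# Input on stdin: output of  ps -eo label,user,pid,args
# Arguments: user names that may legitimately stay in xdm_t (default: root).
# Output: one "pid<TAB>user<TAB>command" line per leftover process.

xdm_leftovers() {
    allowed="${*:-root}"
    awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LABEL" { next }                  # skip the ps header row
        {
            # SELinux label is user:role:type:level; the level may contain ":"
            if (split($1, ctx, ":") < 3) next   # "-" means no label (SELinux off)
            if (ctx[3] != "xdm_t" || ($2 in ok)) next
            cmd = $4
            for (i = 5; i <= NF; i++) cmd = cmd " " $i
            printf "%s\t%s\t%s\n", $3, $2, cmd
        }'
}

# Constructed sample in "ps -eo label,user,pid,args" layout, modelled on the
# report; PID 4000 is an invented row showing a session process that did
# leave the display manager domain.
sample_ps() {
    cat <<'EOF'
LABEL                                   USER  PID COMMAND
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2464 greetd
system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2734 /usr/bin/greetd --session-worker 12
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2800 sway
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3032 /usr/bin/fish
system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3051 ssh-agent -c
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 matej 4000 foot
EOF
}

# Live use:  ps -eo label,user,pid,args | xdm_leftovers root
sample_ps | xdm_leftovers root
```

Any line this prints on a live system is a user process that never transitioned out of the display manager's domain; an empty result is the expected state once the session transition works.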

