https://bugzilla.suse.com/show_bug.cgi?id=1208606 Bug ID: 1208606 Summary: [SELinux] greetd/sway session runs too many applications in xdm_t context Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: filippo.bonazzi@suse.com Reporter: mcepl@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 865083 --> https://bugzilla.suse.com/attachment.cgi?id=865083&action=edit Output of ausearch -m AVC -ts today With greetd-0.9.0-38.4.x86_64, gtkgreet-0.7-2.1.x86_64, sway-1.8.1-1.1.x86_64, selinux-policy-targeted-20221019-8.1.noarch I get stitny~$ ps auxZ|grep xdm_t system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2464 0.0 0.0 3908 3668 ? SLs 18:14 0:00 greetd system_u:system_r:xdm_t:s0-s0:c0.c1023 root 2734 0.1 0.0 7512 7472 tty2 SLs+ 18:14 0:00 /usr/bin/greetd --session-worker 12 system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2755 0.0 0.0 7012 3172 tty2 S+ 18:14 0:00 /bin/sh /usr/bin/sway-run.sh system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2800 5.9 0.7 3089064 118052 tty2 Rl+ 18:14 0:00 sway system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2823 0.3 0.0 17124 9724 tty2 S+ 18:14 0:00 swaybg -o * -i /usr/share/wallpapers/default-1920x1080.jpg -m fill system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2834 3.3 0.3 1938976 61960 tty2 Sl+ 18:14 0:00 waybar -b bar-0 system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2836 0.0 0.0 6256 1540 ? S 18:14 0:00 swayidle -w timeout 300 swaylock -f -c 000000 timeout 600 swaymsg "output * dpms off" resume swaymsg "output * dpms on" before-sleep swaylock -f -c 000000 system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2856 0.0 0.0 7012 3216 ? S 18:14 0:00 sh -c tail -f $SWAYSOCK.wob | wob --config /etc/sway/wob/wob.ini system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2860 1.5 0.1 339372 27536 ? Sl 18:14 0:00 swaync --style /etc/sway/swaync/style.css --config /etc/sway/swaync/config.json system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2861 0.0 0.0 5568 1044 ? S 18:14 0:00 tail -f /run/user/1000/sway-ipc.1000.2800.sock.wob system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2862 0.0 0.0 2916 1100 ? S 18:14 0:00 wob --config /etc/sway/wob/wob.ini system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2890 0.0 0.0 7012 3152 ? S 18:14 0:00 sh -c tail -f $SWAYSOCK.wob | wob system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2896 1.2 0.1 337620 23484 ? Sl 18:14 0:00 /usr/libexec/polkit-gnome-authentication-agent-1 system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2897 0.0 0.0 5568 1000 ? S 18:14 0:00 tail -f /run/user/1000/sway-ipc.1000.2800.sock.wob system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2898 0.0 0.0 2944 1148 ? S 18:14 0:00 wob system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2900 0.0 0.0 2708 1056 ? S 18:14 0:00 wl-paste -t text --watch clipman store --histpath=~/.cache/clipman.json system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2989 0.0 0.0 7012 3156 tty2 S 18:14 0:00 sh -c swaymsg -mrt subscribe '["input"]' | jq -r --unbuffered "select(.change == \"xkb_layout\") | .input | select(.type == \"keyboard\") | .xkb_active_layout_name | .[0:2]" system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2994 0.0 0.0 2672 964 tty2 S 18:14 0:00 swaymsg -mrt subscribe ["input"] system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 2995 0.2 0.0 5084 3284 tty2 S 18:14 0:00 jq -r --unbuffered select(.change == "xkb_layout") | .input | select(.type == "keyboard") | .xkb_active_layout_name | .[0:2] system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3009 0.0 0.0 7012 3136 tty2 S 18:14 0:00 sh -c swaymsg -mrt subscribe '["input"]' | jq -r --unbuffered "select(.change == \"xkb_layout\") | .input | select(.type == \"keyboard\") | .xkb_active_layout_name | .[0:2]" system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3014 0.0 0.0 2672 964 tty2 S 18:14 0:00 swaymsg -mrt subscribe ["input"] system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3015 0.2 0.0 5084 3180 tty2 S 18:14 0:00 jq -r --unbuffered select(.change == "xkb_layout") | .input | select(.type == "keyboard") | .xkb_active_layout_name | .[0:2] system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3031 5.4 0.1 1135464 27864 ? Sl 18:14 0:00 foot system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3032 0.5 0.0 160620 8488 pts/0 Ss+ 18:14 0:00 /usr/bin/fish system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3044 0.0 0.0 81508 1092 ? Ss 18:14 0:00 gpg-agent --homedir /home/matej/.gnupg --use-standard-socket --daemon system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3051 0.0 0.0 7344 760 ? Ss 18:14 0:00 ssh-agent -c system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3069 7.1 0.1 1135476 24144 ? Sl 18:14 0:00 foot system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3070 1.3 0.0 164568 12428 pts/1 Ssl 18:14 0:00 /usr/bin/fish system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3099 7.2 0.1 1135332 24736 ? Sl 18:14 0:00 foot system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3100 0.8 0.0 160620 8512 pts/2 Ss+ 18:14 0:00 /usr/bin/fish system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3142 0.0 0.0 10980 4080 pts/1 R+ 18:14 0:00 ps auxZ system_u:system_r:xdm_t:s0-s0:c0.c1023 matej 3143 0.0 0.0 6584 2180 pts/1 R+ 18:14 0:00 grep --color=auto xdm_t stitny~$ I have SELinux in the Permissive mode. -- You are receiving this mail because: You are on the CC list for the bug.