Eliminate use of /sys/fs/selinux/user aka security_compute_user() about selinux HOT 3 CLOSED

On our experimental Ubuntu 18.04.3 LTS machine running SELinux with latest official reference policy, we always get pam_selinux.so complaining “unable to get valid context for gdm” during system bootup. And we found it is the security_compute_user() hits the 4k page size bound with error -ERANGE from sel_write_user(). Specifically, we intend to transition from “system_u:system_r:init_t” to “system_u:system_r:xdm_t” in order to run the systemd user instance for system user gdm. With some instruments in the kernel, we realize we need roughly 16k for complete set of reachable contexts. That makes us wondering:

1. The assumption about one page size is insufficient. We need to bump up size. But how large is enough?
2. Maybe this is indeed a feature that disfavor type transition for a type that has large reachable contexts (fan-outs)?
3. Or, it is time to bring the whole compute_user to userland?

What do you think?

from selinux.

I believe Fedora has worked around the issue by altering their policy to restrict outbound transitions from init_t and other unconfined domains to only legitimate ones. I would also recommend getting rid of the use of security_compute_user altogether. There was a patch to do this but there were some unresolved issues/concerns with it, see https://lore.kernel.org/selinux/[email protected]/ and its follow-ups.

from selinux.

I have proposed re-visiting the patch above with minor modifications to resolve this issue.

from selinux.