Bug 457064

Summary: Using KDE Plasma with SELinux restricted users causes weird AVCs with SELinux running as permissive and makes restricted login impossible with SELinux running as enforcing
Product: [Plasma] plasmashell
Reporter: Roger K. Trussell <roger.k.trussell>
Component: general
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED WORKSFORME
Severity: normal
CC: kde, nate
Priority: NOR
Version First Reported In: 5.25.3
Target Milestone: 1.0
Platform: Other
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Roger K. Trussell 2022-07-24 08:11:40 UTC
SUMMARY


STEPS TO REPRODUCE
1. Install the Fedora Workstation 36 KDE Spin and apply all updates
2. Edit the "/etc/selinux/config" file and put SELinux in permissive mode because the following steps won't work in "enforcing" mode.
3. Create a new Linux user and use "sudo semanage login" to map that new Linux user onto the SELinux user "user_u"
4. Reboot and log in as that restricted user


OBSERVED RESULT
You will see interesting AVCs such as:
SELinux is preventing plasmashell from watch access on the directory /
SELinux is preventing plasmashell from watch access on the file /etc/passwd.
SELinux is preventing ksmserver-logou from watch access on the file /etc/passwd.
SELinux is preventing kwin_wayland from write access on the file /tmp/#118

EXPECTED RESULT

I kinda expected that maybe the KDE login mechanism would be modular or at least use a standard PAM and not need direct access to any sensitive system resources.  I understand if temporary files need to be stored in the user directory. 

I was hoping to create SELinux restricted accounts on this Fedora Workstation that would not need direct access to any sensitive system resources. 

I'm still trying to wrap my head around how Wayland and modern window managers work. 

I just assumed that maybe things like sddm and the Wayland compositor would both run as daemons with root level permissions and the Wayland clients would run with the same system permissions as the "logged in user". Perhaps having the compositor and sddm both running as root would block or confuse the communication between the clients and the compositor. I just don't know. Sorry.

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: Fedora Workstation 36 KDE Spin: kernel: 5.18.13-200.fc36.x86_64
(available in About System)
KDE Plasma Version: 5.25.3
KDE Frameworks Version: 5.96.0
Qt Version: 5.15.3

ADDITIONAL INFORMATION
Comment 1 Nate Graham 2025-04-05 20:44:00 UTC
Sorry we didn't manage to get to this yet.

In fact it's advantageous for the compositor to not run as root on Wayland, and KWin doesn't; it runs in userspace.

Is this still a problem for you today? Are you sure it's our issue, as opposed to simply a lack of SELinux configuration to accommodate what you're trying to do?
Comment 2 Bug Janitor Service 2025-04-20 03:47:09 UTC
๐Ÿ›๐Ÿงน โš ๏ธ This bug has been in NEEDSINFO status with no change for at least 15 days. Please provide the requested information, then set the bug status to REPORTED. If there is no change for at least 30 days, it will be automatically closed as RESOLVED WORKSFORME.

For more information about our bug triaging procedures, please read https://community.kde.org/Guidelines_and_HOWTOs/Bug_triaging.

Thank you for helping us make KDE software even better for everyone!
Comment 3 Bug Janitor Service 2025-05-05 03:47:16 UTC
๐Ÿ›๐Ÿงน This bug has been in NEEDSINFO status with no change for at least 30 days. Closing as RESOLVED WORKSFORME.