Bug 1222978

*** Bug 1221272 has been marked as a duplicate of this bug. ***

I am having some issues that are related to our custom patches in gdm.

When the autologin setting is changed, gdm first writes a temporary file in /etc/sysconfig/displaymanager.new.<randomnumber> and writes it back into /etc/sysconfig/displaymanager.

This is done in our custom patch: https://build.opensuse.org/projects/openSUSE:Factory/packages/gdm/files/gdm-sysconfig-settings.patch?expand=1

```
+static gboolean
+save_settings_file (const gchar *file_name, gchar **lines)
+{
+        GIOStatus   last_status = G_IO_STATUS_ERROR;
+        GIOChannel *channel     = NULL;
+        gchar      *temp_file_name;
+        gint        i;
+
+        temp_file_name = g_strdup_printf ("%s.new.%u", file_name, g_random_int ());
+
+        channel = g_io_channel_new_file (temp_file_name, "w", NULL);
...
```

The problem is that selinux can not easily set the correct type to displaymanager.new.<randomnumber> as we can not easily file transition to a wildcard.

There are 2 options to fix this:
1) We remove the <randomnumber>, which should be okay as we are not in /tmp and /etc/sysconfig is not world writable (please correct me if i am wrong @Johannes). Then i can add a transition to the correct type of displaymanager.new in the policy
2) We make the patch selinux-aware to set the correct types (needs probably a lot of changes)

@xiaoguang.wang @hpj as maintainer of gdm / patch writers, is there a reason why we need the random number in /etc/sysconfig/displaymanager.new.<randomnumber>? and what would be your preferred solution?

(In reply to Cathy Hu from comment #2)
> There are 2 options to fix this:
> 1) We remove the <randomnumber>, which should be okay as we are not in /tmp
> and /etc/sysconfig is not world writable (please correct me if i am wrong
> @Johannes). Then i can add a transition to the correct type of
> displaymanager.new in the policy

It's possible there are two or more gdm processes at same time(When remote login with session management), so we use randomnumber to distinguish them.

> 2) We make the patch selinux-aware to set the correct types (needs probably
> a lot of changes)

I have no idea what is the best solution.

Hi @xiaoguang.wang, instead of writing the temp file to /etc/sysconfig/displaymanager.new.<somenumber>, could you write it to <some_private_temp_folder>/displaymanager.new?

If you do this, we can detect the file by name and assign it the proper SELinux context upon creation. This would be the easiest and cleanest solution for us.

The file context is retained when the temp file is then renamed (moved) to /etc/sysconfig/displaymanager.

(In reply to Filippo Bonazzi from comment #4)
> Hi @xiaoguang.wang, instead of writing the temp file to
> /etc/sysconfig/displaymanager.new.<somenumber>, could you write it to
> <some_private_temp_folder>/displaymanager.new?

Writing the temp file to /tmp/gdm.xxxxxx/displaymanager.new, xxxxxx is the random number. Does it work for SELinux context?

I think so. If you can build a GDM rpm with this change, we can test it and see what we need to change for SELinux.

The temp file is changed to /run/sysconfig.XXXXXX/displaymanager.new. My repo is https://build.opensuse.org/package/show/home:xiaoguang_wang:branches:GNOME:Factory:SELinux/gdm, you can test with it.

Any specific reason why you went with /run/sysconfig.XXXXXX/displaymanager.new instead of /tmp/sysconfig.XXXXXX/displaymanager.new?

(In reply to Filippo Bonazzi from comment #9)
> Any specific reason why you went with
> /run/sysconfig.XXXXXX/displaymanager.new instead of
> /tmp/sysconfig.XXXXXX/displaymanager.new?

The package gdm and accountsservice use the same way to write displaymanager. The accountsservice has no priority to write the /tmp, so I change it to /run.

/etc/sysconfig/displaymanager is managed in parallel at least by by (possibly several instances of) gdm and accountsservice.

These can access the file in several ways, but have been patched to specifically atomically replace the file with a new version with the /run/.../displaymanager.new mechanism described above. This is not actually fully atomic since /etc/sysconfig/displaymanager is hard-removed first, and /run/.../displaymanager.new is then moved to /etc/sysconfig/displaymanager.

The proposed solution in https://gitlab.suse.de/selinux/selinux-policy/-/merge_requests/61 takes into account this complexity of file access, removal, creation from scratch, etc. by both GDM and accountsservice.

Fix submitted in https://build.opensuse.org/request/show/1181332

This will also need @xiaoguang wang to submit the changes in https://build.opensuse.org/package/show/home:xiaoguang_wang:branches:GNOME:Factory:SELinux/gdm and https://build.opensuse.org/package/show/home:xiaoguang_wang:branches:GNOME:Factory:SELinux/accountsservice

This is an autogenerated message for OBS integration:
This bug (1222978) was mentioned in
https://build.opensuse.org/request/show/1181710 Factory / gdm
https://build.opensuse.org/request/show/1181711 Factory / accountsservice

The change is sent to GNOME:Factory
https://build.opensuse.org/request/show/1181710 Factory / gdm
https://build.opensuse.org/request/show/1181711 Factory / accountsservice