Bug 1651378

Summary: [RFE] Provide a mechanism for persistently showing the security level of a machine at login time
Product: Red Hat Enterprise Linux 8 Reporter: Pat Riehecky <riehecky>
Component: gnome-shell Assignee: Ray Strode [halfline] <rstrode>
Status: CLOSED ERRATA QA Contact: Michael Boisvert <mboisver>
Severity: unspecified Docs Contact: Marek Suchánek <msuchane>
Priority: unspecified    
Version: 8.3 CC: aday, alanm, amike, brclark, extras-qa, fmuellner, jadahl, jkoten, jwright, misterbonnie, mkolbas, otaylor, riehecky, rschiron, rstrode, sbarcomb, tpelka, tpopela, yuokada
Target Milestone: rc Keywords: FutureFeature, Reopened, Triaged
Target Release: 8.3 Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnome-shell-extensions-3.32.1-20.el8 gnome-shell-3.32.2-39.el8 Doc Type: Enhancement
Doc Text:
.Displaying the system security classification at login
You can now configure the GNOME Display Manager (GDM) login screen to display an overlay banner that contains a predefined message. This is useful for deployments where the user is required to read the security classification of the system before logging in.

To enable the overlay banner and configure a security classification message, use the following procedure:

1. Install the `gnome-shell-extension-heads-up-display` package:
+
----
# yum install gnome-shell-extension-heads-up-display
----

2. Create the `/etc/dconf/db/gdm.d/99-hud-message` file with the following content:
+
[subs=+quotes]
----
[org/gnome/shell]
enabled-extensions=['heads-up-display@gnome-shell-extensions.gcampax.github.com']

[org/gnome/shell/extensions/heads-up-display]
message-heading="_Security classification title_"
message-body="_Security classification description_"
----
+
Replace the following values with text that describes the security classification of your system:
+
_Security classification title_:: A short heading that identifies the security classification.
_Security classification description_:: A longer message that provides additional details, such as references to various guidelines.

3. Update the `dconf` database:
+
----
# dconf update
----

4. Reboot the system.
Story Points: ---
Clone Of: 1637700 Environment:
Last Closed: 2021-11-09 19:33:50 UTC Type: Feature Request
Embargoed:
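
A check for the procedure in the Doc Text above, as an added example (not part of the bug report or of Red Hat's tooling): it verifies that the keyfile from step 2 enables the extension and sets both message keys, and flags a compiled database that predates the keyfile. The function names, the sample text, and the mtime comparison against the compiled database (assumed to be `/etc/dconf/db/gdm`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the GDM banner keyfile created in step 2.
HUD_UUID='heads-up-display@gnome-shell-extensions.gcampax.github.com'
HUD_SECTION='org/gnome/shell/extensions/heads-up-display'

# keyfile_get FILE SECTION KEY: print the raw value of KEY inside [SECTION].
keyfile_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == want); next }
        insec && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); print v; exit }
        }' "$1"
}

# check_hud_banner KEYFILE [COMPILED_DB]: returns 0 if the banner is configured.
check_hud_banner() {
    file=$1; db=${2:-}; rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    case $(keyfile_get "$file" org/gnome/shell enabled-extensions) in
        *"'$HUD_UUID'"*) ;;
        *) echo "FAIL: $HUD_UUID not in enabled-extensions"; rc=1 ;;
    esac
    for key in message-heading message-body; do
        case $(keyfile_get "$file" "$HUD_SECTION" "$key") in
            '' | '""' | "''") echo "FAIL: $key is unset or empty"; rc=1 ;;
        esac
    done
    # Heuristic (assumption): a compiled db older than the keyfile means
    # "dconf update" (step 3) has not been run since the last edit.
    if [ -n "$db" ] && { [ ! -e "$db" ] || [ "$file" -nt "$db" ]; }; then
        echo "FAIL: $db missing or older than $file; run dconf update"; rc=1
    fi
    return "$rc"
}

# Constructed sample keyfile in the format from step 2 (placeholder text).
write_sample() {
    cat > "$1" <<EOF
[org/gnome/shell]
enabled-extensions=['$HUD_UUID']

[$HUD_SECTION]
message-heading="Example heading"
message-body="Example body"
EOF
}

if [ "$#" -gt 0 ]; then check_hud_banner "$@"; fi
```

Saved under a name of your choice, it is run with the keyfile and the compiled database as arguments, for example `/etc/dconf/db/gdm.d/99-hud-message /etc/dconf/db/gdm`. Other keyfiles in `gdm.d` that also set `enabled-extensions` are not considered.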

Description Pat Riehecky 2018-11-19 21:04:37 UTC
+++ This bug was initially created as a clone of Bug #1637700 +++

Description of problem:
For Scientific Linux we rebuild all the packages and try to replace visual branding where able.

With gnome-shell the noise-texture.png is part of the build rather than sourced from the system at runtime.

This requires patching the source at every rebuild.

Version-Release number of selected component (if applicable):
gnome-shell-3.30.1-1.fc29

How reproducible:
100%

Steps to Reproduce:
1. Try to rebuild gnome-shell with a different 'noise' background
2.
3.

Actual results:
This requires patching the spec with each rebuild.

Expected results:
I expected this background to be changeable via fedora-logos rpm.

Possible solution:

Can the spec file be made a bit smarter so that downstream rebuilds can automatically use an alternate background?


Example patch to resolve:

--- a/gnome-shell.spec
+++ b/gnome-shell.spec
@@ -142,6 +142,10 @@ easy to use experience.
 
 %prep
 %autosetup -S git
+# Permit downstream to replace background at compile time
+if [[ -f %{_datadir}/pixmaps/gnome-shell/noise-texture.png ]]; then
+  %{__cp} %{_datadir}/pixmaps/gnome-shell/noise-texture.png data/theme/noise-texture.png
+fi
 
 %build
 %meson
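
Review bot: The `if [[ -f %{_datadir}/pixmaps/gnome-shell/noise-texture.png ]]` test in %prep makes the build output depend on whatever happens to be installed on the build host, and the hunk adds no BuildRequires for a package that owns that path, so the same spec can silently produce either texture. Make the override explicit, for example behind a build conditional with a matching BuildRequires, and fail the build when the override is requested but the file is absent, so the shipped theme is deterministic. The added comment should also name the package expected to provide the file.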

Comment 1 Tomas Pelka 2018-11-20 18:29:40 UTC
The right place to file this bz is upstream of gnome-shell or gdm.

Comment 3 Ray Strode [halfline] 2020-02-07 14:59:56 UTC
The noise texture is not really a themeable part of the login screen.

The login screen is getting a redesign that will dramatically affect how the background is displayed in the future.

At that point, hopefully, Scientific Linux will no longer want to patch this. I don't have a specific timeline on
when that feature will be incorporated into Red Hat Enterprise Linux 8.

In the interim, though, we're unlikely to make changes to accommodate this sort of cosmetic reworking of the login screen.

Comment 4 Ray Strode [halfline] 2020-02-07 16:10:21 UTC
Also relevant https://lwn.net/Articles/786422/

Comment 5 Andrew Mike 2020-04-02 13:33:59 UTC
I'm reopening this RFE on a request from another customer. Details are below.

- Proposed title of this feature request  

Display of classification level on login screen
  
- What is the nature and description of the request?  

To allow a persistent, configuration-file-based option to display a classification notification/banner before any input occurs.

- Why does the customer need this? (List the business requirements here)  

Government security (STIG-type) documents often/usually require the security-classification level of the RHEL system to be prominently displayed on BOTH the initial login screen (before someone logs in), as well as the desktop background after the user logs in.
  
- How would the customer like to achieve this? (List the functional requirements here)  

A variety of ways are acceptable, but the solution must be persistent, and not require "extreme" measures by the customer (such as recompiling). The dconf-based configuration file method that allows for a customer-created custom background to be displayed on the (post-login) desktop, would be a fine way to accomplish the similar task of displaying a customer-created custom background that appears behind the initial login screen prompt for their username/password. Alternatively, a text-based classification banner superimposed on the screen akin to Frank Caviggia's classification banner program (https://github.com/fcaviggia/classification-banner) may also be acceptable, as long as it displays on all monitors attached to the system. (NOTE: This login-screen background must not supersede the ability to also put a custom 'banner' (text message) next to the login prompt).
  
- For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Simple test.  a) the custom background or classification banner appears behind the login screen every time it is displayed  b) any custom banner text is also successfully displayed every time the login screen is displayed  c) the solution is persistent (not altered/broken by patches/upgrades)
  
- Is there already an existing RFE upstream or in Red Hat Bugzilla?

None present at time of writing, save this one.
  
- Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

RHEL7. We have an immediate need to accomplish this security-classification-level background on the initial login screen, in a handful of classified environments.

- Is the sales team involved in this request and do they have any additional input?  
 
Sales is not involved.

- List any affected packages or components.  

  - gdm
  - gnome-shell
  
- Would the customer be able to assist in testing this functionality if implemented?

Yes.

Comment 35 Michael Boisvert 2021-08-26 20:30:49 UTC
Using the reproducer in #c33, I was able to apply a message at the login screen depicting the security level of the system. The message was present without any interaction with the user.

Comment 46 errata-xmlrpc 2021-11-09 19:33:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: GNOME security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4381