RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1651378 - [RFE] Provide a mechanism for persistently showing the security level of a machine at login time
Summary: [RFE] Provide a mechanism for persistently showing the security level of a ma...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: gnome-shell
Version: 8.3
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: 8.3
Assignee: Ray Strode [halfline]
QA Contact: Michael Boisvert
Marek Suchánek
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-19 21:04 UTC by Pat Riehecky
Modified: 2021-11-10 07:22 UTC (History)
19 users (show)

Fixed In Version: gnome-shell-extensions-3.32.1-20.el8 gnome-shell-3.32.2-39.el8
Doc Type: Enhancement
Doc Text:
.Displaying the system security classification at login You can now configure the GNOME Display Manager (GDM) login screen to display an overlay banner that contains a predefined message. This is useful for deployments where the user is required to read the security classification of the system before logging in. To enable the overlay banner and configure a security classification message, use the following procedure: 1. Install the `gnome-shell-extension-heads-up-display` package: + ---- # yum install gnome-shell-extension-heads-up-display ---- 2. Create the `/etc/dconf/db/gdm.d/99-hud-message` file with the following content: + [subs=+quotes] ---- [org/gnome/shell] enabled-extensions=['heads-up-display@gnome-shell-extensions.gcampax.github.com'] [org/gnome/shell/extensions/heads-up-display] message-heading="_Security classification title_" message-body="_Security classification description_" ---- + Replace the following values with text that describes the security classification of your system: + _Security classification title_:: A short heading that identifies the security classification. _Security classification description_:: A longer message that provides additional details, such as references to various guidelines. 3. Update the `dconf` database: + ---- # dconf update ---- 4. Reboot the system.
Clone Of: 1637700
Environment:
Last Closed: 2021-11-09 19:33:50 UTC
Type: Feature Request
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4850451 0 None None None 2020-02-21 19:55:33 UTC
Red Hat Product Errata RHSA-2021:4381 0 None None None 2021-11-09 19:34:02 UTC

Description Pat Riehecky 2018-11-19 21:04:37 UTC 
+++ This bug was initially created as a clone of Bug #1637700 +++

Description of problem:
For Scientific Linux we rebuild all the packages and try to replace visual branding where able.

With gnome-shell the noise-texture.png is part of the build rather than sourced from the system at runtime.

This requires patching the source at every rebuild.

Version-Release number of selected component (if applicable):
gnome-shell-3.30.1-1.fc29

How reproducible:
100%

Steps to Reproduce:
1.Try to rebuild gnome-shell with a different 'noise' background
2.
3.

Actual results:
This requires patching the spec with each rebuild.

Expected results:
I expected this background to be changable via fedora-logos rpm.

Possible solution:

Can the spec file be made a bit smarter so that downstream rebuilds can automatically use an alternate background?


Example patch to resolve:

--- a/gnome-shell.spec
+++ b/gnome-shell.spec
@@ -142,6 +142,10 @@ easy to use experience.
 
 %prep
 %autosetup -S git
+# Permit downstream to replace background at compile time
+if [[ -f %{_datadir}/pixmaps/gnome-shell/noise-texture.png ]]; then
+  %{__cp} %{_datadir}/pixmaps/gnome-shell/noise-texture.png data/theme/noise-texture.png
+fi
 
 %build
 %meson
Comment 1 Tomas Pelka 2018-11-20 18:29:40 UTC 
The right place to file this bz is upstream of gnome-shell or gdm.
Comment 3 Ray Strode [halfline] 2020-02-07 14:59:56 UTC 
The noise texture is not really a themeable part of the login screen.

The login screen is getting a redesign that will dramatically effect how the background is displayed in the future.

At that point, hopefully, Scientific Linux will no longer want to patch this. I don't have a specific timeline on
when that feature will be incorporated into Red Hat Enterprise Linux 8.

In the interim, though, we're unlikely to make changes to accommodate this sort of cosmetic reworking of the login screen.
Comment 4 Ray Strode [halfline] 2020-02-07 16:10:21 UTC 
Also relevant https://lwn.net/Articles/786422/
Comment 5 Andrew Mike 2020-04-02 13:33:59 UTC 
I'm reopening this RFE on a request from another customer. Details are below.

- Proposed title of this feature request  

Display of classification level on login screen
  
- What is the nature and description of the request?  

To allow a persistent, configuration-file-based option to display a classification notification/banner before any input occurs.

- Why does the customer need this? (List the business requirements here)  

Government security (STIG-type) documents often /usually require the security-classification level of the RHEL system to be prominently displayed on BOTH the initial login screen (before someone logs in), as well as the desktop background after the user logs in.
  
- How would the customer like to achieve this? (List the functional requirements here)  

A variety of ways are acceptable, but the solution must be persistent, and not require "extreme" measures by the customer (such as recompiling). The dconf-based configuration file method that allows for a customer-created custom background to be displayed on the (post-login) desktop, would be a fine way to accomplish the similar task of displaying a customer-created custom background that appears behind the initial login screen prompt for their username/password. Alternatively, a text-based classification banner superimposed on the screen akin to Frank Caviggia's classification banner program (https://github.com/fcaviggia/classification-banner) may also be acceptable, as long as it displays on all monitors attached to the system. (NOTE: This login-screen background must not supercede the ability to also put a custom 'banner' (text message) next to the login prompt).
  
- For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.  

Simple test.  a) the custom background or classification banner appears behind the login screen every time it is displayed  b) any custom banner text is also successfully displayed every time the login screen is displayed  c) the solution is persistent (not altered/broken by patches/upgrades)
  
- Is there already an existing RFE upstream or in Red Hat Bugzilla?

None present at time of writing, save this one.
  
- Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL5, RHEL6)?  

RHEL7. We have an immediate need to accomplish this security-classification-level background on the initial login screen, in a handful of classified environments.

- Is the sales team involved in this request and do they have any additional input?  
 
Sales is not involved.

- List any affected packages or components.  

  - gdm
  - gnome-shell
  
- Would the customer be able to assist in testing this functionality if implemented?

Yes.
Comment 35 Michael Boisvert 2021-08-26 20:30:49 UTC 
Using the reproducer in #c33, I was able to apply a message at the login screen depicting the security level of the system. The message was present without any interaction with the user.
Comment 46 errata-xmlrpc 2021-11-09 19:33:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: GNOME security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4381
Note You need to log in before you can comment on or make changes to this bug.