Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <basile@××××××××××××××.edu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting session context?
Date: Sun, 31 Jul 2011 13:29:03
Message-Id: 4E35587F.3050901@opensource.dyc.edu
In Reply to: Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting session context? by Mike Edenfield
On 07/31/2011 09:18 AM, Mike Edenfield wrote:
> On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
>> You get the same effect even on targeted where your session should be
>> running as unconfined_u:unconfined_r:unconfined_t.
>
> Yes, that was a targeted system I showed the ps output from. When I log
> in through the console I'm in the unconfined domain, just not through
> gdm or kdm.

Heh, I'm glad you properly interpreted that as a question even without
the question mark!

>
>> It's working with gnome. All processes from gnome-session and below run
>> as unconfined.
>>
>> Looks like a bug. Can you please file it.
>
> Will do. Is there anything I can do to help track down the problem? I
> assume that gdm/kdm/etc are supposed to be explicitly setting the
> context when they fire off the session -- this isn't something that's
> accomplished by an automatic domain transition, right?
>

avc logs might help. Other than that, we'll have to read the policy
files and use our brains.

> --Mike
>
>> On 07/30/2011 09:05 PM, Mike Edenfield wrote:
>>> I just installed the latest SELinux stuff from the
>>> hardened-development overlay onto my laptop, currently using the
>>> targeted profile (though I've also switched to strict and relabelled
>>> everything, same effect).
>>>
>>> When logging in via a display manager, either kdm or gdm, the login
>>> session is not switching to the proper security context. Everything
>>> is running as system_u:system_r:xdm_t, including my own login
>>> context. I rebuilt gdm after switching profiles, so it has
>>> USE=selinux; I didn't see a similar USE flag for kdm.
>>>
>>> This is the first time I've tried Gentoo+SELinux on a non-server in a
>>> long time so I'm possibly missing something important. Is there
>>> something obvious I should check for?
>>>
>>> kutulu@platypus ~ $ ls -Z `which kdm`
>>> system_u:object_r:xdm_exec_t /usr/bin/kdm
>>> kutulu@platypus ~ $ ls -Z `which gdm-binary`
>>> system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
>>> kutulu@platypus ~ $ ps xZ
>>> LABEL PID TTY STAT TIME COMMAND
>>> system_u:system_r:xdm_t 14234 ? Ss 0:00 /bin/sh /usr/bin/startkde
>>> system_u:system_r:xdm_t 14298 ? S 0:00 dbus-launch --sh-syntax --exit-with-session
>>> system_u:system_r:xdm_t 14299 ? Ssl 0:03 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>> system_u:system_r:xdm_t 14306 ? Ss 0:00 kdeinit4: kdeinit4 Running...
>>> system_u:system_r:xdm_t 14307 ? S 0:00 kdeinit4: klauncher [kdeinit] --fd=8
>>> system_u:system_r:xdm_t 14309 ? Sl 0:01 kdeinit4: kded4 [kdeinit]
>>> system_u:system_r:xdm_t 14320 ? S 0:00 kdeinit4: kglobalaccel [kdeinit]
>>> system_u:system_r:xdm_t 14327 ? S 0:00 kwrapper4 ksmserver
>>> system_u:system_r:xdm_t 14343 ? Sl 0:00 kdeinit4: ksmserver [kdeinit]
>>> [...]
>>> kutulu@platypus ~ $ id -Z
>>> system_u:system_r:xdm_t
>>> kutulu@platypus ~ $ ps axZ | grep kdm
>>> system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
>>> kutulu@platypus ~ $ ps axZ | grep X
>>> system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b
>>>

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197