On 07/31/2011 09:18 AM, Mike Edenfield wrote:
> On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
>> You get the same effect even on targeted where your session should be
>> running as unconfined_u:unconfined_r:unconfined_t.
>
> Yes, that was a targeted system I showed the ps output from. When I log
> in through the console I'm in the unconfined domain, just not through
> gdm or kdm.

Heh, I'm glad you properly interpreted that as a question even without
the question mark!

>
>> It's working with gnome. All processes from gnome-session and below run
>> as unconfined.
>>
>> Looks like a bug. Can you please file it.
>
> Will do. Is there anything I can do to help track down the problem? I
> assume that gdm/kdm/etc are supposed to be explicitly setting the
> context when they fire off the session -- this isn't something that's
> accomplished by an automatic domain transition, right?
>

avc logs might help. Other than that, we'll have to read the policy
files and use our brains.

> --Mike
>
>> On 07/30/2011 09:05 PM, Mike Edenfield wrote:
>>> I just installed the latest SELinux stuff from the hardened-development
>>> overlay onto my laptop, currently using the targeted profile (though I've
>>> also switched to strict and relabelled everything, same effect).
>>>
>>> When logging in via a display manager, either kdm or gdm, the login
>>> session is not switching to the proper security context. Everything is
>>> running as system_u:system_r:xdm_t, including my own login context. I
>>> rebuilt gdm after switching profiles, so it has USE=selinux; I didn't
>>> see a similar USE flag for kdm.
>>>
>>> This is the first time I've tried Gentoo+SELinux on a non-server in a
>>> long time so I'm possibly missing something important. Is there
>>> something obvious I should check for?
>>>
>>> kutulu@platypus ~ $ ls -Z `which kdm`
>>> system_u:object_r:xdm_exec_t /usr/bin/kdm
>>> kutulu@platypus ~ $ ls -Z `which gdm-binary`
>>> system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
>>> kutulu@platypus ~ $ ps xZ
>>> LABEL PID TTY STAT TIME COMMAND
>>> system_u:system_r:xdm_t 14234 ? Ss 0:00 /bin/sh /usr/bin/startkde
>>> system_u:system_r:xdm_t 14298 ? S 0:00 dbus-launch --sh-syntax --exit-with-session
>>> system_u:system_r:xdm_t 14299 ? Ssl 0:03 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>> system_u:system_r:xdm_t 14306 ? Ss 0:00 kdeinit4: kdeinit4 Running...
>>> system_u:system_r:xdm_t 14307 ? S 0:00 kdeinit4: klauncher [kdeinit] --fd=8
>>> system_u:system_r:xdm_t 14309 ? Sl 0:01 kdeinit4: kded4 [kdeinit]
>>> system_u:system_r:xdm_t 14320 ? S 0:00 kdeinit4: kglobalaccel [kdeinit]
>>> system_u:system_r:xdm_t 14327 ? S 0:00 kwrapper4 ksmserver
>>> system_u:system_r:xdm_t 14343 ? Sl 0:00 kdeinit4: ksmserver [kdeinit]
>>> [...]
>>> kutulu@platypus ~ $ id -Z
>>> system_u:system_r:xdm_t
>>> kutulu@platypus ~ $ ps axZ | grep kdm
>>> system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
>>> kutulu@platypus ~ $ ps axZ | grep X
>>> system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b
>>>
>>
>>
>

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
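The two checks suggested in this thread (compare the domain of each process in the logged-in session against the display manager's domain, and look for AVC records about the failed transition) can be scripted. The following is an added example, not code from the thread or from any Gentoo/SELinux project. The `ps` sample is modelled on the listing above; the audit records are constructed, and their PIDs, timestamps and inode numbers are made up. It assumes the display manager's own binaries are `/usr/bin/kdm` and `/usr/sbin/gdm-binary` (the paths shown in the thread), and treats every other process still in `xdm_t` as a session process that failed to transition.

```python
import re
from typing import Dict, List, Tuple

# Constructed `ps xZ`-style output, modelled on the thread's listing.
# The display manager itself (PID 2920) legitimately runs in xdm_t;
# the session processes (startkde, dbus-daemon) should not.
PS_OUTPUT = """\
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X :0 vt7
system_u:system_r:xdm_t 14234 ? Ss 0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t 14299 ? Ssl 0:03 /usr/bin/dbus-daemon --fork --session
unconfined_u:unconfined_r:unconfined_t 15000 pts/1 Ss 0:00 -bash
"""

# Constructed audit.log records in the kernel's AVC format; every value is made up.
AUDIT_LOG = """\
type=AVC msg=audit(1312100000.123:45): avc:  denied  { transition } for  pid=14234 comm="kdm" path="/bin/sh" dev=sda1 ino=1234 scontext=system_u:system_r:xdm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
type=SYSCALL msg=audit(1312100000.123:45): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1312100001.456:46): avc:  denied  { write } for  pid=14299 comm="dbus-daemon" name="session_bus_socket" dev=sda1 ino=5678 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:tmp_t tclass=sock_file
"""

# Display manager binaries from the thread; assumption, adjust for other DMs.
DISPLAY_MANAGER_BINARIES = {"/usr/bin/kdm", "/usr/sbin/gdm-binary"}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bpid=(?P<pid>\d+)\s+comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_context(label: str) -> Dict[str, str]:
    """Split user:role:type[:level] into its parts; the MLS level is optional."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {label!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def session_processes_in_dm_domain(ps_text: str, dm_type: str = "xdm_t") -> List[Tuple[int, str]]:
    """Return (pid, command) for processes stuck in the display manager's domain.

    The display manager binaries themselves are expected in dm_type and are skipped;
    anything else in that domain is a session process that did not transition.
    """
    stuck = []
    for line in ps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[1].isdigit():
            continue  # header or malformed row
        label, pid, command = fields[0], int(fields[1]), fields[5]
        if parse_context(label)["type"] != dm_type:
            continue
        if command.split()[0] in DISPLAY_MANAGER_BINARIES:
            continue
        stuck.append((pid, command))
    return stuck


def parse_avc(audit_text: str) -> List[Dict[str, str]]:
    """Extract the fields of every AVC record; non-AVC lines (SYSCALL etc.) are ignored."""
    records = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = rec["perms"].split()
            records.append(rec)
    return records


def denied_transitions(audit_text: str, from_type: str = "xdm_t") -> List[Dict[str, str]]:
    """Denied process transitions out of from_type: the AVC evidence for a login that stayed in the DM domain."""
    return [r for r in parse_avc(audit_text)
            if r["result"] == "denied" and r["tclass"] == "process"
            and "transition" in r["perms"]
            and parse_context(r["scontext"])["type"] == from_type]


if __name__ == "__main__":
    for pid, cmd in session_processes_in_dm_domain(PS_OUTPUT):
        print(f"session process {pid} still in xdm_t: {cmd}")
    for rec in denied_transitions(AUDIT_LOG):
        print(f"denied transition by {rec['comm']} (pid {rec['pid']}): "
              f"{rec['scontext']} -> {rec['tcontext']}")
```

On a live system the two inputs would come from `ps axZ` and `/var/log/audit/audit.log` (or `ausearch -m avc`). If the session processes show up in the first list but no denied transition appears in the second, the display manager never asked for a transition at all, which points at the display manager build or its PAM/SELinux setup rather than at a policy rule; a denied `transition` record points at the policy instead.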