| 1 |
On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote: |
| 2 |
> ~ #ls -Z /usr/sbin/gdm |
| 3 |
> system_u:object_r:bin_t /usr/sbin/gdm |
| 4 |
> |
| 5 |
> selinux-xserver wasn't installed, I installed it now. |
| 6 |
|
| 7 |
Explains why it is mislabeled; the xdm_exec_t label can only be used (and |
| 8 |
set) when that module is loaded. |
| 9 |
|
| 10 |
> ~ #semodule -l | grep xserver |
| 11 |
> xserver 3.6.0 |
| 12 |
> ~ #ls -Z /usr/sbin/gdm |
| 13 |
> system_u:object_r:bin_t /usr/sbin/gdm |
| 14 |
|
| 15 |
Installing selinux-xserver doesn't automatically relabel files. That's what |
| 16 |
the chcon (temporily) or rlpkg (reset towards the correct one, permanently) |
| 17 |
is for. |
| 18 |
|
| 19 |
And since it wasn't installed, it might be a good idea to relabel the entire |
| 20 |
system (rlpkg -a -r) as other files might be missing the correct labels as |
| 21 |
well. I'll see to it that selinux-xserver is installed when xorg-server is. |
| 22 |
|
| 23 |
> ~ #chcon -t xdm_exec_t /usr/sbin/gdm |
| 24 |
> ~ #ls -Z /usr/sbin/gdm |
| 25 |
> system_u:object_r:bin_t /usr/sbin/gdm |
| 26 |
|
| 27 |
That's weird, the label should be set correctly. |
| 28 |
|
| 29 |
> ~ # rlpkg gdm |
| 30 |
> Relabeling: gnome-base/gdm-3.2.1.1-r2 |
| 31 |
> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or |
| 32 |
> directory |
| 33 |
> Error relabeling: 256 |
| 34 |
|
| 35 |
After this, what is the context of /usr/sbin/gdm? |
| 36 |
|
| 37 |
> after that with gnome-terminal: |
| 38 |
> ~ # id -Z |
| 39 |
> system_u:system_r:xdm_t |
| 40 |
> |
| 41 |
> Also made pam_selinux.so required but that didn't change any thing. |
| 42 |
|
| 43 |
At least we're a step further. I think, once you have gdm running in the |
| 44 |
xdm_t domain, it is a matter of making sure that a logon through xdm |
| 45 |
triggers a change in context. That is what pam is (usually) for. |
| 46 |
|
| 47 |
What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well? |
| 48 |
Perhaps that one is used? |
| 49 |
|
| 50 |
Wkr, |
| 51 |
Sven Vermeulen |
Archives