| 1 |
On 7/31/2011 7:58 AM, Anthony G. Basile wrote: |
| 2 |
> You get the same effect even on targeted where your session should be |
| 3 |
> running as unconfined_u:unconfined_r:unconfined_t. |
| 4 |
|
| 5 |
Yes, that was a targeted system I showed the ps output from. |
| 6 |
When I log in through the console I'm in the unconfined |
| 7 |
domain, just not through gdm or kdm. |
| 8 |
|
| 9 |
> Its working with gnome. All processes from gnome-session and below run |
| 10 |
> as unconfined. |
| 11 |
> |
| 12 |
> Looks like a bug. Can you please file it. |
| 13 |
|
| 14 |
Will do. Is there anything I can do to help track down the |
| 15 |
problem? I assume that gdm/kdm/etc are supposed to be |
| 16 |
explicitly setting the context when they fire off the |
| 17 |
session -- this isn't something that's accomplished by an |
| 18 |
automatic domain transition, right? |
| 19 |
|
| 20 |
--Mike |
| 21 |
|
| 22 |
> On 07/30/2011 09:05 PM, Mike Edenfield wrote: |
| 23 |
>> I just installed the latest SELinux stuff from the hardened-development overlay |
| 24 |
>> onto my laptop, currently using the targeted profile (though I've also switched |
| 25 |
>> to strict and relabelled everything, same effect). |
| 26 |
>> |
| 27 |
>> When logging in via a display manager, either kdm or gdm, the login session is |
| 28 |
>> not switching to the proper security context. Everything is running as |
| 29 |
>> system_u:system_r:xdm_t, including my own login context. I rebuilt gdm after |
| 30 |
>> switching profiles, so it has USE=selinux; I didn't see a similar USE flag for |
| 31 |
>> kdm. |
| 32 |
>> |
| 33 |
>> This is the first time I've tried Gentoo+SELinux on a non-server in a long time |
| 34 |
>> so I'm possibly missing something important. Is there something obvious I |
| 35 |
>> should check for? |
| 36 |
>> |
| 37 |
>> kutulu@platypus ~ $ ls -Z `which kdm` |
| 38 |
>> system_u:object_r:xdm_exec_t /usr/bin/kdm |
| 39 |
>> kutulu@platypus ~ $ ls -Z `which gdm-binary` |
| 40 |
>> system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary |
| 41 |
>> kutulu@platypus ~ $ ps xZ |
| 42 |
>> LABEL PID TTY STAT TIME COMMAND |
| 43 |
>> system_u:system_r:xdm_t 14234 ? Ss 0:00 /bin/sh |
| 44 |
>> /usr/bin/startkde |
| 45 |
>> system_u:system_r:xdm_t 14298 ? S 0:00 dbus-launch --sh- |
| 46 |
>> syntax --exit-with-session |
| 47 |
>> system_u:system_r:xdm_t 14299 ? Ssl 0:03 /usr/bin/dbus- |
| 48 |
>> daemon --fork --print-pid 5 --print-address 7 --session |
| 49 |
>> system_u:system_r:xdm_t 14306 ? Ss 0:00 kdeinit4: kdeinit4 |
| 50 |
>> Running... |
| 51 |
>> system_u:system_r:xdm_t 14307 ? S 0:00 kdeinit4: klauncher |
| 52 |
>> [kdeinit] --fd=8 |
| 53 |
>> system_u:system_r:xdm_t 14309 ? Sl 0:01 kdeinit4: kded4 |
| 54 |
>> [kdeinit] |
| 55 |
>> system_u:system_r:xdm_t 14320 ? S 0:00 kdeinit4: |
| 56 |
>> kglobalaccel [kdeinit] |
| 57 |
>> system_u:system_r:xdm_t 14327 ? S 0:00 kwrapper4 ksmserver |
| 58 |
>> system_u:system_r:xdm_t 14343 ? Sl 0:00 kdeinit4: ksmserver |
| 59 |
>> [kdeinit] |
| 60 |
>> [...] |
| 61 |
>> kutulu@platypus ~ $ id -Z |
| 62 |
>> system_u:system_r:xdm_t |
| 63 |
>> kutulu@platypus ~ $ ps axZ | grep kdm |
| 64 |
>> system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm |
| 65 |
>> kutulu@platypus ~ $ ps axZ | grep X |
| 66 |
>> system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X -br - |
| 67 |
>> novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b |
| 68 |
>> |
| 69 |
> |
| 70 |
> |
Archives