| 1 |
On 02/28/12 20:48, Sven Vermeulen wrote: |
| 2 |
> On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote: |
| 3 |
>> ~ #ls -Z /usr/sbin/gdm |
| 4 |
>> system_u:object_r:bin_t /usr/sbin/gdm |
| 5 |
>> |
| 6 |
>> selinux-xserver wasn't installed, I installed it now. |
| 7 |
> Explains why it is mislabeled; the xdm_exec_t label can only be used (and |
| 8 |
> set) when that module is loaded. |
| 9 |
> |
| 10 |
>> ~ #semodule -l | grep xserver |
| 11 |
>> xserver 3.6.0 |
| 12 |
>> ~ #ls -Z /usr/sbin/gdm |
| 13 |
>> system_u:object_r:bin_t /usr/sbin/gdm |
| 14 |
> Installing selinux-xserver doesn't automatically relabel files. That's what |
| 15 |
> the chcon (temporily) or rlpkg (reset towards the correct one, permanently) |
| 16 |
> is for. |
| 17 |
> |
| 18 |
> And since it wasn't installed, it might be a good idea to relabel the entire |
| 19 |
> system (rlpkg -a -r) as other files might be missing the correct labels as |
| 20 |
> well. I'll see to it that selinux-xserver is installed when xorg-server is. |
| 21 |
> |
| 22 |
>> ~ #chcon -t xdm_exec_t /usr/sbin/gdm |
| 23 |
>> ~ #ls -Z /usr/sbin/gdm |
| 24 |
>> system_u:object_r:bin_t /usr/sbin/gdm |
| 25 |
> That's weird, the label should be set correctly. |
| 26 |
> |
| 27 |
>> ~ # rlpkg gdm |
| 28 |
>> Relabeling: gnome-base/gdm-3.2.1.1-r2 |
| 29 |
>> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or |
| 30 |
>> directory |
| 31 |
>> Error relabeling: 256 |
| 32 |
> After this, what is the context of /usr/sbin/gdm? |
| 33 |
> |
| 34 |
>> after that with gnome-terminal: |
| 35 |
>> ~ # id -Z |
| 36 |
>> system_u:system_r:xdm_t |
| 37 |
>> |
| 38 |
>> Also made pam_selinux.so required but that didn't change any thing. |
| 39 |
> At least we're a step further. I think, once you have gdm running in the |
| 40 |
> xdm_t domain, it is a matter of making sure that a logon through xdm |
| 41 |
> triggers a change in context. That is what pam is (usually) for. |
| 42 |
> |
| 43 |
> What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well? |
| 44 |
> Perhaps that one is used? |
| 45 |
> |
| 46 |
> Wkr, |
| 47 |
> Sven Vermeulen |
| 48 |
> |
| 49 |
> |
| 50 |
> |
| 51 |
After the changes the context of /usr/sbin/gdm stays the same. |
| 52 |
|
| 53 |
Relabeled the whole file-system without any success. |
| 54 |
|
| 55 |
I added the pam_selinux.so module to /etc/pam.d/gdm-password witch |
| 56 |
solved the problem. It seems to get it right the pam_selinux.so module |
| 57 |
should be added to all of /etc/pam.d/gdm /etc/pam.d/gdm-autologin |
| 58 |
/etc/pam.d/gdm-fingerprint /etc/pam.d/gdm-password |
| 59 |
/etc/pam.d/gdm-smartcard /etc/pam.d/gdm-welcome. |
| 60 |
|
| 61 |
Now with gnome-terminal: |
| 62 |
~ #id -Z |
| 63 |
staff_u:staff_r:staff_t |
| 64 |
|
| 65 |
Tnx for your help Sven. |
| 66 |
|
| 67 |
Regards: |
| 68 |
Cor |
Archives