Gentoo Archives: gentoo-hardened

From: Mike Edenfield <kutulu@××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux and gdm/kdm -- not setting sesson context?
Date: Sun, 31 Jul 2011 01:16:56
Message-Id: 23035828.Z17o8Fe1m2@platypus

I just installed the latest SELinux stuff from the hardened-development overlay
onto my laptop, currently using the targeted profile (though I've also switched
to strict and relabelled everything, same effect).

When logging in via a display manager, either kdm or gdm, the login session is
not switching to the proper security context. Everything is running as
system_u:system_r:xdm_t, including my own login context. I rebuilt gdm after
switching profiles, so it has USE=selinux; I didn't see a similar USE flag for
kdm.

This is the first time I've tried Gentoo+SELinux on a non-server in a long time
so I'm possibly missing something important. Is there something obvious I
should check for?

kutulu@platypus ~ $ ls -Z `which kdm`
system_u:object_r:xdm_exec_t /usr/bin/kdm
kutulu@platypus ~ $ ls -Z `which gdm-binary`
system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
kutulu@platypus ~ $ ps xZ
LABEL PID TTY STAT TIME COMMAND
system_u:system_r:xdm_t 14234 ? Ss 0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t 14298 ? S 0:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:xdm_t 14299 ? Ssl 0:03 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
system_u:system_r:xdm_t 14306 ? Ss 0:00 kdeinit4: kdeinit4 Running...
system_u:system_r:xdm_t 14307 ? S 0:00 kdeinit4: klauncher [kdeinit] --fd=8
system_u:system_r:xdm_t 14309 ? Sl 0:01 kdeinit4: kded4 [kdeinit]
system_u:system_r:xdm_t 14320 ? S 0:00 kdeinit4: kglobalaccel [kdeinit]
system_u:system_r:xdm_t 14327 ? S 0:00 kwrapper4 ksmserver
system_u:system_r:xdm_t 14343 ? Sl 0:00 kdeinit4: ksmserver [kdeinit]
[...]
kutulu@platypus ~ $ id -Z
system_u:system_r:xdm_t
kutulu@platypus ~ $ ps axZ | grep kdm
system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
kutulu@platypus ~ $ ps axZ | grep X
system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b

Replies

Subject Author
Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting sesson context? "Anthony G. Basile" <basile@××××××××××××××.edu>