On 07/31/2011 09:18 AM, Mike Edenfield wrote:
> On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
>> You get the same effect even on targeted where your session should be
>> running as unconfined_u:unconfined_r:unconfined_t.
>
> Yes, that was a targeted system I showed the ps output from. When I log
> in through the console I'm in the unconfined domain, just not through
> gdm or kdm.

Heh, I'm glad you properly interpreted that as a question even without the question mark!

>
>> It's working with gnome. All processes from gnome-session and below run
>> as unconfined.
>>
>> Looks like a bug. Can you please file it?
>
> Will do. Is there anything I can do to help track down the problem? I
> assume that gdm/kdm/etc are supposed to be explicitly setting the
> context when they fire off the session -- this isn't something that's
> accomplished by an automatic domain transition, right?
>

avc logs might help. Other than that, we'll have to read the policy files and use our brains.

> --Mike
>
>> On 07/30/2011 09:05 PM, Mike Edenfield wrote:
>>> I just installed the latest SELinux stuff from the hardened-development overlay
>>> onto my laptop, currently using the targeted profile (though I've also switched
>>> to strict and relabelled everything, same effect).
>>>
>>> When logging in via a display manager, either kdm or gdm, the login session is
>>> not switching to the proper security context. Everything is running as
>>> system_u:system_r:xdm_t, including my own login context. I rebuilt gdm after
>>> switching profiles, so it has USE=selinux; I didn't see a similar USE flag for
>>> kdm.
>>>
>>> This is the first time I've tried Gentoo+SELinux on a non-server in a long time
>>> so I'm possibly missing something important. Is there something obvious I
>>> should check for?
>>>
>>> kutulu@platypus ~ $ ls -Z `which kdm`
>>> system_u:object_r:xdm_exec_t /usr/bin/kdm
>>> kutulu@platypus ~ $ ls -Z `which gdm-binary`
>>> system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
>>> kutulu@platypus ~ $ ps xZ
>>> LABEL                     PID TTY  STAT TIME COMMAND
>>> system_u:system_r:xdm_t 14234 ?    Ss   0:00 /bin/sh /usr/bin/startkde
>>> system_u:system_r:xdm_t 14298 ?    S    0:00 dbus-launch --sh-syntax --exit-with-session
>>> system_u:system_r:xdm_t 14299 ?    Ssl  0:03 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
>>> system_u:system_r:xdm_t 14306 ?    Ss   0:00 kdeinit4: kdeinit4 Running...
>>> system_u:system_r:xdm_t 14307 ?    S    0:00 kdeinit4: klauncher [kdeinit] --fd=8
>>> system_u:system_r:xdm_t 14309 ?    Sl   0:01 kdeinit4: kded4 [kdeinit]
>>> system_u:system_r:xdm_t 14320 ?    S    0:00 kdeinit4: kglobalaccel [kdeinit]
>>> system_u:system_r:xdm_t 14327 ?    S    0:00 kwrapper4 ksmserver
>>> system_u:system_r:xdm_t 14343 ?    Sl   0:00 kdeinit4: ksmserver [kdeinit]
>>> [...]
>>> kutulu@platypus ~ $ id -Z
>>> system_u:system_r:xdm_t
>>> kutulu@platypus ~ $ ps axZ | grep kdm
>>> system_u:system_r:xdm_t 2920 ? Ss 0:00 /usr/bin/kdm
>>> kutulu@platypus ~ $ ps axZ | grep X
>>> system_u:system_r:xserver_t 2939 tty7 Ss+ 1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b
>>>
>>
>>
>

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
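The check Mike did by eye on his `ps axZ` listing (every session process still carrying `system_u:system_r:xdm_t` instead of the unconfined user context) can be scripted so that a bug report, or a later regression test, carries a reproducible verdict. The following POSIX shell snippet is an added example and is not part of this thread or of the hardened-development overlay. The sample listing is constructed, modelled on the output above, with one invented `unconfined_t` line to show what a correct session row looks like; the function names and the assumption that only the display manager binary itself legitimately stays in `xdm_t` are mine.

```shell
#!/bin/sh
# Added example (not from the thread): report session processes that never left
# the display manager's SELinux domain. Constructed sample modelled on the
# `ps axZ` listing in the thread; PID 14400 is invented to show a correct row.
SAMPLE_PS='LABEL                                  PID TTY  STAT TIME COMMAND
system_u:system_r:xdm_t               2920 ?    Ss   0:00 /usr/bin/kdm
system_u:system_r:xserver_t           2939 tty7 Ss+  1:16 /usr/bin/X :0 vt7
system_u:system_r:xdm_t              14234 ?    Ss   0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t              14306 ?    Ss   0:00 kdeinit4: kdeinit4 Running...
unconfined_u:unconfined_r:unconfined_t 14400 ?  S    0:00 /bin/bash'

# leaked_session_pids PS_TEXT DM_TYPE DM_BINARY
# Prints the PIDs of processes whose SELinux type (third colon-separated
# field of the label column) equals DM_TYPE, skipping the display manager
# binary itself, which is expected to run there (assumption). Every PID
# printed is a process that should have transitioned out of DM_TYPE.
leaked_session_pids() {
    printf '%s\n' "$1" | awk -v type="$2" -v dm="$3" '
        NR > 1 {
            split($1, ctx, ":")
            if (ctx[3] == type && index($0, dm) == 0) print $2
        }'
}

# count_leaked PS_TEXT DM_TYPE DM_BINARY -> number of leaked processes
count_leaked() {
    leaked_session_pids "$1" "$2" "$3" | wc -l | tr -d ' '
}

# session_ok PS_TEXT DM_TYPE DM_BINARY -> exit status 0 when nothing leaked
session_ok() {
    [ "$(count_leaked "$1" "$2" "$3")" -eq 0 ]
}

# Stand-alone run against the constructed sample. On a live box substitute
# "$(ps axZ)" for "$SAMPLE_PS" (and /usr/sbin/gdm-binary for gdm setups).
if ! session_ok "$SAMPLE_PS" xdm_t /usr/bin/kdm; then
    echo "session processes still running in xdm_t:"
    leaked_session_pids "$SAMPLE_PS" xdm_t /usr/bin/kdm
fi
```

Run on a real system, a non-empty result from `leaked_session_pids` is the symptom described in the thread; pairing it with the AVC denials from the same login attempt (`ausearch -m avc` when auditd is running, otherwise `dmesg | grep avc`) gives the policy maintainers the two things Anthony asked for: which processes failed to transition and what the kernel refused while they tried.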
