Mailing List Archive: Gentoo: Hardened
Re: Gnome wrong Selinux user role.

cor at cor
Feb 29, 2012, 9:23 AM

On 02/28/12 20:48, Sven Vermeulen wrote:
> On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
>>
>> selinux-xserver wasn't installed, I installed it now.
> Explains why it is mislabeled; the xdm_exec_t label can only be used (and
> set) when that module is loaded.
>
>> ~ #semodule -l | grep xserver
>> xserver 3.6.0
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> Installing selinux-xserver doesn't automatically relabel files. That's what
> the chcon (temporarily) or rlpkg (reset towards the correct one, permanently)
> is for.
>
> And since it wasn't installed, it might be a good idea to relabel the entire
> system (rlpkg -a -r) as other files might be missing the correct labels as
> well. I'll see to it that selinux-xserver is installed when xorg-server is.
>
>> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> That's weird, the label should be set correctly.
>
>> ~ # rlpkg gdm
>> Relabeling: gnome-base/gdm-3.2.1.1-r2
>> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
>> directory
>> Error relabeling: 256
> After this, what is the context of /usr/sbin/gdm?
>
>> after that with gnome-terminal:
>> ~ # id -Z
>> system_u:system_r:xdm_t
>>
>> Also made pam_selinux.so required but that didn't change any thing.
> At least we're a step further. I think, once you have gdm running in the
> xdm_t domain, it is a matter of making sure that a logon through xdm
> triggers a change in context. That is what pam is (usually) for.
>
> What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well?
> Perhaps that one is used?
>
> Wkr,
> Sven Vermeulen
>
>
>
After the changes the context of /usr/sbin/gdm stays the same.

Relabeled the whole filesystem without any success.

I added the pam_selinux.so module to /etc/pam.d/gdm-password, which
solved the problem. It seems that, to get it right, the pam_selinux.so module
should be added to all of /etc/pam.d/gdm, /etc/pam.d/gdm-autologin,
/etc/pam.d/gdm-fingerprint, /etc/pam.d/gdm-password,
/etc/pam.d/gdm-smartcard and /etc/pam.d/gdm-welcome.

Now with gnome-terminal:
~ #id -Z
staff_u:staff_r:staff_t

Thanks for your help Sven.

Regards,
Cor
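The fix Cor describes, as an added example that is not part of the original post or of Gentoo's own pambase: a small POSIX shell script that audits the six gdm PAM stacks for the pam_selinux.so session lines and appends them where they are missing. The directory, the sample file contents, and the plain `close`/`open` option pair are constructed assumptions so the script runs offline; on a real box you would point PAM_DIR at /etc/pam.d, skip the seeding step, and compare the result against what your system-login stack already provides.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the gdm PAM stacks for the
# pam_selinux.so session lines and append them where they are missing.
# PAM_DIR defaults to a temporary directory seeded with constructed sample
# files so this runs offline; set PAM_DIR=/etc/pam.d on a real Gentoo box
# (and do not call seed_sample_configs there).

PAM_DIR="${PAM_DIR:-$(mktemp -d)}"

# The six files the post lists.
GDM_PAM_FILES="gdm gdm-autologin gdm-fingerprint gdm-password gdm-smartcard gdm-welcome"

# Constructed sample configs (assumption): every file just includes
# system-login, and only gdm-password already carries the two pam_selinux.so lines.
seed_sample_configs() {
    for f in $GDM_PAM_FILES; do
        printf 'auth\t\tinclude\t\tsystem-login\n' > "$PAM_DIR/$f"
        printf 'account\t\tinclude\t\tsystem-login\n' >> "$PAM_DIR/$f"
        printf 'password\tinclude\t\tsystem-login\n' >> "$PAM_DIR/$f"
        printf 'session\t\tinclude\t\tsystem-login\n' >> "$PAM_DIR/$f"
    done
    printf 'session\t\trequired\tpam_selinux.so close\n' >> "$PAM_DIR/gdm-password"
    printf 'session\t\trequired\tpam_selinux.so open\n' >> "$PAM_DIR/gdm-password"
}

# Succeeds if FILE ($1) has an uncommented session line that loads
# pam_selinux.so with option MODE ($2: close or open).
has_pam_selinux() {
    grep -Eq "^[[:space:]]*session[[:space:]]+[^#]*pam_selinux\.so.*[[:space:]]$2([[:space:]]|\$)" \
        "$PAM_DIR/$1"
}

# Print, one per line, the files missing either of the two lines.
missing_pam_selinux() {
    for f in $GDM_PAM_FILES; do
        if ! has_pam_selinux "$f" close || ! has_pam_selinux "$f" open; then
            echo "$f"
        fi
    done
}

# Append the missing lines to FILE. Idempotent: running it twice adds nothing.
# close is listed before open so the greeter's context is torn down before the
# login user's context is computed and set for the session.
add_pam_selinux() {
    has_pam_selinux "$1" close || \
        printf 'session\t\trequired\tpam_selinux.so close\n' >> "$PAM_DIR/$1"
    has_pam_selinux "$1" open || \
        printf 'session\t\trequired\tpam_selinux.so open\n' >> "$PAM_DIR/$1"
}

# Repair every file the audit flags.
fix_all() {
    for f in $(missing_pam_selinux); do
        add_pam_selinux "$f"
    done
}

# Demo run on the constructed files.
seed_sample_configs
echo "Missing pam_selinux.so before fix:"
missing_pam_selinux
fix_all
echo "Missing pam_selinux.so after fix:"
missing_pam_selinux
```

Appending both lines at the end of the stack is the simplest safe placement for a file whose session section is a bare `include`; if the file already lists other session modules that must see the pre-login context (pam_loginuid, console ownership helpers), put the `close` line before them and the `open` line after, as the Fedora gdm stacks do. pam_selinux only does anything when PAM was built with SELinux support and the policy is loaded, which is why the `id -Z` check after login is the real test.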