From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-3484-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1Qs5gu-0001ux-Iw
	for garchives@archives.gentoo.org; Sat, 13 Aug 2011 04:19:21 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 7E73D21C051;
	Sat, 13 Aug 2011 04:19:03 +0000 (UTC)
Received: from karen.lavabit.com (karen.lavabit.com [72.249.41.33])
	by pigeon.gentoo.org (Postfix) with ESMTP id B0BD721C02D
	for <gentoo-hardened@lists.gentoo.org>; Sat, 13 Aug 2011 04:18:33 +0000 (UTC)
Received: from e.earth.lavabit.com (e.earth.lavabit.com [192.168.111.14])
	by karen.lavabit.com (Postfix) with ESMTP id 606B311BEE3
	for <gentoo-hardened@lists.gentoo.org>; Fri, 12 Aug 2011 23:18:33 -0500 (CDT)
Received: from studio11c (tor5.anonymizer.ccc.de [80.237.226.75])
	by lavabit.com with ESMTP id IX09CJPQ6VC8
	for <gentoo-hardened@lists.gentoo.org>; Fri, 12 Aug 2011 23:18:33 -0500
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=lavabit; d=lavabit.com;
  b=Fy5GyXj/l/VOml5fth1tSi+mzMHfwSiJyzX8mSB/vUHKDfNcfQXKM03QHjIG3J2WObAx00l3R9rTvJ+8UCCQ/zw5aoC/3+KM0o2kSEggpNaKx2m0DINBXze+ucZLD58SPniujl01Pls+xw/s6rfn+G378nGWMjoF1rzFjypZopQ=;
  h=Date:From:To:Subject:Message-ID:In-Reply-To:References:X-Mailer:Mime-Version:Content-Type:Content-Transfer-Encoding;
Date: Sat, 13 Aug 2011 06:18:23 +0200
From: Udo Siewert <algenib@lavabit.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
Message-ID: <20110813061823.52c1efcb@studio11c>
In-Reply-To: <CAPzO=Ny7vzeH6NzxwgMq+D=CRmueKQ+3ZNM24Lg3Nnm98F00BQ@mail.gmail.com>
References: <201108102057.46586.mail@smogura.eu>
 <20110811143809.4b45500f@studio11c>
 <CAPzO=NxCz+jsAkQVX_yvVt2+dgDSKBKHNtaDUjucvV1G8NxKpQ@mail.gmail.com>
 <20110811192531.0f6ac64c@studio11c>
 <CAPzO=Ny7vzeH6NzxwgMq+D=CRmueKQ+3ZNM24Lg3Nnm98F00BQ@mail.gmail.com>
X-Mailer: Claws Mail 3.7.6 (GTK+ 2.20.1; x86_64-pc-linux-gnu)
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Archives-Salt: 
X-Archives-Hash: f8283181c2e89eacb6331ba8db8be45c

On Sat, 13 Aug 2011 00:25:26 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:

Hi,

> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com>
> wrote:
> 
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm  'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
> >
> 
> Hmm... assuming xdm works through some PAM configuration, can you
> tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
> 
> If it doesn't source system-auth (which is where we put the
> pam_selinux.so call in) that might be the reason...

you put me in the right direction: in /etc/pam.d/kde

session required pam_selinux.so open
session required pam_selinux.so close

was missing (don't know if I messed it up during dispatch-conf or if it
is missing by default).

Thanks for that!

Regards,

Udo