From: Sven Vermeulen
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
Date: Sun, 14 Aug 2011 13:27:15 +0000
Message-ID: <20110814132715.GA23212@gentoo.org>
In-Reply-To: <4E47C773.8050700@kutulu.org>

On Sun, Aug 14, 2011 at 09:02:43AM -0400, Mike Edenfield wrote:
> It fixed my KDM logins to be unconfined, but it appears to break a bunch of
> other things:
>
> kutulu@platypus ~ $ id -Z
> unconfined_u:unconfined_r:unconfined_t
> kutulu@platypus ~ $ sudo -s
> Password:
> platypus kutulu # id -Z
> unconfined_u:unconfined_r:bootloader_t
>
> bootloader_t seems pretty random so it's possible I screwed up my policy in
> some unrelated way. I'm reinstalling all the policy packages and
> relabeling, we'll see what happens.

This is usually the sign that the default context for the SELinux user (in
your case "unconfined_u") isn't set properly or that there is an issue with
it.

When I look at the default context information, I notice that there is none
for kdm_t (there is for xdm_t though):

~# grep xdm_t /etc/selinux/strict/contexts/default_contexts
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

Since you work with unconfined, you'll need to use
/etc/selinux/targeted/contexts of course.

To find out if the initial context is set correctly, you can use getseuser:

~# getseuser swift system_u:system_r:xdm_t
seuser: staff_u, level (null)
Context 0 staff_u:staff_r:staff_t

When I try it with kdm_t, I get an incorrect result as well (in my case, it
would use sysadm_t which is definitely not something I would like to happen ;-)

Wkr,
Sven Vermeulen
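As an added example (not code from this thread or from the SELinux userspace tools), the lookup that getseuser performs against default_contexts, reduced to the file lookup itself so it can be run offline: it reads the same "login role:type, then candidate user contexts in preference order" lines shown above and reports when a login type such as kdm_t has no entry at all. It ignores the per-user override files under contexts/users/ and failsafe_context, which the real library also consults; the sample file contents and role sets are constructed.

```python
"""Offline check of SELinux default_contexts lookups (added example)."""

# Constructed sample modelled on the strict policy's default_contexts
# line quoted in the thread; note there is no system_r:kdm_t entry.
SAMPLE_DEFAULT_CONTEXTS = """\
# login process context   candidate user contexts, best first
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""


def parse_default_contexts(text):
    """Return {login 'role:type': [candidate 'role:type', ...]} in file order."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        login, *candidates = line.split()
        table[login] = candidates
    return table


def default_user_context(table, seuser, allowed_roles, login_context):
    """Pick the first candidate whose role the SELinux user is allowed to enter.

    login_context is the full context of the login program, for example
    'system_u:system_r:xdm_t'; only its role:type part is matched against
    the table.  Returns the chosen user context, or None when the file has
    no entry for that login type (the kdm_t case from the thread), which
    is the condition worth alerting on rather than silently falling back.
    """
    role_type = ":".join(login_context.split(":")[1:3])
    for candidate in table.get(role_type, []):
        role, type_ = candidate.split(":", 1)
        if role in allowed_roles:
            return f"{seuser}:{role}:{type_}"
    return None


if __name__ == "__main__":
    tbl = parse_default_contexts(SAMPLE_DEFAULT_CONTEXTS)
    # Reproduces the getseuser output quoted above for user swift (staff_u).
    print(default_user_context(tbl, "staff_u", {"staff_r", "sysadm_r"},
                               "system_u:system_r:xdm_t"))
    print(default_user_context(tbl, "unconfined_u", {"unconfined_r"},
                               "system_u:system_r:kdm_t"))
```

Run it against the real file with `open('/etc/selinux/targeted/contexts/default_contexts').read()` and the roles from `semanage user -l` to see whether your display manager's type has an entry before trusting the fallback.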