* [gentoo-hardened] SELinux and gdm/kdm -- not setting session context?
From: Mike Edenfield @ 2011-07-31 1:05 UTC
To: gentoo-hardened
I just installed the latest SELinux stuff from the hardened-development overlay
onto my laptop, currently using the targeted profile (though I've also switched
to strict and relabelled everything, same effect).
When logging in via a display manager, either kdm or gdm, the login session is
not switching to the proper security context. Everything is running as
system_u:system_r:xdm_t, including my own login context. I rebuilt gdm after
switching profiles, so it has USE=selinux; I didn't see a similar USE flag for
kdm.
This is the first time I've tried Gentoo+SELinux on a non-server in a long time
so I'm possibly missing something important. Is there something obvious I
should check for?
kutulu@platypus ~ $ ls -Z `which kdm`
system_u:object_r:xdm_exec_t /usr/bin/kdm
kutulu@platypus ~ $ ls -Z `which gdm-binary`
system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
kutulu@platypus ~ $ ps xZ
LABEL                          PID TTY      STAT   TIME COMMAND
system_u:system_r:xdm_t      14234 ?        Ss     0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t      14298 ?        S      0:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:xdm_t      14299 ?        Ssl    0:03 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
system_u:system_r:xdm_t      14306 ?        Ss     0:00 kdeinit4: kdeinit4 Running...
system_u:system_r:xdm_t      14307 ?        S      0:00 kdeinit4: klauncher [kdeinit] --fd=8
system_u:system_r:xdm_t      14309 ?        Sl     0:01 kdeinit4: kded4 [kdeinit]
system_u:system_r:xdm_t      14320 ?        S      0:00 kdeinit4: kglobalaccel [kdeinit]
system_u:system_r:xdm_t      14327 ?        S      0:00 kwrapper4 ksmserver
system_u:system_r:xdm_t      14343 ?        Sl     0:00 kdeinit4: ksmserver [kdeinit]
[...]
kutulu@platypus ~ $ id -Z
system_u:system_r:xdm_t
kutulu@platypus ~ $ ps axZ | grep kdm
system_u:system_r:xdm_t       2920 ?        Ss     0:00 /usr/bin/kdm
kutulu@platypus ~ $ ps axZ | grep X
system_u:system_r:xserver_t   2939 tty7     Ss+    1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp -auth /var/run/xauth/A:0-8zHr3b
* Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting session context?
From: Anthony G. Basile @ 2011-07-31 11:58 UTC
To: gentoo-hardened
You get the same effect even on targeted where your session should be
running as unconfined_u:unconfined_r:unconfined_t.
It's working with gnome. All processes from gnome-session and below run
as unconfined.
Looks like a bug. Can you please file it?
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
* Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting session context?
From: Mike Edenfield @ 2011-07-31 13:18 UTC
To: gentoo-hardened; +Cc: Anthony G. Basile
On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
> You get the same effect even on targeted where your session should be
> running as unconfined_u:unconfined_r:unconfined_t.
Yes, that was a targeted system I showed the ps output from.
When I log in through the console I'm in the unconfined
domain, just not through gdm or kdm.
> It's working with gnome. All processes from gnome-session and below run
> as unconfined.
>
> Looks like a bug. Can you please file it?
Will do. Is there anything I can do to help track down the
problem? I assume that gdm/kdm/etc are supposed to be
explicitly setting the context when they fire off the
session -- this isn't something that's accomplished by an
automatic domain transition, right?
--Mike
* Re: [gentoo-hardened] SELinux and gdm/kdm -- not setting session context?
From: Anthony G. Basile @ 2011-07-31 13:28 UTC
To: gentoo-hardened
On 07/31/2011 09:18 AM, Mike Edenfield wrote:
> On 7/31/2011 7:58 AM, Anthony G. Basile wrote:
>> You get the same effect even on targeted where your session should be
>> running as unconfined_u:unconfined_r:unconfined_t.
>
> Yes, that was a targeted system I showed the ps output from. When I log
> in through the console I'm in the unconfined domain, just not through
> gdm or kdm.
Heh, I'm glad you properly interpreted that as a question even without
the question mark!
>
>> It's working with gnome. All processes from gnome-session and below run
>> as unconfined.
>>
>> Looks like a bug. Can you please file it?
>
> Will do. Is there anything I can do to help track down the problem? I
> assume that gdm/kdm/etc are supposed to be explicitly setting the
> context when they fire off the session -- this isn't something that's
> accomplished by an automatic domain transition, right?
>
avc logs might help. Other than that, we'll have to read the policy
files and use our brains.
> --Mike
>
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
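Added example, not code from the thread, from kdm/gdm or from the Gentoo policy: a small Python script that implements the two checks this exchange points to. The first parses `ps axZ`-style output and lists session processes still labelled xdm_t (the symptom Mike posted); it assumes that once a user has authenticated, everything the display manager starts for that user should run in the login domain, so any xdm_t process other than the display manager binary itself is reported. The second parses audit AVC records and summarizes what xdm_t was denied, which is the "avc logs might help" step Anthony suggests. The sample ps lines mirror the processes Mike posted; the AVC records are constructed for this example (pids, inodes and timestamps are made up) and are not denials observed on his system.

```python
"""Checks for a display-manager login that stays in the display manager's
SELinux domain (added example for this thread, not the project's code).

1. parse `ps axZ`-style output and list session processes still in xdm_t;
2. parse audit AVC records and summarize what xdm_t was denied.
"""
import re
from collections import Counter

DM_DOMAIN = "xdm_t"                                 # display manager domain
DM_BINARIES = {"kdm", "gdm", "gdm-binary", "xdm"}   # expected to stay in xdm_t

# Columns of `ps axZ`: LABEL PID TTY STAT TIME COMMAND
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
# AVC record body: avc:  denied  { perm ... } for  key=value ...
AVC_LINE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample ps lines: the processes posted in the thread plus one console shell.
SAMPLE_PS = """\
LABEL                              PID TTY   STAT  TIME COMMAND
system_u:system_r:xdm_t           2920 ?     Ss    0:00 /usr/bin/kdm
system_u:system_r:xserver_t       2939 tty7  Ss+   1:16 /usr/bin/X -br -novtswitch -quiet :0 vt7 -nolisten tcp
system_u:system_r:xdm_t          14234 ?     Ss    0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t          14298 ?     S     0:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:xdm_t          14306 ?     Ss    0:00 kdeinit4: kdeinit4 Running...
unconfined_u:unconfined_r:unconfined_t 14400 pts/1 Ss 0:00 -bash
"""

# Constructed AVC records for this example (made-up pids, inodes, timestamps).
SAMPLE_AVC = """\
type=AVC msg=audit(1312083900.101:77): avc:  denied  { transition } for  pid=14234 comm="kdm" path="/bin/sh" dev=sda3 ino=4321 scontext=system_u:system_r:xdm_t tcontext=unconfined_u:unconfined_r:unconfined_t tclass=process
type=AVC msg=audit(1312083900.102:78): avc:  denied  { setexec } for  pid=14234 comm="kdm" scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:xdm_t tclass=process
type=AVC msg=audit(1312083901.500:79): avc:  denied  { read } for  pid=2939 comm="X" name="fonts.dir" dev=sda3 ino=99 scontext=system_u:system_r:xserver_t tcontext=system_u:object_r:fonts_t tclass=file
"""


def domain_of(context):
    """Return the type field of user:role:type[:range]; '' if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_ps(text):
    """Turn `ps axZ` output into dicts; the header and blank lines do not
    match PS_LINE (the PID column must be numeric) and are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue
        context, pid, tty, stat, cputime, command = m.groups()
        procs.append({"context": context, "domain": domain_of(context),
                      "pid": int(pid), "tty": tty, "stat": stat,
                      "time": cputime, "command": command})
    return procs


def session_processes_in_dm_domain(procs):
    """Processes labelled with the display manager's domain that are not the
    display manager binary itself; after login these should be in the
    user's login domain, so each one listed is the symptom from the thread."""
    found = []
    for p in procs:
        if p["domain"] != DM_DOMAIN:
            continue
        tokens = p["command"].split()
        exe = tokens[0].rsplit("/", 1)[-1] if tokens else ""
        if exe in DM_BINARIES:
            continue
        found.append((p["pid"], p["command"]))
    return found


def parse_avc(lines):
    """Parse AVC denial records into dicts with perms, fields and domains."""
    records = []
    for line in lines:
        m = AVC_LINE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_PAIR.findall(m.group(2))}
        fields["perms"] = m.group(1).split()
        fields["sdomain"] = domain_of(fields.get("scontext", ""))
        fields["tdomain"] = domain_of(fields.get("tcontext", ""))
        records.append(fields)
    return records


def denials_from_domain(records, domain=DM_DOMAIN):
    """Keep only denials whose source domain is `domain` (xdm_t by default)."""
    return [r for r in records if r["sdomain"] == domain]


def summarize(records):
    """Count (source domain, target class, permission) triples; a denial that
    repeats on every login shows up as a count greater than one."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            counts[(r["sdomain"], r.get("tclass", "?"), perm)] += 1
    return counts


if __name__ == "__main__":
    for pid, cmd in session_processes_in_dm_domain(parse_ps(SAMPLE_PS)):
        print(f"still in {DM_DOMAIN}: pid {pid}: {cmd}")
    xdm = denials_from_domain(parse_avc(SAMPLE_AVC.splitlines()))
    for (dom, cls, perm), n in sorted(summarize(xdm).items()):
        print(f"{n:3d}x {dom} denied {perm} on {cls}")
```

To run it against a real system, feed `ps axZ` output to parse_ps and the lines of /var/log/audit/audit.log (or the output of `ausearch -m avc`) to parse_avc; any process the first check lists, together with a `process` class denial for xdm_t in the second, is what to attach to the bug report Anthony asked for.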