* [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Radosław Smogura @ 2011-08-10 18:57 UTC
To: gentoo-hardened; +Cc: Radosław Smogura
Hello,
The problem is mainly about the strange ID system_u:system_r:initrc_t I have inside
KDE's konsole (all applications started / KDE service has it too).
There is a similar thread in the mailing list, but I can't join.
I installed Gentoo a few weeks ago, then I converted it to hardened (without
kernel patches); I reinstalled almost all packages a few times including xdm,
sysvinit, kdm, pam, ensuring I'm sysadm_t, but I still get the above id.
I think it should be something like user_u:user_r:user_t, which I get when I
log in through ssh.
System is of course running in permissive mode, and I use strict policy.
Any ideas why it is, and/or how to fix it?
Regards,
Radek
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Mike Edenfield @ 2011-08-11 12:26 UTC
To: gentoo-hardened; +Cc: Radosław Smogura
On 8/10/2011 2:57 PM, Radosław Smogura wrote:
> Hello,
>
> The problem is mainly about the strange ID system_u:system_r:initrc_t I have inside
> KDE's konsole (all applications started / KDE service has it too).
>
> There is a similar thread in the mailing list, but I can't join.
>
> I installed Gentoo a few weeks ago, then I converted it to hardened (without
> kernel patches); I reinstalled almost all packages a few times including xdm,
> sysvinit, kdm, pam, ensuring I'm sysadm_t, but I still get the above id.
>
> I think it should be something like user_u:user_r:user_t, which I get when I
> log in through ssh.
>
> System is of course running in permissive mode, and I use strict policy.
>
> Any ideas why it is, and/or how to fix it?
I've submitted a bug report to b.g.o about this; as near as
I can tell, neither kdm nor gdm ever actually tries to set
the execution context of their login sessions. They both
check for the presence of -lselinux at configure time but
don't appear to include any SELinux function calls.
I'm still trying to track this down, but hopefully someone
more familiar with KDE or GNOME will figure it out quicker :)
--Mike
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Udo Siewert @ 2011-08-11 12:38 UTC
To: gentoo-hardened
On Wed, 10 Aug 2011 20:57:46 +0200
Radosław Smogura <mail@smogura.eu> wrote:
Hi,
> The problem is mainly about the strange ID system_u:system_r:initrc_t I have
> inside KDE's konsole (all applications started / KDE service has it
> too).
>
> There is a similar thread in the mailing list, but I can't join.
>
> I installed Gentoo a few weeks ago, then I converted it to hardened
> (without kernel patches); I reinstalled almost all packages a few times
> including xdm, sysvinit, kdm, pam, ensuring I'm sysadm_t, but I still
> get the above id.
>
> I think it should be something like user_u:user_r:user_t, which I get
> when I log in through ssh.
>
> System is of course running in permissive mode, and I use strict
> policy.
>
> Any ideas why it is, and/or how to fix it?
don't use /etc/init.d/xdm to start KDE but start it by the 'startx'
command with an .xinitrc file in /home/user which should contain 'exec
startkde'.
Regards
Udo
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Sven Vermeulen @ 2011-08-11 14:52 UTC
To: gentoo-hardened
On Thu, Aug 11, 2011 at 2:38 PM, Udo Siewert <algenib@lavabit.com> wrote:
> don't use /etc/init.d/xdm to start KDE but start it by the 'startx'
> command with an .xinitrc file in /home/user which should contain 'exec
> startkde'.
>
>
SELinux-wise, it is fine to use xdm, gdm, kdm or whatever. However, it is
possible that our policies are not correct yet to handle this. So we'll need
to figure that out first ;-)
What context does the gdm/xdm/kdm binary have on your system? Where is the
binary located?
It looks like the context should be xdm_exec_t, offered through the xserver
module. Is sec-policy/selinux-xserver installed on your system?
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Udo Siewert @ 2011-08-11 17:25 UTC
To: gentoo-hardened
On Thu, 11 Aug 2011 16:52:46 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
Hi,
> On Thu, Aug 11, 2011 at 2:38 PM, Udo Siewert <algenib@lavabit.com>
> wrote:
>
> > don't use /etc/init.d/xdm to start KDE but start it by the 'startx'
> > command with an .xinitrc file in /home/user which should contain
> > 'exec startkde'.
> >
> >
> SELinux-wise, it is fine to use xdm, gdm, kdm or whatever. However,
> it is possible that our policies are not correct yet to handle this.
> So we'll need to figure that out first ;-)
>
> What context does the gdm/xdm/kdm binary have on your system? Where
> is the binary located?
/usr/bin/kdm system_u:object_r:xdm_exec_t
/usr/bin/xdm system_u:object_r:xdm_exec_t
When starting KDE by /etc/init.d/xdm 'id -Z' ->
system_u:system_r:xdm_t
and all KDE processes -> system_u:system_r:xdm_t
Using the 'startx' command 'id -Z' ->
unconfined_u:unconfined_r:unconfined_t
KDE processes -> unconfined_u:unconfined_r:unconfined_t
which should be correct.
> It looks like the context should be xdm_exec_t, offered through the
> xserver module. Is sec-policy/selinux-xserver installed on your
> system?
Nope, emerging fails due to file collisions.
Probably cause I've installed sec-policy/selinux-Desktop-2.20101213.
semodule -l
[...]
xserver 3.5.0
Regards,
Udo
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Sven Vermeulen @ 2011-08-12 22:25 UTC
To: gentoo-hardened
On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com> wrote:
> /usr/bin/kdm system_u:object_r:xdm_exec_t
> /usr/bin/xdm system_u:object_r:xdm_exec_t
>
> When starting KDE by /etc/init.d/xdm 'id -Z' ->
> system_u:system_r:xdm_t
>
> and all KDE processes -> system_u:system_r:xdm_t
>
Hmm... assuming xdm works through some PAM configuration, can you tell me
how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
If it doesn't source system-auth (which is where we put the pam_selinux.so
call in) that might be the reason...
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Udo Siewert @ 2011-08-13 4:18 UTC
To: gentoo-hardened
On Sat, 13 Aug 2011 00:25:26 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
Hi,
> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com>
> wrote:
>
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
> >
>
> Hmm... assuming xdm works through some PAM configuration, can you
> tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
>
> If it doesn't source system-auth (which is where we put the
> pam_selinux.so call in) that might be the reason...
you put me in the right direction: in /etc/pam.d/kde
session required pam_selinux.so open
session required pam_selinux.so close
was missing (don't know if I messed it up during dispatch-conf or if it
is missing by default).
Thanks for that!
Regards,
Udo
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Radosław Smogura @ 2011-08-15 1:17 UTC
To: gentoo-hardened; +Cc: Udo Siewert
I changed in pam.d/kde all include system-auth to include system-local-login.
Now I'm user_u:user_r:user_t.
Regards,
Radek
Udo Siewert <algenib@lavabit.com> Saturday 13 of August 2011 04:18:23
> On Sat, 13 Aug 2011 00:25:26 +0200
> Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
>
> Hi,
>
> > On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com>
> >
> > wrote:
> > > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > > /usr/bin/xdm system_u:object_r:xdm_exec_t
> > >
> > > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > > system_u:system_r:xdm_t
> > >
> > > and all KDE processes -> system_u:system_r:xdm_t
> >
> > Hmm... assuming xdm works through some PAM configuration, can you
> > tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
> >
> > If it doesn't source system-auth (which is where we put the
> > pam_selinux.so call in) that might be the reason...
>
> you put me in the right direction: in /etc/pam.d/kde
>
> session required pam_selinux.so open
> session required pam_selinux.so close
>
> was missing (don't know if I messed it up during dispatch-conf or if it
> is missing by default).
>
> Thanks for that!
>
> Regards,
>
> Udo
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Mike Edenfield @ 2011-08-13 18:33 UTC
To: gentoo-hardened
On Saturday, August 13, 2011 12:25:26 AM Sven Vermeulen wrote:
> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com> wrote:
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
>
> Hmm... assuming xdm works through some PAM configuration, can you tell me
> how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
>
> If it doesn't source system-auth (which is where we put the pam_selinux.so
> call in) that might be the reason...
My system-auth doesn't have anything about SELinux in it. The pam_selinux.so
calls are in system-login. This looks like what pambase is supposed to be
doing. system-login.in has these:
#if HAVE_SELINUX
session required pam_selinux.so close
#endif
and system-auth.in doesn't.
Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
system-auth. Can I just move the pam_selinux calls?
--Mike
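The question above (and Radek's fix of switching /etc/pam.d/kde from system-auth to system-local-login) comes down to which files a PAM service reaches through its include chain. The following is an added example, not code from the thread or from pambase: it follows `include`/`substack` the way libpam does and lists the pam_selinux.so session directives a service ends up with. The PAM_FILES contents are constructed stand-ins, not copies of any real /etc/pam.d.

```python
import os
import tempfile

# Constructed stand-ins for /etc/pam.d files (not copied from any system).
# 'kde' includes only system-auth, which carries no pam_selinux.so line;
# 'login' reaches system-login, where the open/close calls live.
PAM_FILES = {
    "system-auth": "auth required pam_unix.so\nsession required pam_unix.so\n",
    "system-login": ("session include system-auth\n"
                     "session required pam_selinux.so close\n"
                     "session required pam_selinux.so multiple open\n"),
    "system-local-login": "session include system-login\n",
    "kde": "auth include system-auth\nsession include system-auth\n",
    "login": "session include system-local-login\n",
}

def selinux_session_lines(pam_dir, service, chain=()):
    """Return (file, line) pairs for every pam_selinux.so session directive
    that `service` reaches, following include/substack the way libpam does:
    the referenced file is read from the same directory and only entries of
    the including type (here: session) are taken from it."""
    if service in chain:                 # include loop: stop here
        return []
    path = os.path.join(pam_dir, service)
    if not os.path.isfile(path):
        return []
    found = []
    with open(path) as fh:
        for raw in fh:
            fields = raw.split("#", 1)[0].split()
            if len(fields) < 3 or fields[0] not in ("session", "-session"):
                continue
            control, module = fields[1], fields[2]
            if control in ("include", "substack"):
                found += selinux_session_lines(pam_dir, module, chain + (service,))
            elif os.path.basename(module) == "pam_selinux.so":
                found.append((service, " ".join(fields)))
    return found

def write_tree():
    """Materialise PAM_FILES in a temporary directory and return its path."""
    pam_dir = tempfile.mkdtemp()
    for name, body in PAM_FILES.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)
    return pam_dir

if __name__ == "__main__":
    d = write_tree()
    for svc in ("kde", "login"):
        print(svc, "->", selinux_session_lines(d, svc) or "no pam_selinux.so session line")
```

Pointing `pam_dir` at a real /etc/pam.d and `service` at kde or kdm shows whether the display manager's session stack ever calls pam_selinux.so, which is exactly what decides whether the X session keeps the daemon's context.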
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Sven Vermeulen @ 2011-08-14 9:25 UTC
To: gentoo-hardened
On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield <kutulu@kutulu.org> wrote:
> My system-auth doesn't have anything about SELinux in it. The
> pam_selinux.so
> calls are in system-login. This looks like what pambase is supposed to be
> doing. system-login.in has these:
>
> #if HAVE_SELINUX
> session required pam_selinux.so close
> #endif
>
> and system-auth.in doesn't.
>
> Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
> system-auth. Can I just move the pam_selinux calls?
>
>
If you do, does it break things (like logon through terminals)?
If not, does it fix the KDM logons?
Wkr,
Sven Vermeulen
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Udo Siewert @ 2011-08-14 13:00 UTC
To: gentoo-hardened
On Sun, 14 Aug 2011 11:25:26 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
> On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield <kutulu@kutulu.org>
> wrote:
>
> > My system-auth doesn't have anything about SELinux in it. The
> > pam_selinux.so
> > calls are in system-login. This looks like what pambase is supposed
> > to be doing. system-login.in has these:
> >
> > #if HAVE_SELINUX
> > session required pam_selinux.so close
> > #endif
> >
> > and system-auth.in doesn't.
> >
> > Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
> > system-auth. Can I just move the pam_selinux calls?
> >
> >
> If you do, does it break things (like logon through terminals)?
> If not, does it fix the KDM logons?
AFAIC it doesn't break anything so far and KDM logons via xdm do have
the proper security contexts.
Regards,
Udo
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Mike Edenfield @ 2011-08-14 13:02 UTC
To: gentoo-hardened; +Cc: Sven Vermeulen
On 8/14/2011 5:25 AM, Sven Vermeulen wrote:
> On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield <kutulu@kutulu.org> wrote:
>
> My system-auth doesn't have anything about SELinux in it. The pam_selinux.so
> calls are in system-login. This looks like what pambase is supposed to be
> doing. system-login.in has these:
>
> #if HAVE_SELINUX
> session required pam_selinux.so close
> #endif
>
> and system-auth.in doesn't.
>
> Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
> system-auth. Can I just move the pam_selinux calls?
>
> If you do, does it break things (like logon through terminals)?
> If not, does it fix the KDM logons?
It fixed my KDM logins to be unconfined, but it appears to
break a bunch of other things:
kutulu@platypus ~ $ id -Z
unconfined_u:unconfined_r:unconfined_t
kutulu@platypus ~ $ sudo -s
Password:
platypus kutulu # id -Z
unconfined_u:unconfined_r:bootloader_t
bootloader_t seems pretty random, so it's possible I screwed
up my policy in some unrelated way. I'm reinstalling all the
policy packages and relabeling; we'll see what happens.
--Mike
* Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
From: Sven Vermeulen @ 2011-08-14 13:27 UTC
To: gentoo-hardened
On Sun, Aug 14, 2011 at 09:02:43AM -0400, Mike Edenfield wrote:
> It fixed my KDM logins to be unconfined, but it appears to break a bunch of
> other things:
>
> kutulu@platypus ~ $ id -Z
> unconfined_u:unconfined_r:unconfined_t
> kutulu@platypus ~ $ sudo -s
> Password:
> platypus kutulu # id -Z
> unconfined_u:unconfined_r:bootloader_t
>
> bootloader_t seems pretty random so its possible I screwed up my policy in
> some unrelated way. I'm reinstalling all the policy packages and
> relabeling, we'll see what happens.
This is usually the sign that the default context for the SELinux user (in
your case "unconfined_u") isn't set properly or that there is an issue with
it.
When I look at the default context information, I notice that there is none
for kdm_t (there is for xdm_t though):
~# grep xdm_t /etc/selinux/strict/contexts/default_contexts
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
Since you work with unconfined, you'll need to use
/etc/selinux/targeted/contexts of course.
To find out if the initial context is set correctly, you can use getseuser:
~# getseuser swift system_u:system_r:xdm_t
seuser: staff_u, level (null)
Context 0 staff_u:staff_r:staff_t
When I try it with kdm_t, I get an incorrect result as well (in my case, it
would use sysadm_t which is definitely not something I would like to happen
;-)
Wkr,
Sven Vermeulen
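Sven's getseuser check is a lookup in default_contexts keyed on the parent's role:type. The following is an added example, not code from the thread or from libselinux: it models that lookup (the parent context selects a row, and the first candidate whose role the SELinux user may enter wins) on a constructed default_contexts that reuses the xdm_t line quoted above and, as on Sven's system, has no kdm_t row. The role assignments in SEUSER_ROLES are constructed inputs, not read from policy.

```python
# Constructed default_contexts, modelled on the xdm_t line quoted in the
# thread; a row for kdm_t is deliberately absent, as on Sven's system.
DEFAULT_CONTEXTS = """\
# parent role:type   candidate login contexts, in order of preference
system_r:sshd_t  user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t   user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""

# Constructed role assignments per SELinux user (what policy would allow);
# a real implementation reads these from the loaded policy.
SEUSER_ROLES = {
    "staff_u": {"staff_r", "sysadm_r"},
    "unconfined_u": {"unconfined_r"},
}

def parse_default_contexts(text):
    """Map 'role:type' of the parent process to its ordered candidate list."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1:]
    return table

def default_context(seuser, parent_context, table, roles=SEUSER_ROLES):
    """Pick the login context the way the default_contexts lookup works:
    take the row for the parent's role:type, then the first candidate whose
    role `seuser` is allowed to enter, prefixed with the SELinux user.
    Returns None when no row or no allowed candidate exists, which is the
    kdm_t situation described in the thread (the real code then falls
    through to other sources, which is where surprising types come from)."""
    _user, role, dtype = parent_context.split(":")[:3]
    allowed = roles.get(seuser, set())
    for candidate in table.get(f"{role}:{dtype}", []):
        if candidate.split(":")[0] in allowed:
            return f"{seuser}:{candidate}"
    return None

if __name__ == "__main__":
    tbl = parse_default_contexts(DEFAULT_CONTEXTS)
    for seuser, parent in (("staff_u", "system_u:system_r:xdm_t"),
                           ("unconfined_u", "system_u:system_r:xdm_t"),
                           ("staff_u", "system_u:system_r:kdm_t")):
        print(seuser, parent, "->", default_context(seuser, parent, tbl))
```

Feeding the function a real /etc/selinux/<policy>/contexts/default_contexts and the roles from `semanage user -l` reproduces the staff_u:staff_r:staff_t answer Sven got from getseuser for xdm_t, and a None for any display manager type that has no row.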