From: Mike Edenfield
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SeLinux system_u:system_r:initrc_t inside KDE
Date: Sat, 13 Aug 2011 14:33:21 -0400

On Saturday, August 13, 2011 12:25:26 AM Sven Vermeulen wrote:
> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert wrote:
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
>
> Hmm... assuming xdm works through some PAM configuration, can you tell me
> how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
>
> If it doesn't source system-auth (which is where we put the pam_selinux.so
> call in) that might be the reason...

My system-auth doesn't have anything about SELinux in it. The pam_selinux.so
calls are in system-login. This looks like what pambase is supposed to be
doing. system-login.in has these:

#if HAVE_SELINUX
session required pam_selinux.so close
#endif

and system-auth.in doesn't.

Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
system-auth. Can I just move the pam_selinux calls?

--Mike
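
Added example, not part of the original message or of pambase: a Python check that follows `include`/`substack` lines from a PAM service file and reports whether its session stack ever reaches pam_selinux.so. The file contents are constructed to mirror the layout described in the message; the pam_unix.so entries and the `open` line are assumptions.

```python
import re

# Constructed /etc/pam.d contents modelled on the message: kde includes
# system-auth, and only system-login carries the pam_selinux.so calls.
SAMPLE_PAM_D = {
    "kde": "auth include system-auth\nsession include system-auth\n",
    "system-auth": "auth required pam_unix.so\nsession required pam_unix.so\n",
    "system-login": (
        "auth include system-auth\n"
        "session required pam_selinux.so close\n"
        "session include system-auth\n"
        "session required pam_selinux.so open  # constructed line\n"
    ),
}

# type, control (simple word or [bracketed] form), module or included file, args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def session_stack(service, pam_d, chain=()):
    """Return (file, module, args) for each session rule reached from service."""
    if service in chain or service not in pam_d:   # include loop or missing file
        return []
    rules = []
    for raw in pam_d[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "session":
            continue
        control, target, args = m.group(2), m.group(3), m.group(4)
        if control in ("include", "substack"):
            rules += session_stack(target, pam_d, chain + (service,))
        else:
            rules.append((service, target, args))
    return rules


def reaches_pam_selinux(service, pam_d):
    """True if the service's session stack ever calls pam_selinux.so."""
    return any(mod == "pam_selinux.so" for _, mod, _ in session_stack(service, pam_d))


if __name__ == "__main__":
    for svc in ("kde", "system-login"):
        print(svc, "reaches pam_selinux.so:", reaches_pam_selinux(svc, SAMPLE_PAM_D))
```

To run it against a real system, build the dictionary from the files under /etc/pam.d instead of the constructed sample.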