Linux Archive > Gentoo > Gentoo Hardened
08-14-2011, 01:00 PM
Udo Siewert

SeLinux system_u:system_r:initrc_t inside KDE

On Sun, 14 Aug 2011 11:25:26 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:

> On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield <kutulu@kutulu.org>
> wrote:
>
> > My system-auth doesn't have anything about SELinux in it. The
> > pam_selinux.so
> > calls are in system-login. This looks like what pambase is supposed
> > to be doing. system-login.in has these:
> >
> > #if HAVE_SELINUX
> > session required pam_selinux.so close
> > #endif
> >
> > and system-auth.in doesn't.
> >
> > Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in
> > system-auth. Can I just move the pam_selinux calls?
> >
> >
> If you do, does it break things (like logon through terminals)?
> If not, does it fix the KDM logons?

AFAIC it doesn't break anything so far and KDM logons via xdm do have
the proper security contexts.

Regards,

Udo
 
08-14-2011, 01:02 PM
Mike Edenfield

SeLinux system_u:system_r:initrc_t inside KDE

On 8/14/2011 5:25 AM, Sven Vermeulen wrote:

> On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield
> <kutulu@kutulu.org> wrote:
>
> > My system-auth doesn't have anything about SELinux in
> > it. The pam_selinux.so
> > calls are in system-login. This looks like what pambase
> > is supposed to be
> > doing. system-login.in has these:
> >
> > #if HAVE_SELINUX
> > session required pam_selinux.so close
> > #endif
> >
> > and system-auth.in doesn't.
> >
> > Which one should kdm/gdm be using? Right now
> > /etc/pam.d/kde pulls in system-auth. Can I just move the pam_selinux calls?
>
> If you do, does it break things (like logon through terminals)?
> If not, does it fix the KDM logons?


It fixed my KDM logins to be unconfined, but it appears to
break a bunch of other things:


kutulu@platypus ~ $ id -Z
unconfined_u:unconfined_r:unconfined_t
kutulu@platypus ~ $ sudo -s
Password:
platypus kutulu # id -Z
unconfined_u:unconfined_r:bootloader_t

bootloader_t seems pretty random so it's possible I screwed
up my policy in some unrelated way. I'm reinstalling all the
policy packages and relabeling, we'll see what happens.


--Mike
 
08-14-2011, 01:27 PM
Sven Vermeulen

SeLinux system_u:system_r:initrc_t inside KDE

On Sun, Aug 14, 2011 at 09:02:43AM -0400, Mike Edenfield wrote:
> It fixed my KDM logins to be unconfined, but it appears to break a bunch of
> other things:
>
> kutulu@platypus ~ $ id -Z
> unconfined_u:unconfined_r:unconfined_t
> kutulu@platypus ~ $ sudo -s
> Password:
> platypus kutulu # id -Z
> unconfined_u:unconfined_r:bootloader_t
>
> bootloader_t seems pretty random so it's possible I screwed up my policy in
> some unrelated way. I'm reinstalling all the policy packages and
> relabeling, we'll see what happens.

This is usually the sign that the default context for the SELinux user (in
your case "unconfined_u") isn't set properly or that there is an issue with
it.

When I look at the default context information, I notice that there is none
for kdm_t (there is for xdm_t though):

~# grep xdm_t /etc/selinux/strict/contexts/default_contexts
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t

Since you work with unconfined, you'll need to use
/etc/selinux/targeted/contexts of course.

To find out if the initial context is set correctly, you can use getseuser:

~# getseuser swift system_u:system_r:xdm_t
seuser: staff_u, level (null)
Context 0 staff_u:staff_r:staff_t

When I try it with kdm_t, I get an incorrect result as well (in my case, it
would use sysadm_t which is definitely not something I would like to happen
;-)

Wkr,
Sven Vermeulen
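What getseuser does with Sven's two inputs can be traced by hand. The script below is an added example, not libselinux code and not from any post in this thread: it models the default_contexts lookup (the login program's own role:type selects a line, the line lists candidate role:type pairs in preference order, and only candidates whose role the SELinux user may take survive). The default_contexts, seusers and role tables are constructed for the example; the xdm_t line is the one Sven quoted and a kdm_t line is deliberately absent. The real lookup also validates each candidate against the loaded policy and consults contexts/users/<seuser>, which this model skips.

```python
"""Model of the default_contexts lookup behind getseuser / pam_selinux.

Added example for this thread; not libselinux code. Inputs are constructed.
"""

# Constructed default_contexts (not a copy of a real policy). The xdm_t line
# is the one quoted in the thread; there is no kdm_t line on purpose.
DEFAULT_CONTEXTS = """\
system_r:local_login_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:sshd_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
system_r:xdm_t user_r:user_t staff_r:staff_t sysadm_r:sysadm_t unconfined_r:unconfined_t
"""

# Constructed /etc/selinux/<policy>/seusers: login:seuser[:range]
SEUSERS = """\
__default__:user_u:s0
swift:staff_u:s0
kutulu:unconfined_u:s0
"""

# Roles each SELinux user may take. In the real lookup this comes from the
# loaded policy; here it is a constructed table.
USER_ROLES = {
    "user_u": ["user_r"],
    "staff_u": ["staff_r", "sysadm_r"],
    "unconfined_u": ["unconfined_r"],
}


def parse_default_contexts(text=DEFAULT_CONTEXTS):
    """Map 'source_role:source_type' -> ordered list of candidate 'role:type'."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def parse_seusers(text=SEUSERS):
    """Map Linux login -> SELinux user (range column ignored)."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        mapping[parts[0]] = parts[1]
    return mapping


def lookup_seuser(login, seusers=None):
    """Login name -> SELinux user, falling back to the __default__ entry."""
    seusers = seusers if seusers is not None else parse_seusers()
    return seusers.get(login, seusers.get("__default__"))


def ordered_context_list(login, source_context, table=None, seusers=None,
                         roles=USER_ROLES):
    """Candidate login contexts for `login` when the login program (kdm,
    sshd, ...) runs in `source_context`, in default_contexts order.
    Candidates whose role the SELinux user cannot take are dropped."""
    table = table if table is not None else parse_default_contexts()
    seuser = lookup_seuser(login, seusers)
    _user, role, type_ = source_context.split(":")[:3]
    candidates = table.get("%s:%s" % (role, type_), [])
    allowed = set(roles.get(seuser, []))
    return ["%s:%s" % (seuser, c) for c in candidates
            if c.split(":")[0] in allowed]


def missing_sources(source_types, table=None, role="system_r"):
    """Login-program types with no default_contexts line at all; this is
    the kdm_t gap pointed out in the thread."""
    table = table if table is not None else parse_default_contexts()
    keys = ("%s:%s" % (role, s) for s in source_types)
    return [k for k in keys if k not in table]


if __name__ == "__main__":
    for login, src in (("swift", "system_u:system_r:xdm_t"),
                       ("kutulu", "system_u:system_r:xdm_t"),
                       ("swift", "system_u:system_r:kdm_t")):
        print(login, src, "->", ordered_context_list(login, src) or "no match")
    print("sources without a line:", missing_sources(["xdm_t", "kdm_t"]))
```

For swift under xdm_t the first surviving candidate is staff_u:staff_r:staff_t, the "Context 0" getseuser printed above. For kdm_t the model returns nothing because no line matches; Sven's box ended up at sysadm_t instead, which is why a missing default_contexts line is worth ruling out before blaming the PAM stack.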
 
08-15-2011, 01:17 AM
Radosław Smogura

SeLinux system_u:system_r:initrc_t inside KDE

I changed in pam.d/kde all include system-auth to include system-local-login.
Now I'm user_u:user_r:user_t.

Regards,
Radek

On Saturday 13 August 2011 04:18:23, Udo Siewert <algenib@lavabit.com> wrote:
> On Sat, 13 Aug 2011 00:25:26 +0200
> Sven Vermeulen <sven.vermeulen@siphos.be> wrote:
>
> Hi,
>
> > On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com>
> >
> > wrote:
> > > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > > /usr/bin/xdm system_u:object_r:xdm_exec_t
> > >
> > > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > > system_u:system_r:xdm_t
> > >
> > > and all KDE processes -> system_u:system_r:xdm_t
> >
> > Hmm... assuming xdm works through some PAM configuration, can you
> > tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
> >
> > If it doesn't source system-auth (which is where we put the
> > pam_selinux.so call in) that might be the reason...
>
> you put me in the right direction: in /etc/pam.d/kde
>
> session required pam_selinux.so open
> session required pam_selinux.so close
>
> was missing (don't know if I messed it up during dispatch-conf or if it
> is missing by default).
>
> Thanks for that!
>
> Regards,
>
> Udo
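The change Mike asked about and Radek made (pointing /etc/pam.d/kde at a stack that actually carries pam_selinux) can be checked without logging in and out. The script below is an added example, not part of pambase and not from any post in this thread: it resolves a service's session stack through `include` and `substack` lines the way pam.d files are read, then reports whether pam_selinux.so close and open are present and in that order. The pam.d fragments are constructed to mirror the thread (system-auth without pam_selinux, system-login with it, system-local-login wrapping system-login), not copied from pambase, and the `kde-fixed` service name is hypothetical.

```python
"""Resolve a PAM service's effective session stack and audit it for pam_selinux.

Added example for this thread; not pambase code. The pam.d contents are
constructed to mirror the thread, not copied from any distribution.
"""
import os
import tempfile

PAM_FILES = {
    # No pam_selinux anywhere in here, as Mike observed for system-auth.
    "system-auth": (
        "auth required pam_env.so\n"
        "auth required pam_unix.so try_first_pass likeauth nullok\n"
        "account required pam_unix.so\n"
        "password required pam_unix.so try_first_pass nullok sha512 shadow\n"
        "session required pam_limits.so\n"
        "session required pam_env.so\n"
        "session required pam_unix.so\n"
    ),
    # pam_selinux close/open wrapped around the included system-auth session lines.
    "system-login": (
        "auth required pam_nologin.so\n"
        "auth include system-auth\n"
        "account required pam_access.so\n"
        "account include system-auth\n"
        "password include system-auth\n"
        "session required pam_selinux.so close\n"
        "session required pam_env.so\n"
        "session include system-auth\n"
        "session required pam_selinux.so open\n"
        "session optional pam_lastlog.so silent\n"
    ),
    "system-local-login": (
        "auth include system-login\n"
        "account include system-login\n"
        "password include system-login\n"
        "session include system-login\n"
    ),
    # The display manager's service as found in the thread: system-auth only.
    "kde": (
        "auth include system-auth\n"
        "account include system-auth\n"
        "password include system-auth\n"
        "session include system-auth\n"
    ),
    # Hypothetical name for Radek's fix: every group points at system-local-login.
    "kde-fixed": (
        "auth include system-local-login\n"
        "account include system-local-login\n"
        "password include system-local-login\n"
        "session include system-local-login\n"
    ),
}


def write_pam_dir(files=PAM_FILES):
    """Materialise the constructed fragments in a temp dir shaped like /etc/pam.d."""
    pam_dir = tempfile.mkdtemp(prefix="pam.d-")
    for name, body in files.items():
        with open(os.path.join(pam_dir, name), "w") as fh:
            fh.write(body)
    return pam_dir


def resolve_stack(pam_dir, service, group, _depth=0):
    """Effective (control, module, args) list for one management group of a
    service, inlining `include`/`substack`. substack short-circuits differently
    at run time, but inlining is enough for a presence/order audit."""
    if _depth > 8:  # guard against include loops in a broken config
        raise RuntimeError("include depth exceeded at %s" % service)
    stack = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = line.split()
            if fields[0].lstrip("-") != group:  # "-session" is the same group
                continue
            rest = fields[1:]
            if rest[0].startswith("["):  # bracketed control, e.g. [success=ok default=die]
                end = next(i for i, f in enumerate(rest) if f.endswith("]"))
                control, rest = " ".join(rest[:end + 1]), rest[end + 1:]
            else:
                control, rest = rest[0], rest[1:]
            module, args = rest[0], rest[1:]
            if control in ("include", "substack"):
                stack.extend(resolve_stack(pam_dir, module, group, _depth + 1))
            else:
                stack.append((control, module, args))
    return stack


def selinux_session_check(stack):
    """Positions of the first pam_selinux close and open entries, whether
    both exist, and whether close precedes open (the order used by the
    system-login.in fragment quoted in the thread)."""
    positions = {"close": None, "open": None}
    for idx, (_control, module, args) in enumerate(stack):
        if module == "pam_selinux.so":
            for mode in positions:
                if mode in args and positions[mode] is None:
                    positions[mode] = idx
    present = positions["close"] is not None and positions["open"] is not None
    ordered = present and positions["close"] < positions["open"]
    return {"present": present, "ordered": ordered, "positions": positions}


def audit(pam_dir, service):
    """True when the service's session stack sets up SELinux correctly."""
    result = selinux_session_check(resolve_stack(pam_dir, service, "session"))
    return result["present"] and result["ordered"]


if __name__ == "__main__":
    d = write_pam_dir()
    for svc in ("kde", "kde-fixed"):
        modules = [m for _, m, _ in resolve_stack(d, svc, "session")]
        print("%-10s session: %s" % (svc, modules))
        print("%-10s pam_selinux ok: %s" % (svc, audit(d, svc)))
```

Pointed at a real /etc/pam.d (`resolve_stack("/etc/pam.d", "kde", "session")`), the same function shows at a glance whether the display manager's stack ever reaches pam_selinux; the `kde` fragment resolves to limits/env/unix only, the `kde-fixed` one to close, env, limits, env, unix, open, lastlog.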
 