Linux Archive

Linux Archive (http://www.linux-archive.org/) - Gentoo Hardened
Thread: SeLinux system_u:system_r:initrc_t inside KDE (http://www.linux-archive.org/gentoo-hardened/562725-selinux-system_u-system_r-initrc_t-inside-kde.html)

Radosław Smogura 08-10-2011 06:57 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
Hello,

The problem is mainly about the strange ID system_u:system_r:initrc_t I have inside
KDE's konsole (all started applications / KDE services have it too).

There is a similar thread in the mailing list, but I can't join.

I installed Gentoo a few weeks ago, then I converted it to hardened (without
kernel patches). I reinstalled almost all packages a few times, including xdm,
sysvinit, kdm and pam, ensuring I'm sysadm_t, but I still get the above ID.

I think it should be something like user_u:user_r:user_t, which I get when I
log in through ssh.

System is of course running in permissive mode, and I use strict policy.

Any ideas why it is, and/or how to fix it?

Regards,
Radek

Mike Edenfield 08-11-2011 12:26 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On 8/10/2011 2:57 PM, Radosław Smogura wrote:

Hello,

The problem is mainly about the strange ID system_u:system_r:initrc_t I have inside
KDE's konsole (all started applications / KDE services have it too).

There is a similar thread in the mailing list, but I can't join.

I installed Gentoo a few weeks ago, then I converted it to hardened (without
kernel patches). I reinstalled almost all packages a few times, including xdm,
sysvinit, kdm and pam, ensuring I'm sysadm_t, but I still get the above ID.

I think it should be something like user_u:user_r:user_t, which I get when I
log in through ssh.

System is of course running in permissive mode, and I use strict policy.

Any ideas why it is, and/or how to fix it?


I've submitted a bug report to b.g.o about this; as near as
I can tell, neither kdm nor gdm ever actually tries to set
the execution context of their login sessions. They both
check for the presence of -lselinux at configure time but
don't appear to include any SELinux function calls.


I'm still trying to track this down, but hopefully someone
more familiar with KDE or GNOME will figure it out quicker :)


--Mike

Udo Siewert 08-11-2011 12:38 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Wed, 10 Aug 2011 20:57:46 +0200
Radosław Smogura <mail@smogura.eu> wrote:

Hi,

> The problem is mainly about the strange ID system_u:system_r:initrc_t I have
> inside KDE's konsole (all started applications / KDE services have it
> too).
>
> There is a similar thread in the mailing list, but I can't join.
>
> I installed Gentoo a few weeks ago, then I converted it to hardened
> (without kernel patches). I reinstalled almost all packages a few times,
> including xdm, sysvinit, kdm and pam, ensuring I'm sysadm_t, but I
> still get the above ID.
>
> I think it should be something like user_u:user_r:user_t, which I get
> when I log in through ssh.
>
> System is of course running in permissive mode, and I use strict
> policy.
>
> Any ideas why it is, and/or how to fix it?

Don't use /etc/init.d/xdm to start KDE, but start it with the 'startx'
command with an .xinitrc file in /home/user which should contain 'exec
startkde'.

Regards

Udo

Sven Vermeulen 08-11-2011 02:52 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Thu, Aug 11, 2011 at 2:38 PM, Udo Siewert <algenib@lavabit.com> wrote:

> Don't use /etc/init.d/xdm to start KDE, but start it with the 'startx'
> command with an .xinitrc file in /home/user which should contain 'exec
> startkde'.


SELinux-wise, it is fine to use xdm, gdm, kdm or whatever. However, it is possible that our policies are not correct yet to handle this. So we'll need to figure that out first ;-)


What context does the gdm/xdm/kdm binary have on your system? Where is the binary located?

It looks like the context should be xdm_exec_t, offered through the xserver module. Is sec-policy/selinux-xserver installed on your system?


Wkr,
* Sven Vermeulen

Udo Siewert 08-11-2011 05:25 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Thu, 11 Aug 2011 16:52:46 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:

Hi,

> On Thu, Aug 11, 2011 at 2:38 PM, Udo Siewert <algenib@lavabit.com>
> wrote:
>
> > don't use /etc/init.d/xdm to start KDE but start it by the 'startx'
> > command with an .xinitrc file in /home/user which should contain
> > 'exec startkde'.
> >
> >
> SELinux-wise, it is fine to use xdm, gdm, kdm or whatever. However,
> it is possible that our policies are not correct yet to handle this.
> So we'll need to figure that out first ;-)
>
> What context does the gdm/xdm/kdm binary have on your system? Where
> is the binary located?

/usr/bin/kdm system_u:object_r:xdm_exec_t
/usr/bin/xdm system_u:object_r:xdm_exec_t

When starting KDE by /etc/init.d/xdm 'id -Z' ->
system_u:system_r:xdm_t

and all KDE processes -> system_u:system_r:xdm_t

Using the 'startx' command, 'id -Z' ->
unconfined_u:unconfined_r:unconfined_t

KDE processes -> unconfined_u:unconfined_r:unconfined_t

which should be correct.

> It looks like the context should be xdm_exec_t, offered through the
> xserver module. Is sec-policy/selinux-xserver installed on your
> system?

Nope, emerging fails due to file collisions.

Probably because I've installed sec-policy/selinux-Desktop-2.20101213.

semodule -l

[...]

xserver 3.5.0


Regards,

Udo

Sven Vermeulen 08-12-2011 10:25 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com> wrote:

> /usr/bin/kdm system_u:object_r:xdm_exec_t
> /usr/bin/xdm system_u:object_r:xdm_exec_t
>
> When starting KDE by /etc/init.d/xdm 'id -Z' ->
> system_u:system_r:xdm_t
>
> and all KDE processes -> system_u:system_r:xdm_t

Hmm... assuming xdm works through some PAM configuration, can you tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?

If it doesn't source system-auth (which is where we put the pam_selinux.so call in) that might be the reason...


Wkr,
* Sven Vermeulen

Udo Siewert 08-13-2011 04:18 AM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Sat, 13 Aug 2011 00:25:26 +0200
Sven Vermeulen <sven.vermeulen@siphos.be> wrote:

Hi,

> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com>
> wrote:
>
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
> >
>
> Hmm... assuming xdm works through some PAM configuration, can you
> tell me how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
>
> If it doesn't source system-auth (which is where we put the
> pam_selinux.so call in) that might be the reason...

You put me in the right direction: in /etc/pam.d/kde

session required pam_selinux.so open
session required pam_selinux.so close

was missing (I don't know if I messed it up during dispatch-conf or if it
is missing by default).

Thanks for that!

Regards,

Udo

Mike Edenfield 08-13-2011 06:33 PM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Saturday, August 13, 2011 12:25:26 AM Sven Vermeulen wrote:
> On Thu, Aug 11, 2011 at 7:25 PM, Udo Siewert <algenib@lavabit.com> wrote:
> > /usr/bin/kdm system_u:object_r:xdm_exec_t
> > /usr/bin/xdm system_u:object_r:xdm_exec_t
> >
> > When starting KDE by /etc/init.d/xdm 'id -Z' ->
> > system_u:system_r:xdm_t
> >
> > and all KDE processes -> system_u:system_r:xdm_t
>
> Hmm... assuming xdm works through some PAM configuration, can you tell me
> how /etc/conf.d/xdm (or kdm, gdm, whatever) looks like?
>
> If it doesn't source system-auth (which is where we put the pam_selinux.so
> call in) that might be the reason...

My system-auth doesn't have anything about SELinux in it. The pam_selinux.so
calls are in system-login. This looks like what pambase is supposed to be
doing. system-login.in has these:

#if HAVE_SELINUX
session required pam_selinux.so close
#endif

and system-auth.in doesn't.

Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in system-
auth. Can I just move the pam_selinux calls?

--Mike
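The question in this thread is which PAM file a display manager's session stack really ends up reading, and whether pam_selinux.so is anywhere on that path. The script below is an added example, not code from any poster or from pambase: it resolves a service's session stack through PAM `include` and `substack` directives and reports whether pam_selinux.so is loaded. The function names (pam_session_stack, pam_has_selinux, make_demo_config) and the sample config files are constructed for the example; on a real Gentoo box you would point it at /etc/pam.d instead of the temporary directory it builds.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or from pambase).
# Resolves a PAM service's "session" stack and checks for pam_selinux.so.

# pam_session_stack DIR SERVICE [DEPTH]
# Prints every session entry that SERVICE resolves to, following
# "include" and "substack" directives (recursion capped at depth 8).
# Positional parameters are used instead of named variables so the
# recursive call inside the pipeline's subshell cannot clobber state.
pam_session_stack() {
    [ "${3:-0}" -lt 8 ] || return 0
    [ -r "$1/$2" ] || return 0
    # drop comments and blank lines, then walk the remaining entries
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/$2" |
    while read -r type ctl mod args; do
        [ "$type" = "session" ] || continue
        case "$ctl" in
            include|substack) pam_session_stack "$1" "$mod" $(( ${3:-0} + 1 )) ;;
            *) printf '%s %s %s %s\n' "$type" "$ctl" "$mod" "$args" ;;
        esac
    done
}

# pam_has_selinux DIR SERVICE
# Exit 0 if the resolved session stack loads pam_selinux.so, 1 otherwise.
pam_has_selinux() {
    pam_session_stack "$1" "$2" | grep -q 'pam_selinux\.so'
}

# make_demo_config: constructed stand-in for /etc/pam.d mirroring the thread.
# "kde" only includes system-auth (no pam_selinux.so); "login" goes through
# system-login, which carries the pam_selinux.so lines. Prints the directory.
make_demo_config() {
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
EOF
    cat > "$d/system-login" <<'EOF'
auth     include   system-auth
account  include   system-auth
session  include   system-auth
session  required  pam_selinux.so open
session  required  pam_selinux.so close
EOF
    cat > "$d/kde" <<'EOF'
auth     include   system-auth
account  include   system-auth
session  include   system-auth
EOF
    cat > "$d/login" <<'EOF'
auth     include   system-login
account  include   system-login
session  include   system-login
EOF
    printf '%s\n' "$d"
}

main() {
    cfg=$(make_demo_config)
    for svc in kde login; do
        if pam_has_selinux "$cfg" "$svc"; then
            echo "$svc: session stack loads pam_selinux.so (login context gets set)"
        else
            echo "$svc: pam_selinux.so missing, sessions keep the daemon's context"
        fi
    done
    rm -rf "$cfg"
}

main
```

Run it as-is to see the constructed layout reported, or call `pam_session_stack /etc/pam.d kde` on a real system to print the flattened session stack the display manager actually gets. A service whose stack never reaches pam_selinux.so will leave every child process in the display manager's own domain, which is exactly the symptom described at the top of the thread.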

Sven Vermeulen 08-14-2011 09:25 AM

SeLinux system_u:system_r:initrc_t inside KDE
 
On Sat, Aug 13, 2011 at 8:33 PM, Mike Edenfield <kutulu@kutulu.org> wrote:

> My system-auth doesn't have anything about SELinux in it. The pam_selinux.so
> calls are in system-login. This looks like what pambase is supposed to be
> doing. system-login.in has these:
>
> #if HAVE_SELINUX
> session required pam_selinux.so close
> #endif
>
> and system-auth.in doesn't.
>
> Which one should kdm/gdm be using? Right now /etc/pam.d/kde pulls in system-
> auth. Can I just move the pam_selinux calls?



If you do, does it break things (like logon through terminals)?
If not, does it fix the KDM logons?

Wkr,
* Sven Vermeulen
