Linux Archive - Gentoo Hardened - Gnome wrong Selinux user role. (http://www.linux-archive.org/gentoo-hardened/638230-gnome-wrong-selinux-user-role.html)

Cor Legmaat 02-27-2012 06:36 PM

Gnome wrong Selinux user role.
 
Hi all:

I have an SELinux-enabled system running gnome 3.2 and gdm. My whole
profile is mapped to staff_u as recommended by the SELinux manual. When
I log in through gdm I am logged in as system_u, and when I log in through ssh it
is correct.

This is what I get with gnome-terminal:
> cor@k53s ~ $ id -Z
> system_u:system_r:initrc_t
> cor@k53s ~ $ ssh 127.0.0.1
> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
> cor@k53s ~ $ id -Z
> staff_u:staff_r:staff_t

Any ideas?

Regards:
Cor

Sven Vermeulen 02-27-2012 06:44 PM

Gnome wrong Selinux user role.
 
On Mon, Feb 27, 2012 at 09:36:55PM +0200, Cor Legmaat wrote:
> Hi all:
>
> I have an SELinux-enabled system running gnome 3.2 and gdm. My whole
> profile is mapped to staff_u as recommended by the SELinux manual. When
> I log in through gdm I am logged in as system_u, and when I log in through ssh it
> is correct.
>
> This is what I get with gnome-terminal:
> > cor@k53s ~ $ id -Z
> > system_u:system_r:initrc_t
> > cor@k53s ~ $ ssh 127.0.0.1
> > Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
> > cor@k53s ~ $ id -Z
> > staff_u:staff_r:staff_t
>
> Any ideas?

See if there is a /etc/pam.d/gdm file (and if not, try to find out which PAM
configuration file your graphical login application uses). Then add a line
similar to https://393329.bugs.gentoo.org/attachment.cgi?id=294905

Wkr,
Sven Vermeulen

Cor Legmaat 02-27-2012 06:53 PM

Gnome wrong Selinux user role.
 
On 02/27/12 21:44, Sven Vermeulen wrote:
> On Mon, Feb 27, 2012 at 09:36:55PM +0200, Cor Legmaat wrote:
>> Hi all:
>>
>> I have an SELinux-enabled system running gnome 3.2 and gdm. My whole
>> profile is mapped to staff_u as recommended by the SELinux manual. When
>> I log in through gdm I am logged in as system_u, and when I log in through ssh it
>> is correct.
>>
>> This is what I get with gnome-terminal:
>>> cor@k53s ~ $ id -Z
>>> system_u:system_r:initrc_t
>>> cor@k53s ~ $ ssh 127.0.0.1
>>> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
>>> cor@k53s ~ $ id -Z
>>> staff_u:staff_r:staff_t
>> Any ideas?
> See if there is a /etc/pam.d/gdm file (and if not, try to find out which PAM
> configuration file your graphical login application uses). Then add a line
> similar to https://393329.bugs.gentoo.org/attachment.cgi?id=294905
>
> Wkr,
> Sven Vermeulen

/etc/pam.d/gdm now, after I added the last line and before rebooting:

#%PAM-1.0
auth optional pam_env.so
auth include system-login
auth required pam_nologin.so

account include system-login

password include system-login

session include system-auth
session optional pam_gnome_keyring.so auto_start
session optional pam_selinux.so

But the problem still exists.

Regards:
Cor

Sven Vermeulen 02-27-2012 07:15 PM

Gnome wrong Selinux user role.
 
On Mon, Feb 27, 2012 at 09:53:41PM +0200, Cor Legmaat wrote:
> >> This is what I get with gnome-terminal:
> >>> cor@k53s ~ $ id -Z
> >>> system_u:system_r:initrc_t
> >>> cor@k53s ~ $ ssh 127.0.0.1
> >>> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
> >>> cor@k53s ~ $ id -Z
> >>> staff_u:staff_r:staff_t
[...]

Hmm, being in initrc_t isn't correct either; I'd at least expect it to be
xdm_t.

Can you check the file context of your gdm binary?

~# ls -Z /usr/sbin/gdm

It should be xdm_exec_t (yes, xdm_exec_t, not gdm_exec_t). If not, set it that
way (and tell me which path the binary is at so I can update the policy).

~# chcon -t xdm_exec_t /usr/sbin/gdm

If the system complains about an unknown type, make sure you have the
xserver module loaded:

~# emerge selinux-xserver
~# semodule -l | grep xserver
~# rlpkg gdm
~# ls -Z /usr/sbin/gdm

Wkr,
Sven Vermeulen

Hinnerk van Bruinehsen 02-27-2012 08:57 PM

Gnome wrong Selinux user role.
 
On 27.02.2012 21:15, Sven Vermeulen wrote:
> On Mon, Feb 27, 2012 at 09:53:41PM +0200, Cor Legmaat wrote:
>>>> This is what I get with gnome-terminal:
>>>>> cor@k53s ~ $ id -Z
>>>>> system_u:system_r:initrc_t
>>>>> cor@k53s ~ $ ssh 127.0.0.1
>>>>> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
>>>>> cor@k53s ~ $ id -Z
>>>>> staff_u:staff_r:staff_t
> [...]
>
> Hmm, being in initrc_t isn't correct either; I'd at least expect it
> to be xdm_t.
>
> Can you check the file context of your gdm binary?
>
> ~# ls -Z /usr/sbin/gdm
>
> It should be xdm_exec_t (yes, xdm_exec_t, not gdm_exec_t). If not,
> set it that way (and tell me which path the binary is at so I can
> update the policy).
>
> ~# chcon -t xdm_exec_t /usr/sbin/gdm
>
> If the system complains about an unknown type, make sure you have
> the xserver module loaded:
>
> ~# emerge selinux-xserver
> ~# semodule -l | grep xserver
> ~# rlpkg gdm
> ~# ls -Z /usr/sbin/gdm
>
> Wkr,
> Sven Vermeulen
>

I have had problems with this myself. Making pam_selinux.so required
in the gdm pam file changed it for me most of the time.
Sometimes I seem to hit some kind of race condition though, which
requires me to restart xdm before getting the right context. It's kind
of annoying...


Cor Legmaat 02-28-2012 03:47 PM

Gnome wrong Selinux user role.
 
On 02/27/12 23:57, Hinnerk van Bruinehsen wrote:
> On 27.02.2012 21:15, Sven Vermeulen wrote:
> > On Mon, Feb 27, 2012 at 09:53:41PM +0200, Cor Legmaat wrote:
> >>>> This is what I get with gnome-terminal:
> >>>>> cor@k53s ~ $ id -Z
> >>>>> system_u:system_r:initrc_t
> >>>>> cor@k53s ~ $ ssh 127.0.0.1
> >>>>> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
> >>>>> cor@k53s ~ $ id -Z
> >>>>> staff_u:staff_r:staff_t
> > [...]
>
> > Hmm, being in initrc_t isn't correct either; I'd at least expect it
> > to be xdm_t.
>
> > Can you check the file context of your gdm binary?
>
> > ~# ls -Z /usr/sbin/gdm
>
> > It should be xdm_exec_t (yes, xdm_exec_t, not gdm_exec_t). If not,
> > set it that way (and tell me which path the binary is at so I can
> > update the policy).
>
> > ~# chcon -t xdm_exec_t /usr/sbin/gdm
>
> > If the system complains about an unknown type, make sure you have
> > the xserver module loaded:
>
> > ~# emerge selinux-xserver
> > ~# semodule -l | grep xserver
> > ~# rlpkg gdm
> > ~# ls -Z /usr/sbin/gdm
> >
> > Wkr,
> > Sven Vermeulen
>
>
> I have had problems with this myself. Making pam_selinux.so required
> in the gdm pam file changed it for me most of the time.
> Sometimes I seem to hit some kind of race condition though, which
> requires me to restart xdm before getting the right context. It's kind
> of annoying...
>
~ #ls -Z /usr/sbin/gdm
system_u:object_r:bin_t /usr/sbin/gdm

selinux-xserver wasn't installed, I installed it now.

~ #semodule -l | grep xserver
xserver 3.6.0
~ #ls -Z /usr/sbin/gdm
system_u:object_r:bin_t /usr/sbin/gdm

~ #chcon -t xdm_exec_t /usr/sbin/gdm
~ #ls -Z /usr/sbin/gdm
system_u:object_r:bin_t /usr/sbin/gdm

~ # rlpkg gdm
Relabeling: gnome-base/gdm-3.2.1.1-r2
/sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
directory
Error relabeling: 256

after that with gnome-terminal:
~ # id -Z
system_u:system_r:xdm_t

Also made pam_selinux.so required but that didn't change any thing.

Regards:
Cor

Sven Vermeulen 02-28-2012 05:48 PM

Gnome wrong Selinux user role.
 
On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm
>
> selinux-xserver wasn't installed, I installed it now.

Explains why it is mislabeled; the xdm_exec_t label can only be used (and
set) when that module is loaded.

> ~ #semodule -l | grep xserver
> xserver 3.6.0
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm

Installing selinux-xserver doesn't automatically relabel files. That's what
the chcon (temporarily) or rlpkg (reset towards the correct one, permanently)
is for.

And since it wasn't installed, it might be a good idea to relabel the entire
system (rlpkg -a -r) as other files might be missing the correct labels as
well. I'll see to it that selinux-xserver is installed when xorg-server is.

> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm

That's weird, the label should be set correctly.

> ~ # rlpkg gdm
> Relabeling: gnome-base/gdm-3.2.1.1-r2
> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
> directory
> Error relabeling: 256

After this, what is the context of /usr/sbin/gdm?

> after that with gnome-terminal:
> ~ # id -Z
> system_u:system_r:xdm_t
>
> Also made pam_selinux.so required but that didn't change any thing.

At least we're a step further. I think, once you have gdm running in the
xdm_t domain, it is a matter of making sure that a logon through xdm
triggers a change in context. That is what pam is (usually) for.

What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well?
Perhaps that one is used?

Wkr,
Sven Vermeulen

Cor Legemaat 02-29-2012 04:23 PM

Gnome wrong Selinux user role.
 
On 02/28/12 20:48, Sven Vermeulen wrote:
> On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
>>
>> selinux-xserver wasn't installed, I installed it now.
> Explains why it is mislabeled; the xdm_exec_t label can only be used (and
> set) when that module is loaded.
>
>> ~ #semodule -l | grep xserver
>> xserver 3.6.0
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> Installing selinux-xserver doesn't automatically relabel files. That's what
> the chcon (temporarily) or rlpkg (reset towards the correct one, permanently)
> is for.
>
> And since it wasn't installed, it might be a good idea to relabel the entire
> system (rlpkg -a -r) as other files might be missing the correct labels as
> well. I'll see to it that selinux-xserver is installed when xorg-server is.
>
>> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> That's weird, the label should be set correctly.
>
>> ~ # rlpkg gdm
>> Relabeling: gnome-base/gdm-3.2.1.1-r2
>> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
>> directory
>> Error relabeling: 256
> After this, what is the context of /usr/sbin/gdm?
>
>> after that with gnome-terminal:
>> ~ # id -Z
>> system_u:system_r:xdm_t
>>
>> Also made pam_selinux.so required but that didn't change any thing.
> At least we're a step further. I think, once you have gdm running in the
> xdm_t domain, it is a matter of making sure that a logon through xdm
> triggers a change in context. That is what pam is (usually) for.
>
> What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well?
> Perhaps that one is used?
>
> Wkr,
> Sven Vermeulen
>
>
>
After the changes the context of /usr/sbin/gdm stays the same.

Relabeled the whole file-system without any success.

I added the pam_selinux.so module to /etc/pam.d/gdm-password, which
solved the problem. It seems that to get it right, the pam_selinux.so module
should be added to all of /etc/pam.d/gdm, /etc/pam.d/gdm-autologin,
/etc/pam.d/gdm-fingerprint, /etc/pam.d/gdm-password,
/etc/pam.d/gdm-smartcard and /etc/pam.d/gdm-welcome.

Now with gnome-terminal:
~ #id -Z
staff_u:staff_r:staff_t

Thanks for your help, Sven.

Regards:
Cor
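An added example, not code from the thread or from Gentoo's tooling: a small POSIX shell audit that does the two checks this thread turned on, in Sven's post about the gdm binary's file context and in Cor's closing post about the gdm-* PAM service files. It (1) reads the type field out of an `ls -Z` line and compares it with the expected `xdm_exec_t`, and (2) scans a directory of PAM service files for any whose session stack has no active (uncommented) `pam_selinux.so` line, which is exactly the set of files Cor had to fix. All input is constructed: a temporary directory with hypothetical gdm, gdm-password and gdm-autologin files, and hand-written `ls -Z` lines, so it runs on a host without SELinux. On a real Gentoo system you would point `pam_missing_selinux` at /etc/pam.d and feed `check_exec_type` the actual `ls -Z /usr/sbin/gdm` output. The function names are mine; the only tools assumed are sh, awk, grep and mktemp.

```shell
#!/bin/sh
# Added example (not from the thread). Audits the file context of the
# display manager binary and the presence of pam_selinux.so in every
# gdm-* PAM service file. Sample data is constructed for the demo.

# context_type "user:role:type[:level] path" -> prints the type field of
# an ls -Z line. Works for both 3-field and MLS 4-field contexts.
context_type() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# check_exec_type LSZ_LINE EXPECTED -> exit 0 if the type equals EXPECTED.
check_exec_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# pam_has_selinux FILE -> exit 0 if FILE has an uncommented "session"
# line loading pam_selinux.so, with any control flag (including [...]).
pam_has_selinux() {
    grep -Eq '^[[:space:]]*session[[:space:]]+(required|requisite|sufficient|optional|\[[^]]*\])[[:space:]]+pam_selinux\.so' "$1"
}

# pam_missing_selinux DIR PREFIX -> prints, one per line, the names of the
# DIR/PREFIX* files that lack such a line; these are the ones to fix.
pam_missing_selinux() {
    for f in "$1"/"$2"*; do
        [ -f "$f" ] || continue
        pam_has_selinux "$f" || basename "$f"
    done
}

# make_sample_pamdir -> creates a temp dir with constructed (hypothetical)
# gdm service files and prints its path. Only "gdm" carries the
# pam_selinux.so session line; gdm-password lacks it entirely and
# gdm-autologin has it only as a comment.
make_sample_pamdir() {
    sample_dir=$(mktemp -d) || return 1
    cat > "$sample_dir/gdm" <<'EOF'
#%PAM-1.0
auth     optional pam_env.so
auth     include  system-login
session  include  system-auth
session  optional pam_selinux.so
EOF
    cat > "$sample_dir/gdm-password" <<'EOF'
#%PAM-1.0
auth     include  system-login
session  include  system-auth
EOF
    cat > "$sample_dir/gdm-autologin" <<'EOF'
#%PAM-1.0
auth     include  system-login
session  include  system-auth
#session optional pam_selinux.so
EOF
    printf '%s\n' "$sample_dir"
}

# Demo run over the constructed data.
demo_dir=$(make_sample_pamdir)
echo "PAM service files under $demo_dir missing pam_selinux.so:"
pam_missing_selinux "$demo_dir" gdm
rm -rf "$demo_dir"

# Two hand-written ls -Z lines: the mislabeled one from the thread and
# the expected one after relabeling.
for line in "system_u:object_r:bin_t /usr/sbin/gdm" \
            "system_u:object_r:xdm_exec_t /usr/sbin/gdm"; do
    if check_exec_type "$line" xdm_exec_t; then
        echo "OK       $line"
    else
        echo "MISLABEL $line (expected xdm_exec_t, got $(context_type "$line"))"
    fi
done
```

The grep deliberately ignores commented lines and lines in other stacks (auth, account, password), because only a session-stack pam_selinux.so entry sets the context for the login process; a file that mentions the module elsewhere still shows up as missing.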
