Gnome wrong Selinux user role.

> On Mon, Feb 27, 2012 at 09:36:55PM +0200, Cor Legmaat wrote:
>> Hi all:
>>
>> I have an Selinux enabled system running gnome 3.2 and gdm. My whole
>> profile is mapped to staff_u as recommended by the Selinux manual. When
>> I login true gdm I am logged in as system_u and when I login true ssh it
>> is correct.
>>
>> This is what I get with gnome-terminal:
>>> cor@k53s ~ $ id -Z
>>> system_u:system_r:initrc_t
>>> cor@k53s ~ $ ssh 127.0.0.1
>>> Last login: Mon Feb 27 20:01:41 SAST 2012 from k53s.cor.za.net on pts/1
>>> cor@k53s ~ $ id -Z
>>> staff_u:staff_r:staff_t
>> Any ideas?
> See if there is a /etc/pam.d/gdm file (and if not, try to find out which PAM
> configuration file your graphical login application uses). Then add a line
> similar to https://393329.bugs.gentoo.org/attachment.cgi?id=294905
>
> Wkr,
> Sven Vermeulen

> On 27.02.2012 21:15, Sven Vermeulen wrote:
> > On Mon, Feb 27, 2012 at 09:53:41PM +0200, Cor Legmaat wrote:
> >>>> This is what I get with gnome-terminal:
> >>>>> cor@k53s ~ $ id -Z system_u:system_r:initrc_t cor@k53s ~ $
> >>>>> ssh 127.0.0.1 Last login: Mon Feb 27 20:01:41 SAST 2012
> >>>>> from k53s.cor.za.net on pts/1 cor@k53s ~ $ id -Z
> >>>>> staff_u:staff_r:staff_t
> > [...]
>
> > Hmm, being in initrc_t isn't correct either; I'd at least expect it
> > to be xdm_t.
>
> > Can you check the file context of your gdm binary?
>
> > ~# ls -Z /usr/sbin/gdm
>
> > It should be xdm_exec_t (yes, xdm_exec_t, not gdm_exec_t). If not,
> > set it that way (and tell me which path the binary is at so I can
> > update the policy).
>
> > ~# chcon -t xdm_exec_t /usr/sbin/gdm
>
> > If the system complains about an unknown type, make sure you have
> > the xserver module loaded:
>
> > ~# emerge selinux-xserver ~# semodule -l | grep xserver ~# rlpkg
> > gdm ~# ls -Z /usr/sbin/gdm
>
> > Wkr, Sven Vermeulen
>
>
> If have had problems with this myself. Making pam_selinux.so required
> in the gdm pam file changed it for me most of the time.
> Sometimes I seem to hit some kind of race condition though which
> requires me to restart xdm before getting the right context. It's kind
> of anoying...
>

> On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
>>
>> selinux-xserver wasn't installed, I installed it now.
> Explains why it is mislabeled; the xdm_exec_t label can only be used (and
> set) when that module is loaded.
>
>> ~ #semodule -l | grep xserver
>> xserver    3.6.0
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> Installing selinux-xserver doesn't automatically relabel files. That's what
> the chcon (temporily) or rlpkg (reset towards the correct one, permanently)
> is for.
>
> And since it wasn't installed, it might be a good idea to relabel the entire
> system (rlpkg -a -r) as other files might be missing the correct labels as
> well. I'll see to it that selinux-xserver is installed when xorg-server is.
>
>> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> That's weird, the label should be set correctly.
>
>> ~ # rlpkg gdm
>> Relabeling: gnome-base/gdm-3.2.1.1-r2
>> /sbin/restorecon:  lstat(/var/run/gdm/greeter) failed:  No such file or
>> directory
>> Error relabeling: 256
> After this, what is the context of /usr/sbin/gdm?
>
>> after that with gnome-terminal:
>> ~ # id -Z
>> system_u:system_r:xdm_t
>>
>> Also made pam_selinux.so required but that didn't change any thing.
> At least we're a step further. I think, once you have gdm running in the
> xdm_t domain, it is a matter of making sure that a logon through xdm
> triggers a change in context. That is what pam is (usually) for.
>
> What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well?
> Perhaps that one is used?
>
> Wkr,
> Sven Vermeulen
>
>
>