So. I've got vanilla FC2 with SELinux loaded and the standard policy sources loaded on my laptop. For various reasons (low memory and a general dislike for all things GNOME; primarily), I'm trying to make good old xdm work and start boring old twm. This requires a little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab. No big deal here.
As packaged, the policy sets up xdm running as system_u:system_r:xdm_t. This starts a copy of X which is transitioned into system_u:system_r:xdm_xserver_t. Then there's a display ":0" sitting around on a third pid running as system_u:system_r:xdm_t. Fine.
Logging in as my user (which results in a nice clean emf:user_r:user_t on the console) launches a twm as system_u:system_r:xdm_t, and then when I attempt to run an xterm, I get the following avc denies:
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
and xterm promptly exits since it can't get a pty, and everything is still running as system_r:xdm_t, which is the real issue here.
/etc/security/default_contexts does have an entry for: system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
I even tried changing that to read: system_r:xdm_t user_r:user_t
At this point, I started flailing around a little bit and created an Xwm.{te|fc} pair:
type Xwm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(xdm_t,Xwm_exec_t,user_t)
/usr/X11R6/bin/twm system_u:object_r:Xwm_exec_t
reloaded the policy, and relabelled twm. All good, yes? No!
Now, when xdm->Xsession fires off twm, I get this:
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
and twm exits. Clearly, that wasn't the answer.
So... the questions are:
1) Why doesn't default_contexts appear to have any influence upon xdm?
1a) Is there a way to force it?
2) What am I supposed to do to get my window manager and its children into user_r:user_t?
Thanks in advance...
On Mon, 2004-05-31 at 15:08, Erik Fichtner wrote:
So. I've got vanilla FC2 with SELinux loaded and the standard policy sources loaded on my laptop. For various reasons (low memory and a general dislike for all things GNOME; primarily), I'm trying to make good old xdm work and start boring old twm. This requires a little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab. No big deal here.
[xgk]dm need to be modified to set the SELinux security context for the session. SELinux support has been upstreamed in gdm. Patches for other *dm programs have been floating around for some time, e.g. see http://marc.theaimsgroup.com/?l=selinux&m=107031914600885&w=2. The other alternative is to try to use pam_selinux, but that wouldn't work for gdm (pam_open_session is called from the wrong process to set up the context).
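Working from the AVC lines quoted in the original post, here is an added example (my own code, not from the thread, from SELinux or from any *dm) that splits each denial into fields and flags the symptom Erik describes: user-facing programs whose source context still carries the system_r role instead of user_r. The sample log is constructed (two lines copied from the post plus one made-up user_r line), and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two denials from the post, plus one line already in user_r.
SAMPLE_LOG = """\
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { write } for pid=4100 exe=/bin/bash name=foo dev=hda2 ino=7 scontext=emf:user_r:user_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc: denied { perms } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # \S* so an empty "dev=" still parses


@dataclass
class AvcDenial:
    perms: List[str]
    pid: Optional[int]
    exe: str
    scontext: str
    tcontext: str
    tclass: str

    def source_role(self) -> str:
        # A context is user:role:type[:mls]; the role is the second field.
        return self.scontext.split(":")[1]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one kernel AVC denial line; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(m.group("fields")))
    return AvcDenial(perms=m.group("perms").split(),
                     pid=int(f["pid"]) if f.get("pid") else None,
                     exe=f.get("exe", ""), scontext=f.get("scontext", ""),
                     tcontext=f.get("tcontext", ""), tclass=f.get("tclass", ""))


def denials_from_log(text: str) -> List[AvcDenial]:
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def session_in_system_role(denials, user_bins=("/usr/bin/", "/usr/X11R6/bin/")):
    """Denials where a user-session program runs with the system_r role (the post's bug)."""
    return [d for d in denials if d.exe.startswith(user_bins) and d.source_role() == "system_r"]
```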
selinux@lists.fedoraproject.org