On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm
>
> selinux-xserver wasn't installed, I installed it now.

Explains why it is mislabeled; the xdm_exec_t label can only be used (and set) when that module is loaded.

> ~ #semodule -l | grep xserver
> xserver 3.6.0
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm

Installing selinux-xserver doesn't automatically relabel files. That's what the chcon (temporarily) or rlpkg (reset towards the correct one, permanently) is for. And since it wasn't installed, it might be a good idea to relabel the entire system (rlpkg -a -r) as other files might be missing the correct labels as well.

I'll see to it that selinux-xserver is installed when xorg-server is.

> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
> ~ #ls -Z /usr/sbin/gdm
> system_u:object_r:bin_t /usr/sbin/gdm

That's weird, the label should be set correctly.

> ~ # rlpkg gdm
> Relabeling: gnome-base/gdm-3.2.1.1-r2
> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
> directory
> Error relabeling: 256

After this, what is the context of /usr/sbin/gdm?

> after that with gnome-terminal:
> ~ # id -Z
> system_u:system_r:xdm_t
>
> Also made pam_selinux.so required but that didn't change anything.

At least we're a step further. I think, once you have gdm running in the xdm_t domain, it is a matter of making sure that a logon through xdm triggers a change in context. That is what pam is (usually) for.

What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well? Perhaps that one is used?

Wkr,
Sven Vermeulen