On 02/28/12 20:48, Sven Vermeulen wrote:
> On Tue, Feb 28, 2012 at 06:47:02PM +0200, Cor Legmaat wrote:
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
>>
>> selinux-xserver wasn't installed, I installed it now.
> Explains why it is mislabeled; the xdm_exec_t label can only be used (and
> set) when that module is loaded.
>
>> ~ #semodule -l | grep xserver
>> xserver 3.6.0
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> Installing selinux-xserver doesn't automatically relabel files. That's what
> the chcon (temporarily) or rlpkg (reset towards the correct one, permanently)
> is for.
>
> And since it wasn't installed, it might be a good idea to relabel the entire
> system (rlpkg -a -r) as other files might be missing the correct labels as
> well. I'll see to it that selinux-xserver is installed when xorg-server is.
>
>> ~ #chcon -t xdm_exec_t /usr/sbin/gdm
>> ~ #ls -Z /usr/sbin/gdm
>> system_u:object_r:bin_t /usr/sbin/gdm
> That's weird, the label should be set correctly.
>
>> ~ # rlpkg gdm
>> Relabeling: gnome-base/gdm-3.2.1.1-r2
>> /sbin/restorecon: lstat(/var/run/gdm/greeter) failed: No such file or
>> directory
>> Error relabeling: 256
> After this, what is the context of /usr/sbin/gdm?
>
>> after that with gnome-terminal:
>> ~ # id -Z
>> system_u:system_r:xdm_t
>>
>> Also made pam_selinux.so required but that didn't change anything.
> At least we're a step further. I think, once you have gdm running in the
> xdm_t domain, it is a matter of making sure that a logon through xdm
> triggers a change in context. That is what pam is (usually) for.
>
> What file have you edited? /etc/pam.d/gdm? Is there an xdm file as well?
> Perhaps that one is used?
>
> Wkr,
> Sven Vermeulen
>
>
>
After the changes the context of /usr/sbin/gdm stays the same.
Relabeled the whole file-system without any success.

I added the pam_selinux.so module to /etc/pam.d/gdm-password, which solved
the problem. It seems that, to get it right, the pam_selinux.so module
should be added to all of:

  /etc/pam.d/gdm
  /etc/pam.d/gdm-autologin
  /etc/pam.d/gdm-fingerprint
  /etc/pam.d/gdm-password
  /etc/pam.d/gdm-smartcard
  /etc/pam.d/gdm-welcome

Now with gnome-terminal:
~ #id -Z
staff_u:staff_r:staff_t

Tnx for your help Sven.

Regards:
Cor
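The fix reported in the message above depends on every gdm PAM service file pulling in pam_selinux.so. The script below is an added example, not part of the original thread or of any Gentoo tool: it lists service files with no active session entry for the module, either direct or inherited through `include`/`substack`. The function names and the sample files are constructed for illustration, and it assumes the module is configured on the session stack.

```shell
#!/bin/sh
# Added example: list PAM service files with no active session entry for
# pam_selinux.so, following "session include/substack" lines.
# Function names and the sample files below are constructed for illustration.

# Succeeds if FILE, or a file it includes for the session stack, has an
# uncommented session line that names pam_selinux.so. The body is a subshell
# so the recursion cannot clobber the caller's variables.
has_pam_selinux() (
    file="$1"; depth="${2:-0}"
    [ -r "$file" ] && [ "$depth" -lt 5 ] || exit 1   # depth cap stops include loops
    sed 's/#.*//' "$file" | {
        while read -r type control module rest; do
            case "$type" in session|-session) ;; *) continue ;; esac
            case " $control $module $rest " in *pam_selinux.so*) exit 0 ;; esac
            case "$control" in include|substack)
                has_pam_selinux "$PAM_DIR/$module" $((depth + 1)) && exit 0 ;;
            esac
        done
        exit 1
    }
)

# Prints every FILE argument that lacks the entry, one per line.
missing_pam_selinux() {
    for f in "$@"; do
        has_pam_selinux "$f" || printf '%s\n' "$f"
    done
}

# Constructed sample tree: one direct entry, one inherited, one commented out.
demo_dir() {
    d=$(mktemp -d)
    printf 'session required pam_selinux.so\n' > "$d/system-login"
    printf 'auth required pam_unix.so\nsession required pam_selinux.so\n' > "$d/gdm-password"
    printf 'session include system-login\n' > "$d/gdm-autologin"
    printf '#session required pam_selinux.so\nsession required pam_unix.so\n' > "$d/gdm-welcome"
    printf '%s\n' "$d"
}

# Uses the constructed tree unless PAM_DIR is already set in the environment.
PAM_DIR="${PAM_DIR:-$(demo_dir)}"
missing_pam_selinux "$PAM_DIR"/gdm*    # sample tree: reports only gdm-welcome
```

Run it with `PAM_DIR=/etc/pam.d` to check the real service files; any file it prints will not trigger the context change on login.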