So. I've got vanilla FC2 with SELinux loaded and the standard
policy sources loaded on my laptop. For various reasons (low memory
and a general dislike for all things GNOME; primarily), I'm trying to
make good old xdm work and start boring old twm. This requires a
little bit of manhandling within /etc/X11/xdm/Xsession and /etc/inittab.
No big deal here.
As packaged, the policy sets up xdm running as system_u:system_r:xdm_t.
This starts a copy of X which is transitioned into
system_u:system_r:xdm_xserver_t. Then there's a display ":0" sitting
around on a third pid running as system_u:system_r:xdm_t. Fine.
Logging in as my user (which results in a nice clean emf:user_r:user_t
on the console) launches a twm as system_u:system_r:xdm_t, and then
when I attempt to run an Xterm; i get the following avc denies:
avc: denied { read write } for pid=3793 exe=/usr/bin/xterm name=ptmx dev=hda2 ino=134859 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:ptmx_t tclass=chr_file
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
avc: denied { search } for pid=3793 exe=/usr/bin/xterm dev= ino=1 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:devpts_t tclass=dir
and xterm promptly exits since it can't get a pty, and everything is
still running as system_r:xdm_t; the real issue here.
/etc/security/default_contexts does have an entry for:
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
I even tried changing that to read:
system_r:xdm_t user_r:user_t
At this point, I started flailing around a little bit and created an
Xwm.{te|fc} pair:
type Xwm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(xdm_t,Xwm_exec_t,user_t)
/usr/X11R6/bin/twm system_u:object_r:Xwm_exec_t
reloaded the policy, and relabelled twm. Alles gut, ya? Nein!
Now, when xdm->Xsession fires off twm, i get this:
security_compute_sid: invalid context system_u:system_r:user_t for scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:Xwm_exec_t tclass=process
and twm exits. Clearly, that wasn't the answer.
So..... Questions are:
1) why doesn't default_contexts appear to have any influence upon xdm?
1a) is there a way to force it?
2) what am I supposed to do to get my window manager and its children
into user_r:user_t ?
Thanks in advance...
--
Erik Fichtner; Unix Ronin
