On Wed, 2004-12-08 at 18:09, Nalin Dahyabhai wrote: > I think some piece of code (pam_selinux maybe?) is assuming that > prepending "/dev/" to the value of the PAM_TTY item results in a path > which can be relabeled. I think gdm sets it to ":0" on at least some > platforms, for example. > > Is there a particular command or program being run when this happens, or > is it happening when you log in? Hmm...I thought that the SELinux patch for gdm was upstreamed and that it no longer needed to use pam_selinux (and I seem to recall pam_selinux not working for gdm anyway since the pam_open_session call was made from the wrong process to set up the exec context), but I still see a pam_selinux entry in /etc/pam.d/gdmsetup. Ok, looking at the gdm SRPM, there is definitely SELinux code in daemon/slave.c to get the user's default context and set the exec context, so I don't see why you'd need pam_selinux for it. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
