Re: opensuse and SELinux = some dbus problem with xdm/gdm

On Wed, Sep 9, 2009 at 8:38 AM, Justin P. Mattock
<justinmattock@xxxxxxxxx> wrote:
> Stephen Smalley wrote:
>>
>> On Wed, 2009-09-09 at 07:51 -0700, Justin P. Mattock wrote:
>>
>>>
>>> Stephen Smalley wrote:
>>>
>>>>
>>>> On Tue, 2009-09-08 at 22:33 -0700, Justin P. Mattock wrote:
>>>>
>>>>
>>>>>
>>>>> Justin Mattock wrote:
>>>>>
>>>>>
>>>>>>
>>>>>> Not sure if this is SELinux/refpolicy
>>>>>>
>>>>>> Out of curiosity I wanted to setup the latest
>>>>>> policy with the latest opensuse.
>>>>>> Seems everything has gone o.k. for the moment.
>>>>>>
>>>>>> The problem I'm running into is xdm/gdm seems to crap out
>>>>>> with some dbus error message:
>>>>>>
>>>>>> ** (gdm:1566): WARNING **: Couldn't connect to system bus: An SELinux
>>>>>> policy prevents this sender from sending this message to this
>>>>>> recipient
>>>>>> (rejected message had sender "(unset)" interface "freedesktop.DBus"
>>>>>> member "Hello"
>>>>>> error name "(unset)" destination "org.freedesktop.DBus")
>>>>>>
>>>>>> The funny thing with this is with the initial policy load
>>>>>> I hadn't relabeled yet, and the system had loaded the policy
>>>>>> just fine and xdm worked; then once I relabeled this appeared and
>>>>>> xdm/gdm
>>>>>> just craps out. (The policy is all in permissive mode; giving selinux=0
>>>>>> makes the system operate as it should.)
>>>>>>
>>>>>> Also not sure if this matters but in
>>>>>> /etc/pam.d/{gdm,login,xdm} I added
>>>>>> pam_selinux.so open/close but had no idea
>>>>>> where they should be placed.
>>>>>>
>>>>>> Any ideas?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Shoot, I didn't look, but when I do an
>>>>> ldd /usr/sbin/gdm I see nothing with libselinux nor
>>>>> libaudit.
>>>>>
>>>>> Loading an ubuntu livecd results in showing
>>>>> libselinux.
>>>>>
>>>>> My guess is, since this is a development version, they haven't
>>>>> enabled SELinux support yet with gdm.
>>>>>
>>>>> Ohh well, I guess I'll leave it at that.
>>>>>
>>>>>
>>>>
>>>> The gdm selinux support was obsoleted by the gdm rewrite, so it isn't
>>>> necessary to link it with libselinux anymore.  It all gets handled by
>>>> pam_selinux in /etc/pam.d/gdm.  In Fedora, /etc/pam.d/gdm looks like
>>>> this:
>>>> #%PAM-1.0
>>>> auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
>>>> auth       required    pam_succeed_if.so user != root quiet
>>>> auth       required    pam_env.so
>>>> auth       substack    system-auth
>>>> auth       optional    pam_gnome_keyring.so
>>>> account    required    pam_nologin.so
>>>> account    include     system-auth
>>>> password   include     system-auth
>>>> session    required    pam_selinux.so close
>>>> session    required    pam_loginuid.so
>>>> session    optional    pam_console.so
>>>> session    required    pam_selinux.so open
>>>> session    optional    pam_keyinit.so force revoke
>>>> session    required    pam_namespace.so
>>>> session    optional    pam_gnome_keyring.so auto_start
>>>> session    include     system-auth
>>>>
>>>> BTW, I would recommend testing the policy package provided by OpenSUSE
>>>> to see if it works before trying upstream refpolicy.
>>>>
>>>> And report issues with their SELinux integration to their bugzilla, not
>>>> to us.  It won't get fixed if you just post it here.
>>>>
>>>> Are you following the guidance at:
>>>> http://en.opensuse.org/SELinux
>>>>
>>>> You have to add an additional repository to pick up their policy and
>>>> associated packages.
>>>>
>>>> The SELinux integration work seems to be getting tracked on this blog:
>>>> http://thetoms-random-thoughts.blogspot.com/search/label/Security
>>>>
>>>>
>>>>
>>>
>>> So you're telling me you can compile this
>>> package without the audit/selinux switches,
>>> and still run a policy?
>>>
>>
>> Yes, assuming that they are using the newer gdm.  I looked into this
>> earlier this year when investigating a gdm-selinux interaction and found
>> that although gdm is still being linked against libselinux in Fedora, it
>> doesn't actually make any direct calls to it anymore.  The linking with
>> libselinux is just a leftover from the prior SELinux support but is no
>> longer required, as all the actual processing has migrated to
>> pam_selinux.  That wasn't possible with the original gdm since it did
>> the pam_open_session() from a different process, but works with the new
>> gdm's architecture.
>>
>> You could tell for certain by grabbing their gdm .src.rpm and checking
>> whether it in fact contains any calls to setexeccon().  The old gdm did;
>> the new one does not.
>>
>>
>
> Ahh, that probably explains why there aren't links to
> very many libraries.
> They're using the newer version 2.27.4.
>
>>> Doing an ldd /usr/sbin/gdm
>>> shows nothing with libpam (ubuntu does).
>>>
>>> As of now everything is opensused out;
>>> I did have the userspace put in, but it was easily
>>> written over by suse. I'll try
>>> your gdm config for pam.d, but I'm just not
>>> connecting the dots on this. FWIW, here's what
>>> ldd /usr/sbin/gdm has for the libs:
>>>
>>> linux-vdso.so.1
>>> libXau.so.6
>>> libdbus-glib-1.so.2
>>> libgobject-2.0.so.0
>>> libglib-2.0.so.0
>>> libdbus-1.so.3
>>> libpthread.so.0
>>> libXdmcp.so.6
>>> libwrap.so.0
>>> libc.so.6
>>> libpcre.so.0
>>> librt.so.1
>>> ld-linux-x86-64.so.2
>>>
>>> I suppose I have to reinstall to get things in order.
>>>
>>> Justin P. Mattock
>>>
>
> I'll go and clear the board on this one and
> start over, load all of their versions of
> SELinux to see where it takes me.
>
> Justin P. Mattock

Thanks for the info on:
 http://thetoms-random-thoughts.blogspot.com/search/label/Security
Seems they have been hitting this issue for
quite some time (11.2 4 something).

Anyways, like you had requested, I'll go and
seek info from this gentleman
before posting to SELinux.


-- 
Justin P. Mattock
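
An added example, not code from the thread, from gdm, or from openSUSE/Fedora: two shell checks for the points Stephen raises above. The first reports whether a gdm binary still links libselinux and whether it imports setexeccon(), which the old gdm called itself and the rewritten gdm leaves to pam_selinux. The second parses a PAM stack and checks that pam_selinux.so sits on session lines only, that both close and open are present, and that close precedes open, the order the quoted Fedora /etc/pam.d/gdm uses. The gdm path, the constructed sample PAM file and the awk-based parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example: not gdm's, openSUSE's or Fedora's code.  Assumptions:
# the gdm path, the constructed sample PAM file below, and that nm(1)
# and ldd(1) are available for the linkage check.

# gdm_selinux_linkage BIN
# The old gdm called setexeccon() itself; the rewritten gdm leaves the
# context switch to pam_selinux, so a libselinux link is only a leftover.
# Returns 0 when BIN imports no setexeccon() symbol, 1 when it does.
gdm_selinux_linkage() {
    bin=$1
    if ldd "$bin" 2>/dev/null | grep -q libselinux; then
        echo "$bin: linked against libselinux"
    else
        echo "$bin: not linked against libselinux"
    fi
    if nm -D "$bin" 2>/dev/null | grep -q 'setexeccon'; then
        echo "$bin: imports setexeccon() - old-style gdm, sets its own context"
        return 1
    fi
    echo "$bin: no setexeccon() import - context switch left to pam_selinux"
    return 0
}

# check_pam_selinux FILE
# Parses a PAM stack and checks how pam_selinux.so is wired in:
#   - it appears only on "session" lines (auth/account lines are wrong)
#   - both "close" and "open" are present
#   - "close" precedes "open", as in the Fedora gdm file
# Prints findings; returns 0 when all three hold, 1 otherwise.
check_pam_selinux() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            type = $1; sub(/^-/, "", type)       # "-session" is a legal spelling
            module = ""; arg = ""
            # the control field may be a bracketed list containing spaces,
            # so locate the module by its .so suffix instead of by column
            for (i = 2; i <= NF; i++)
                if ($i ~ /\.so$/) { module = $i; arg = $(i + 1); break }
            if (module !~ /(^|\/)pam_selinux\.so$/) next
            if (type != "session") {
                printf("line %d: pam_selinux.so on a \"%s\" line; it belongs in the session stack\n", NR, type)
                bad = 1; next
            }
            if (arg == "close") close_ln = NR
            if (arg == "open")  open_ln = NR
        }
        END {
            if (!close_ln) { print "missing: session ... pam_selinux.so close"; bad = 1 }
            if (!open_ln)  { print "missing: session ... pam_selinux.so open";  bad = 1 }
            if (close_ln && open_ln && close_ln > open_ln) {
                printf("order: close (line %d) must precede open (line %d)\n", close_ln, open_ln)
                bad = 1
            }
            if (!bad) printf("ok: close at line %d, open at line %d\n", close_ln, open_ln)
            exit bad
        }' "$1"
}

# Demo on a constructed copy of the session part of the Fedora file
# quoted in the thread (sample input, not read from this machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#%PAM-1.0
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    include     system-auth
EOF
check_pam_selinux "$sample"
rm -f "$sample"

# Linkage check only if a gdm binary is present at the assumed path.
if [ -x /usr/sbin/gdm ]; then
    gdm_selinux_linkage /usr/sbin/gdm
fi
```

On a real system run `check_pam_selinux /etc/pam.d/gdm` (and the same for login and xdm); a non-zero exit points at the line it objects to. The ordering matters because pam_selinux open sets the exec context the session's processes will inherit, so it has to come after close has reset any leftover context and after the modules that need to run in the login process's own context.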


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
