Bug 160881

Summary: Xdm does not set correct SELinux context
Product: [Fedora] Fedora
Reporter: Göran Uddeborg <goeran>
Component: xorg-x11
Assignee: X/OpenGL Maintenance List <xgl-maint>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4
CC: djuran, dwalsh, rcoker
Hardware: All   
OS: Linux   
Last Closed: 2005-06-23 11:26:01 UTC

Description Göran Uddeborg 2005-06-17 23:00:53 UTC
Description of problem:
When using a strict policy, I can't seem to log in at all using xdm.  Changing
to permissive mode reveals that the context isn't changed from system and xdm.

Version-Release number of selected component (if applicable):
xorg-x11-6.8.2-31
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Set XDM as display manager (DISPLAYMANAGER="XDM" in /etc/sysconfig/desktop)
2. Select strict policy
3. Try to log in.
  
Actual results:
The login screen returns.  In permissive mode I'm logged in, but the process
tree looks like this:

prefdm(3593,`system_u:system_r:initrc_t')
 └─xdm(3599,`system_u:system_r:xdm_t')
    ├─X(3601,`system_u:system_r:xdm_xserver_t')
    └─xdm(3822,`system_u:system_r:xdm_t')
       └─gnome-session(3841,`system_u:system_r:xdm_t')
          └─ssh-agent(3884,`system_u:system_r:xdm_t')

Note that gnome-session still has context system_u:system_r:xdm_t

Expected results:
Something similar to this, which is what you get with the default GDM:

prefdm(2185,`system_u:system_r:initrc_t')
 └─gdm-binary(2333,`system_u:system_r:xdm_t')
    └─gdm-binary(2383,`system_u:system_r:xdm_t')
       ├─X(2388,`system_u:system_r:xdm_xserver_t')
       └─gnome-session(2500,`user_u:user_r:user_t')
          └─ssh-agent(2548,`user_u:user_r:user_ssh_agent_t')


Additional info:
Presumably, xdm should do a set(exec)con somewhere before starting the session.

Comment 2 Daniel Walsh 2005-06-23 11:26:01 UTC
The problem here is that xdm has not been ported to use SELinux, and it is not
using the pam_selinux.so.  Try setting up its pam file like login.

I think the only thing we support is gdm for SELinux anyways.

Dan

Comment 3 Mike A. Harris 2005-06-23 17:35:54 UTC
That's what I suspected.  Thanks for the info Dan.

Comment 4 Göran Uddeborg 2005-06-27 21:02:59 UTC
Including pam_selinux in /etc/pam.d/xdm in a similar way as in /etc/pam.d/login
does indeed seem to help.  (nottys rather than multiple, but otherwise the same.)

Given the emphasis on SELinux in FC and RHEL nowadays, wouldn't it make sense to
do this in the distributed version?  It seems all display managers (and other
login methods) ought to be SELinux-enabled.  At least as long as it is as easy
as this fix was.
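
A check for the condition discussed in this thread, as an added example that is not part of the original bug report or of any Fedora package: it audits the text of a /etc/pam.d service file for pam_selinux session rules. The sample file contents are constructed, and the ordering checks (close first, open last among session rules) are an assumption based on the usual pam_selinux layout.

```python
import os

def session_rules(pam_text):
    """Return [(module, args)] for each session rule in a pam.d file."""
    rules = []
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0].lstrip("-") != "session":
            continue
        # Module is the first *.so token (maybe a full path), else the last token.
        idx = next((i for i, t in enumerate(tokens) if t.endswith(".so")),
                   len(tokens) - 1)
        rules.append((os.path.basename(tokens[idx]), tokens[idx + 1:]))
    return rules

def audit_pam_selinux(pam_text):
    """Return findings about pam_selinux use in one service file."""
    rules = session_rules(pam_text)
    opens, closes, findings = [], [], []
    for pos, (module, args) in enumerate(rules):
        # With neither keyword the module runs both its open and close parts.
        both = "open" not in args and "close" not in args
        if module == "pam_selinux.so" and (both or "open" in args):
            opens.append(pos)
        if module == "pam_selinux.so" and (both or "close" in args):
            closes.append(pos)
    if not opens:
        findings.append("no pam_selinux open: session keeps the login program's context")
    elif opens[-1] != len(rules) - 1:
        findings.append("pam_selinux open is not the last session rule")
    if not closes:
        findings.append("no pam_selinux close")
    elif closes[0] != 0:
        findings.append("pam_selinux close is not the first session rule")
    return findings

# Constructed samples, not the files shipped by Fedora.
XDM_UNPATCHED = """\
auth     required  pam_stack.so service=system-auth
session  required  pam_stack.so service=system-auth
"""
XDM_PATCHED = """\
auth     required  pam_stack.so service=system-auth
session  required  pam_selinux.so close
session  required  pam_stack.so service=system-auth
session  required  pam_selinux.so nottys open
"""

if __name__ == "__main__":
    print(audit_pam_selinux(XDM_UNPATCHED), audit_pam_selinux(XDM_PATCHED))
```

An empty result for a service file means both the open and close rules are present and placed as expected; running the same function over every file in /etc/pam.d shows which login paths would leave sessions in the daemon's domain.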