Red Hat Bugzilla – Bug 160881
Xdm does not set correct SELinux context
Last modified: 2007-11-30 17:11:08 EST
Description of problem:
When using a strict policy, I can't seem to log in at all using xdm. Changing
to permissive mode reveals that the context isn't changed from system and xdm.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set XDM as display manager (DISPLAYMANAGER="XDM" in /etc/sysconfig/desktop)
2. Select strict policy
3. Try to log in.
The login screen returns. In permissive mode I'm logged in, but the process
tree looks like this:
Note that gnome-session still has context system_u:system_r:xdm_t
Something similar to this, which is what you get with the default GDM:
Presumably, xdm should do a set(exec)con somewhere before starting the session.
The problem here is that xdm has not been ported to use SELinux, and it is not
using the pam_selinux.so. Try setting up its pam file like login.
I think the only thing we support is gdm for SELinux anyways.
That's what I suspected. Thanks for the info Dan.
Including pam_selinux in /etc/pam.d/xdm in a similar way as in /etc/pam.d/login
does indeed seem to help. (nottys rather than multiple, but otherwise the same.)
Given the emphasis on SELinux in FC and RHEL nowadays, wouldn't it make sense to
do this in the distributed version? It seems all display managers (and other
login methods) ought to be SELinux-enabled. At least as long as it is as easy
as this fix was.
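
The check below is an added example, not part of the bug report or of any Red Hat package: it audits a PAM service file for the pam_selinux session rules the thread says xdm was missing. The function name, return codes and sample file contents are assumptions made for illustration, as is the two-rule layout (a `close` rule followed later by an `open` rule).

```shell
#!/bin/sh
# Added example: audit the session stack of a PAM service file for pam_selinux.
# Return codes (chosen for this example):
#   0  close and open rules both present, close listed before open
#   1  no pam_selinux.so session rule at all (the unmodified xdm case)
#   2  pam_selinux.so present, but not as a close rule followed later by an open rule
check_pam_selinux() {
    awk '
        /^[[:space:]]*#/ { next }    # ignore comment lines
        ($1 == "session" || $1 == "-session") && /pam_selinux\.so/ {
            seen = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "close" && !close_at) close_at = NR
                if ($i == "open" && !open_at) open_at = NR
            }
        }
        END {
            if (!seen) exit 1
            if (close_at && open_at && close_at < open_at) exit 0
            exit 2
        }
    ' "$1"
}

# Constructed sample files (not copied from any shipped package).
tmp=$(mktemp -d)
cat > "$tmp/xdm.before" <<'EOF'
auth       required  pam_stack.so service=system-auth
session    required  pam_stack.so service=system-auth
EOF
cat > "$tmp/xdm.after" <<'EOF'
auth       required  pam_stack.so service=system-auth
session    required  pam_selinux.so close
session    required  pam_stack.so service=system-auth
session    required  pam_selinux.so nottys open
EOF
for f in "$tmp/xdm.before" "$tmp/xdm.after"; do
    check_pam_selinux "$f"
    echo "${f##*/}: rc=$?"
done
```

On a live system, point the function at each file under /etc/pam.d that fronts an interactive login, then confirm the result by checking the session's process contexts with `ps -eZ`.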