Bug 160881 - Xdm does not set correct SELinux context
Product: Fedora
Classification: Fedora
Component: xorg-x11
All Linux
medium Severity medium
Assigned To: X/OpenGL Maintenance List
David Lawrence
Reported: 2005-06-17 19:00 EDT by Göran Uddeborg
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-06-23 07:26:01 EDT
Description Göran Uddeborg 2005-06-17 19:00:53 EDT
Description of problem:
When using a strict policy, I can't seem to log in at all using xdm.  Changing
to permissive mode reveals that the context isn't changed from system and xdm.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set XDM as display manager (DISPLAYMANAGER="XDM" in /etc/sysconfig/desktop)
2. Select strict policy
3. Try to log in.
Actual results:
The login screen returns.  In permissive mode I'm logged in, but the process
tree looks like this:


Note that gnome-session still has context system_u:system_r:xdm_t

Expected results:
Something similar to this, which is what you get with the default GDM:


Additional info:
Presumably, xdm should do a set(exec)con somewhere before starting the session.
Comment 2 Daniel Walsh 2005-06-23 07:26:01 EDT
The problem here is that xdm has not been ported to use SELinux, and it is not
using the pam_selinux.so.  Try setting up its pam file like login.

I think the only thing we support is gdm for SELinux anyways.

Comment 3 Mike A. Harris 2005-06-23 13:35:54 EDT
That's what I suspected.  Thanks for the info Dan.
Comment 4 Göran Uddeborg 2005-06-27 17:02:59 EDT
Including pam_selinux in /etc/pam.d/xdm in a similar way as in /etc/pam.d/login
does indeed seem to help.  (nottys rather than multiple, but otherwise the same.)

Given the emphasis on SELinux in FC and RHEL nowadays, wouldn't it make sense to
do this in the distributed version?  It seems all display managers (and other
login methods) ought to be SELinux-enabled.  At least as long as it is as easy
as this fix was.
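
Added example, not part of the bug thread or of any Fedora package: a small audit that checks whether a PAM service file such as /etc/pam.d/xdm carries the pam_selinux session rules discussed in Comments 2 and 4. Both PAM stacks are constructed samples, `session_rules` and `audit` are hypothetical helper names, and the check assumes the login-style layout (a `close` rule ahead of the `open` rule) without following included stacks.

```python
# Added example: audit a PAM service file for pam_selinux session rules.
# Both stacks below are constructed samples, not copied from a real system.
XDM_BEFORE = """\
#%PAM-1.0
auth     required  pam_stack.so service=system-auth
account  required  pam_stack.so service=system-auth
session  required  pam_stack.so service=system-auth
session  optional  pam_console.so
"""
XDM_AFTER = """\
#%PAM-1.0
auth     required  pam_stack.so service=system-auth
account  required  pam_stack.so service=system-auth
session  required  pam_selinux.so close
session  required  pam_stack.so service=system-auth
session  optional  pam_console.so
session  required  pam_selinux.so nottys open
"""

def session_rules(text):
    """Yield (module, args) for each session rule; comments and blanks are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        i = 1
        if fields[1].startswith("["):  # bracketed control, e.g. [success=ok default=bad]
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            yield fields[i + 1].rsplit("/", 1)[-1], fields[i + 2:]

def audit(text):
    """Return a list of findings; an empty list means the login-style layout is present."""
    rules = list(session_rules(text))
    selinux = [(n, args) for n, (mod, args) in enumerate(rules) if mod == "pam_selinux.so"]
    if not selinux:
        return ["no pam_selinux session rule: session keeps the display manager's context"]
    # A rule without "open"/"close" runs both halves of the module.
    closes = [n for n, args in selinux if "open" not in args]
    opens = [n for n, args in selinux if "close" not in args]
    findings = []
    if not closes:
        findings.append("no 'pam_selinux.so close' rule")
    if not opens:
        findings.append("no 'pam_selinux.so open' rule")
    if closes and opens and min(closes) > max(opens):
        findings.append("'close' rule appears after 'open' rule")
    return findings
```

To use it on a live system, pass the file's contents, for example `audit(open("/etc/pam.d/xdm").read())`.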
