Description of problem:
When using a strict policy, I can't seem to log in at all using xdm. Changing to permissive mode reveals that the context isn't changed from system and xdm.

Version-Release number of selected component (if applicable):
xorg-x11-6.8.2-31
selinux-policy-strict-1.23.16-6

How reproducible:
Always

Steps to Reproduce:
1. Set XDM as display manager (DISPLAYMANAGER="XDM" in /etc/sysconfig/desktop)
2. Select strict policy
3. Try to log in.

Actual results:
The login screen returns. In permissive mode I'm logged in, but the process tree looks like this:

    prefdm(3593,`system_u:system_r:initrc_t')
    xdm(3599,`system_u:system_r:xdm_t')
    X(3601,`system_u:system_r:xdm_xserver_t')
    xdm(3822,`system_u:system_r:xdm_t')
    gnome-session(3841,`system_u:system_r:xdm_t')
    ssh-agent(3884,`system_u:system_r:xdm_t')

Note that gnome-session still has context system_u:system_r:xdm_t

Expected results:
Something similar to this, which is what you get with the default GDM:

    prefdm(2185,`system_u:system_r:initrc_t')
    gdm-binary(2333,`system_u:system_r:xdm_t')
    gdm-binary(2383,`system_u:system_r:xdm_t')
    X(2388,`system_u:system_r:xdm_xserver_t')
    gnome-session(2500,`user_u:user_r:user_t')
    ssh-agent(2548,`user_u:user_r:user_ssh_agent_t')

Additional info:
Presumably, xdm should do a set(exec)con somewhere before starting the session.
The problem here is that xdm has not been ported to use SELinux, and it is not using the pam_selinux.so. Try setting up its pam file like login. I think the only thing we support is gdm for SELinux anyways. Dan
That's what I suspected. Thanks for the info Dan.
Including pam_selinux in /etc/pam.d/xdm in a similar way as in /etc/pam.d/login does indeed seem to help. (nottys rather than multiple, but otherwise the same.) Given the emphasis on SELinux in FC and RHEL nowadays, wouldn't it make sense to do this in the distributed version? It seems all display managers (and other login methods) ought to be SELinux-enabled. At least as long as it is as easy as this fix was.
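
A check for the gap this report describes, added here as an example and not part of the original thread: it parses a PAM service file and reports whether any session line loads pam_selinux.so at session open. The three sample files are constructed for illustration, and the parser does not follow pam_stack.so or include lines into other files.

```python
import os
import re

# PAM rule: type, control (plain word or [bracketed list]), module path, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def selinux_session_lines(pam_text):
    """Return the argument list of each 'session' rule that loads pam_selinux.so."""
    found = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines fail the match
        m = PAM_LINE.match(line)
        if not m:
            continue
        kind, _control, module, args = m.groups()
        if kind == "session" and os.path.basename(module) == "pam_selinux.so":
            found.append(args.split())
    return found

def opens_user_context(pam_text):
    """True if some pam_selinux.so session rule acts when the session is opened.

    A rule with only 'close' acts at session close; a rule with 'open', or with
    neither keyword, runs the open_session part that sets the user's context.
    """
    return any("open" in a or "close" not in a
               for a in selinux_session_lines(pam_text))

# Constructed samples (not copied from any distribution's shipped files).
SAMPLE_LOGIN = """#%PAM-1.0
auth       required  pam_stack.so service=system-auth
session    required  pam_selinux.so close
session    required  pam_stack.so service=system-auth
session    required  pam_selinux.so multiple open
"""
SAMPLE_XDM_UNPORTED = """#%PAM-1.0
auth       required  pam_stack.so service=system-auth
session    required  pam_stack.so service=system-auth
"""
SAMPLE_XDM_FIXED = SAMPLE_LOGIN.replace("multiple open", "nottys open")

if __name__ == "__main__":
    for name, text in [("login", SAMPLE_LOGIN), ("xdm (unported)", SAMPLE_XDM_UNPORTED),
                       ("xdm (fixed)", SAMPLE_XDM_FIXED)]:
        print(f"{name}: opens user context = {opens_user_context(text)}")
```

Pointing the same functions at the contents of each file under /etc/pam.d shows which login services would leave a session in the display manager's own domain.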