[ubuntu-hardened] SELinux on Karmic?
John Dong
jdong at ubuntu.com
Mon Sep 14 19:56:07 BST 2009
Thanks for your insight, Caleb!
I've gotten to the point where I can reproduce ending up as xdm_t; I'm
glad to know that it's not just me going crazy :)
On Sep 14, 2009, at 2:53 PM, Caleb Case wrote:
> On Fri, Sep 4, 2009 at 12:52 PM, John Dong <jdong at ubuntu.com> wrote:
>> Indeed security=selinux worked as expected!
>>
>> Our selinux-policy-ubuntu still doesn't properly support X/GDM
>> sessions right? After enabling selinux I noticed post-login I was in
>> some weird system_u context.
>
> The selinux-policy-ubuntu should support X/GDM (at least it did on
> Hardy). There appears to be two things conspiring to make your login
> incorrect (both stemming from your system not getting relabeled
> correctly). The /etc/init.d/selinux script does not recognize ext4 as
> a good fs for relabeling (which is the default for karmic). Someone
> already posted a fix for this in:
> https://bugs.launchpad.net/bugs/371075. The other is that setfiles now
> does some additional checking itself to see if the filesystem supports
> relabeling. Unfortunately this checking not work if selinux is
> disabled. In fact, in this case it silently will fail to relabel. You
> can remedy the situation by scheduling a relabel and rebooting:
>
> /etc/init.d/selinux relabel
> reboot
>
> This is of course non-ideal.
>
> I have opened 2 bugs related to your report:
>
> https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043
>
> Unfortunately even after fixing these something else is wrong >.< as I
> end up in xdm_t on a graphical login. I'll have to take a closer look
> at the policy to find out why the proper transitions are not
> happening.
>
> Thanks!
>
> Caleb
>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
More information about the ubuntu-hardened
mailing list