[ubuntu-hardened] SELinux on Karmic?
Caleb Case
calebcase at gmail.com
Tue Sep 15 19:32:14 BST 2009
On Mon, Sep 14, 2009 at 2:56 PM, John Dong <jdong at ubuntu.com> wrote:
> Thanks for your insight, Caleb!
>
> I've gotten to the point where I can reproduce ending up as xdm_t; I'm
> glad to know that it's not just me going crazy :)
Heh :o)
Alright, it appears that others have run into this before:
http://marc.info/?l=selinux&m=125250111327104&w=2
If I change the /etc/pam.d/gdm to:
#%PAM-1.0
auth [success=ok ignore=ignore module_unknown=ignore default=bad] pam_sepermit.so close
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
@include common-password
My login is unconfined_t (as it should be). The same kinds of changes
would need to also happen to /etc/pam.d/gdm-autologin.
I've opened this bug for it: https://bugs.launchpad.net/bugs/430205
>
>
>
> On Sep 14, 2009, at 2:53 PM, Caleb Case wrote:
>
>> On Fri, Sep 4, 2009 at 12:52 PM, John Dong <jdong at ubuntu.com> wrote:
>>> Indeed security=selinux worked as expected!
>>>
>>> Our selinux-policy-ubuntu still doesn't properly support X/GDM
>>> sessions right? After enabling selinux I noticed post-login I was in
>>> some weird system_u context.
>>
>> The selinux-policy-ubuntu should support X/GDM (at least it did on
>> Hardy). There appear to be two things conspiring to make your login
>> incorrect (both stemming from your system not getting relabeled
>> correctly). The /etc/init.d/selinux script does not recognize ext4 as
>> a good fs for relabeling (which is the default for karmic). Someone
>> already posted a fix for this in:
>> https://bugs.launchpad.net/bugs/371075. The other is that setfiles now
>> does some additional checking itself to see if the filesystem supports
>> relabeling. Unfortunately this checking does not work if selinux is
>> disabled. In fact, in this case it silently will fail to relabel. You
>> can remedy the situation by scheduling a relabel and rebooting:
>>
>> /etc/init.d/selinux relabel
>> reboot
>>
>> This is of course non-ideal.
>>
>> I have opened 2 bugs related to your report:
>>
>> https://bugs.launchpad.net/ubuntu/+source/selinux/+bug/428007
>> https://bugs.launchpad.net/ubuntu/+source/policycoreutils/+bug/428043
>>
>> Unfortunately even after fixing these something else is wrong >.< as I
>> end up in xdm_t on a graphical login. I'll have to take a closer look
>> at the policy to find out why the proper transitions are not
>> happening.
>>
>> Thanks!
>>
>> Caleb
>>
>> --
>> ubuntu-hardened mailing list
>> ubuntu-hardened at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
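An added example, not part of the original message: a small audit of a PAM service file (such as /etc/pam.d/gdm or /etc/pam.d/gdm-autologin) for the pam_selinux.so session entries discussed above. It assumes the usual convention that `pam_selinux.so close` is the first session rule and `pam_selinux.so open` follows it; the function names and both sample files are constructed for illustration, and `@include`d files are not followed.

```python
import re, sys

# Constructed samples: FIXED mirrors the session lines quoted in the message,
# STOCK is a hypothetical service file with no pam_selinux session entries.
FIXED = """\
#%PAM-1.0
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] \\
        pam_selinux.so close
session required pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional pam_gnome_keyring.so auto_start
"""
STOCK = "#%PAM-1.0\nsession required pam_limits.so\n@include common-session\n"

# type, control (simple word or [bracketed] form), module, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def session_modules(text):
    """Return [(module, args)] for 'session' rules in file order."""
    text = text.replace("\\\n", " ")          # join continuation lines
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())   # drop comments
        if m and m.group(1) == "session":
            rules.append((m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return rules

def audit(text):
    """List problems with pam_selinux placement in the session stack."""
    stack = session_modules(text)
    sel = [(i, a) for i, (mod, a) in enumerate(stack) if mod == "pam_selinux.so"]
    # A bare pam_selinux.so entry runs both the open and the close half.
    closes = [i for i, a in sel if "open" not in a]
    opens = [i for i, a in sel if "close" not in a]
    findings = []
    if not closes:
        findings.append("no pam_selinux.so close entry")
    elif closes[0] != 0:
        findings.append("pam_selinux.so close is not the first session rule")
    if not opens:
        findings.append("no pam_selinux.so open entry")
    elif closes and opens[0] < closes[0]:
        findings.append("pam_selinux.so open comes before close")
    return findings

if __name__ == "__main__":
    paths = sys.argv[1:]
    texts = {p: open(p).read() for p in paths} or {"FIXED": FIXED, "STOCK": STOCK}
    for name, text in texts.items():
        print(name, audit(text) or "ok")
```

Run it with the service file paths as arguments; with no arguments it checks the two embedded samples.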