When logging in via kdm or gdm (using either strict or targeted policies), the new session and all processes that are spawned by it are inheriting the security context of the display manager, instead of being in the appropriate user domain (e.g. staff_r or unconfined_r). This does not occur when logging in via a getty or ssh. There are no AVC denials relating to gdm/kdm or xdm_t until I start trying to run things like newrole or chromium, nor are there any errors from gdm/kdm in the system logs.

Reproducible: Always

Steps to Reproduce:
1. Switch to the amd64 hardened+selinux profile
2. Rebuild all packages, incl. gdm & kdm
3. Log in via display manager
4. Launch a console window

Actual Results:
kutulu@platypus ~ # id -Z
system_u:system_r:xdm_t

Expected Results:
kutulu@platypus ~ $ id -Z
unconfined_u:unconfined_r:unconfined_t

Portage 2.2.0_alpha47 (hardened/linux/amd64/selinux, gcc-4.5.2, glibc-2.13-r4, 2.6.39-hardened-r7-platypus-2 x86_64)
=================================================================
System uname: Linux-2.6.39-hardened-r7-platypus-2-x86_64-Intel-R-_Core-TM-2_Duo_CPU_T6400_@_2.00GHz-with-gentoo-2.0.3
Timestamp of tree: Mon, 25 Jul 2011 01:00:01 +0000
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r2, 3.2-r2
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1
sys-devel/gcc:            4.5.2
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.38 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo java-overlay gnome kde lisp hardened-dev
Installed sets:
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.mirrors.easynews.com/linux/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/java-overlay /var/lib/layman/gnome /var/lib/layman/kde /var/lib/layman/lisp /var/lib/layman/hardened-development"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa amd64 bash-completion berkdb bluetooth bzip2 cdr cli consolekit cracklib crypt cups cxx dbus dri dvd gdbm gif gnome gnome-keyring gpm gtk gtk2 gtk3 hardened iconv icu introspection jpeg justify kde kerberos ldap lzma mmx modules mp3 mpeg mudflap multilib ncurses nls nptl nptlonly ogg open_perms opengl openmp pam pcre pdf peer_perms perl png policykit pppd python qt qt3support qt4 readline samba selinux semantic-desktop session sse sse2 ssl sysfs tcpd theora threads tiff truetype ubac udev unicode urandom vim-syntax vorbis xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" CALLIGRA_FEATURES="braindump flow karbon kexi kpresenter krita tables words" CAMERAS="ptp2" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LINGUAS="en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" SANE_BACKENDS="net" USERLAND="GNU" VIDEO_CARDS="fbdev intel vesa"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

kutulu@platypus ~ $ ps axZ | grep gdm
system_u:system_r:xdm_t         2907 ?        Ssl    0:00 /usr/bin/gdm
system_u:system_r:xdm_t         2911 ?        Sl     0:00 /usr/libexec/gdm-simple-slave --display-id /org/gnome/DisplayManager/Display1
system_u:system_r:xserver_t     2945 tty7     Ss+    0:17 /usr/bin/Xorg :0 -br -verbose -auth /var/run/gdm/auth-for-gdm-f8Sxbp/database -nolisten tcp vt7
system_u:system_r:xdm_t         3283 ?        Sl     0:00 /usr/libexec/gdm-session-worker
system_u:system_r:xdm_t         5284 pts/1    S+     0:00 grep --colour=auto gdm

kutulu@platypus ~ $ ps Z
LABEL                            PID TTY      STAT   TIME COMMAND
system_u:system_r:xdm_t         3725 pts/1    Ss     0:00 /bin/bash
system_u:system_r:xdm_t         5313 pts/1    R+     0:00 ps Z

kutulu@platypus ~ $ ps xZ
LABEL                            PID TTY      STAT   TIME COMMAND
system_u:system_r:xdm_t         3500 ?        Ss     0:00 /bin/sh /usr/bin/startkde
system_u:system_r:xdm_t         3518 ?        S      0:00 /usr/bin/dbus-launch --exit-with-session /usr/bin/ssh-agent -- /usr/bin/startkde
system_u:system_r:xdm_t         3519 ?        Ssl    0:02 /usr/bin/dbus-daemon --fork --print-pid 5 --print-address 7 --session
system_u:system_r:xdm_t         3576 ?        Ss     0:00 kdeinit4: kdeinit4 Running...
system_u:system_r:xdm_t         3577 ?        S      0:00 kdeinit4: klauncher [kdeinit] --fd=8
system_u:system_r:xdm_t         3579 ?        Sl     0:00 kdeinit4: kded4 [kdeinit]
system_u:system_r:xdm_t         3587 ?        S      0:00 kdeinit4: kglobalaccel [kdeinit]
system_u:system_r:xdm_t         3592 ?        S      0:00 kwrapper4 ksmserver
system_u:system_r:xdm_t         3595 ?        Sl     0:00 kdeinit4: ksmserver [kdeinit]
(...)

platypus kutulu # ls -Z `which kdm`
system_u:object_r:xdm_exec_t /usr/bin/kdm
platypus kutulu # ls -Z `which gdm-binary`
system_u:object_r:xdm_exec_t /usr/sbin/gdm-binary
Forgot to mention: I'm running ~arch with the gnome overlay, so my gdm is gdm-3.0.4. It has a selinux USE flag, and configure goes through the normal gyrations of validating that the selinux libraries are present and accounted for, so I don't think that should matter.
Confirmed. Not using xdm as the display manager, removing it from the default runlevel, and instead changing /etc/inittab to 'c2:2345:respawn:/sbin/mingetty --autologin user tty2' and having a .xinitrc in the home directory with 'exec startkde'. Then KDE starts with 'startx' and the security contexts are as expected.
Can you check if the following FAQ helps? http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#xdm
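The thread above reports a session that never leaves system_r:xdm_t, and points at the hardened FAQ for the xdm case. The script below is an added diagnostic, not part of the bug report, the FAQ or Gentoo's packages. It checks the two places where a PAM-aware login service such as xdm/gdm/kdm is normally given the means to move a session into a user domain: an active pam_selinux.so line in the session stack of the display manager's PAM service file, and a default_contexts entry keyed on system_r:xdm_t that lists the user contexts a login from that domain may receive. It also recognises an "id -Z" value that is still in xdm_t. The file paths in the usage comment are conventional locations and are an assumption; pass the ones for your policy store and display manager. The script does not claim to identify the cause of the bug above, only to verify the usual prerequisites.

```shell
#!/bin/sh
# Added diagnostic for the xdm_t-session problem discussed above; not part
# of the bug report or of the Gentoo FAQ. Checks the two prerequisites a
# PAM-aware display manager needs before a login can leave xdm_t:
#   1. an uncommented "session ... pam_selinux.so" line in its PAM file
#   2. a default_contexts entry keyed on system_r:xdm_t
# The paths in the usage example are an assumption; pass your own.

# Return 0 if FILE has an active (uncommented) pam_selinux.so session line.
pam_has_selinux_session() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_selinux\.so' "$1"
}

# Return 0 if FILE (a default_contexts file) maps system_r:xdm_t, with or
# without an MLS range on the key, to at least one candidate user context.
default_contexts_has_xdm() {
    grep -Eq '^system_r:xdm_t(:[^[:space:]]+)?[[:space:]]+[^[:space:]]+' "$1"
}

# Return 0 if CONTEXT (as printed by "id -Z") still has type xdm_t,
# whether or not an MLS range follows the type.
context_is_xdm() {
    case "$1" in
        *:xdm_t|*:xdm_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both file checks, print one line per check, return 1 if any fails.
check_display_manager() {
    pam_file=$1
    ctx_file=$2
    rc=0
    if pam_has_selinux_session "$pam_file"; then
        echo "ok:      $pam_file has a pam_selinux.so session line"
    else
        echo "MISSING: $pam_file has no active pam_selinux.so session line"
        rc=1
    fi
    if default_contexts_has_xdm "$ctx_file"; then
        echo "ok:      $ctx_file has a system_r:xdm_t entry"
    else
        echo "MISSING: $ctx_file has no system_r:xdm_t entry"
        rc=1
    fi
    return $rc
}

# Live run from a terminal opened inside the graphical session, e.g.:
#   sh xdm_check.sh /etc/pam.d/gdm /etc/selinux/strict/contexts/default_contexts
# (both paths are assumed conventional locations; adjust for your setup).
if [ "$#" -eq 2 ]; then
    if ctx=$(id -Z 2>/dev/null) && context_is_xdm "$ctx"; then
        echo "WARNING: this shell is still in the display manager's domain: $ctx"
    fi
    check_display_manager "$1" "$2"
fi
```

A clean result from this script only means the prerequisites are in place; if the session still lands in xdm_t, the next things to compare are the running policy's transition rules for xdm_t and whether the display manager actually opens a PAM session for the user (the bug report notes there are no AVC denials to go on, so the policy has no record of a refused transition).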