[refpolicy] pam_selinux(gdm-password:session): Security Context justin:staff_r:insmod_t:s0 Assigned

Guido Trentalancia guido at trentalancia.com
Fri Sep 16 11:30:14 CDT 2011


On Fri, 2011-09-16 at 09:24 -0700, Justin P. Mattock wrote:
> On 09/16/2011 09:02 AM, Guido Trentalancia wrote: 
> > On Fri, 2011-09-16 at 08:22 -0700, Justin P. Mattock wrote:
> > > On 09/16/2011 07:59 AM, Daniel J Walsh wrote:
> > > > ps -eZ |grep sshd
> > > I don't have sshd running, but here is ps auxZ to give you an idea of 
> > > what I am seeing:
> > > http://fpaste.org/u6IB/
> > Graphical environment is not running in the proper context.
> > 
> > Not even init has transitioned properly to its own context.
> > 
> > > if I adjust /etc/pam.d/login and add select_context to pam_selinux.so 
> > > then do init 3 in lilo I am able to have the context
> > > justin:staff_r:staff_t:s0  the way it should. but as soon as I init 5 
> > > gdm starts up, and everything goes back to name:staff_r:insmod_t:s0
> > > 
> > > I think I am either missing a boolean to have the transition running 
> > Why don't you post the booleans that you're using then:
> > 
> > getsebool -a
> > 
> > For example, what are you using for init ? If you're using upstart, have
> > you set init_upstart=on ?
> > 
> > > properly, and/or pam.d or some config file somewhere needs to be adjusted.
> > > keep in mind refpolicy has no patches added to it (not sure if I need any 
> > > for systemd), just plain git pull etc...
> > So are you using systemd for init ? There is a boolean called
> > init_systemd which possibly is similar to the above mentioned one for
> > upstart.
> > 
> > Start from tackling init running in the kernel context and not
> > transitioning to init_t. The rest might be mostly due to that: personal
> > experience.
> > 
> > > Justin P. Mattock
> > Guido
> > 
> 
> Looking more into Fedora's structure of what they have:
> /sbin/init -> ../bin/systemd
> 
>  ls -lZ /sbin/init
> lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/init -> ../bin/systemd
> [justin at Linux-2 ~]$ ls -lZ /bin/systemd
> -rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd

Excellent.

> using chcon on:
> chcon system_u:object_r:init_exec_t:s0 /sbin/init
> seems to not change this for whatever the reason.

That's just the link, don't worry about that. The important thing is the
label on the target.

>  keep in mind I am not sure how systemd runs or is setup.

Now move onto the next enabler:

setsebool -P init_systemd=on

In my previous message I did forget the "-P" option, that's vital.

> Justin P. Mattock

Guido
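An added example, not part of the thread: the three checks discussed above (label on the resolved init binary, the init_systemd boolean, and whether PID 1 actually runs as init_t) as shell functions that parse captured `ls -lZ`, `getsebool -a` and `ps -eZ` output, so the checks can be rerun against saved text. The sample outputs and the process name "gdm-session-wor" are constructed.

```shell
#!/bin/sh
# Parse SELinux contexts (user:role:type:level) from command output and
# report which of the thread's prerequisites for init transition is missing.

# The type is the third colon-separated field of a context string.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Context type of the first process in "ps -eZ" output $1 whose CMD is $2.
proc_type() {
    printf '%s\n' "$1" | awk -v cmd="$2" '$NF == cmd { print $1; exit }' | cut -d: -f3
}

# Value of boolean $2 in "getsebool -a" output $1: "on", "off" or "missing".
bool_value() {
    printf '%s\n' "$1" |
        awk -v b="$2" '$1 == b { print $3; found = 1; exit }
                       END { if (!found) print "missing" }'
}

# Type from one "ls -lZ" line. For a symlink ls shows the link's own label
# (bin_t on /sbin/init), which is irrelevant; pass the line for the target.
file_type() { printf '%s\n' "$1" | awk '{ print $4 }' | cut -d: -f3; }

# Verdict in the order the thread suggests fixing things:
# binary label first, then the boolean, then the running process.
diagnose() {
    ps_out=$1; ls_target=$2; bools=$3
    [ "$(file_type "$ls_target")" = init_exec_t ] || { echo init-binary-mislabelled; return 0; }
    [ "$(bool_value "$bools" init_systemd)" = on ] || { echo init_systemd-off; return 0; }
    [ "$(proc_type "$ps_out" systemd)" = init_t ] || { echo init-not-transitioned; return 0; }
    echo ok
}

# Constructed samples: init still in kernel_t, the session in insmod_t,
# the boolean not yet set (the state described in the thread).
PS_SAMPLE='LABEL                             PID TTY          TIME CMD
system_u:system_r:kernel_t:s0       1 ?        00:00:01 systemd
system_u:system_r:kernel_t:s0       2 ?        00:00:00 kthreadd
justin:staff_r:insmod_t:s0       1234 ?        00:00:00 gdm-session-wor'
LS_TARGET='-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /bin/systemd'
BOOLS='init_systemd --> off
init_upstart --> off'

diagnose "$PS_SAMPLE" "$LS_TARGET" "$BOOLS"   # prints: init_systemd-off
```

On a live system the same functions take `"$(ps -eZ)"`, `"$(ls -lZ "$(readlink -f /sbin/init)")"` and `"$(getsebool -a)"` as arguments.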
