From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Wed, 09 Sep 2009 11:03:12 -0400
Subject: [refpolicy] opensuse and SELinux = some dbus problem with xdm/gdm
In-Reply-To: <4AA7C0D5.3090706@gmail.com>
References: <4AA73E25.7080609@gmail.com> <1252500902.13634.647.camel@moss-pluto.epoch.ncsc.mil> <4AA7C0D5.3090706@gmail.com>
Message-ID: <1252508592.13634.708.camel@moss-pluto.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2009-09-09 at 07:51 -0700, Justin P. Mattock wrote:
> Stephen Smalley wrote:
> > On Tue, 2009-09-08 at 22:33 -0700, Justin P. Mattock wrote:
> >
> >> Justin Mattock wrote:
> >>
> >>> Not sure if this is SELinux/refpolicy
> >>>
> >>> Out of curiosity I wanted to set up the latest
> >>> policy with the latest opensuse.
> >>> Seems everything has gone o.k. for the moment.
> >>>
> >>> The problem I'm running into is xdm/gdm seems to crap out
> >>> with some dbus error message:
> >>>
> >>> ** (gdm:1566): WARNING **: Couldn't connect to system bus: An SELinux
> >>> policy prevents this sender from sending this message to this recipient
> >>> (rejected message had sender "(unset)" interface "freedesktop.DBus"
> >>> member "Hello"
> >>> error name "(unset)" destination "org.freedesktop.DBus")
> >>>
> >>> The funny thing with this is with the initial policy load
> >>> I hadn't relabeled yet, and the system had loaded the policy
> >>> just fine and xdm worked; then once I relabeled this appeared and xdm/gdm
> >>> just craps out. (The policy is all in permissive mode; giving selinux=0
> >>> makes the system operate as it should.)
> >>>
> >>> Also not sure if this matters but in
> >>> /etc/pam.d/{gdm,login,xdm} I added
> >>> pam_selinux.so open/close but had no idea
> >>> where they should be placed.
> >>>
> >>> Any ideas?
> >>>
> >>>
> >>>
> >> Shoot, I didn't look, but when I do a
> >> ldd /usr/sbin/gdm I see nothing with libselinux nor
> >> libaudit.
> >>
> >> Loading an ubuntu livecd results in showing
> >> libselinux.
> >>
> >> My guess, since this is a development version, is they haven't
> >> enabled SELinux support yet with gdm.
> >>
> >> Ohh well, I guess I'll leave it at that.
> >>
> >
> > The gdm selinux support was obsoleted by the gdm rewrite, so it isn't
> > necessary to link it with libselinux anymore. It all gets handled by
> > pam_selinux in /etc/pam.d/gdm. In Fedora, /etc/pam.d/gdm looks like
> > this:
> > #%PAM-1.0
> > auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> > auth required pam_succeed_if.so user != root quiet
> > auth required pam_env.so
> > auth substack system-auth
> > auth optional pam_gnome_keyring.so
> > account required pam_nologin.so
> > account include system-auth
> > password include system-auth
> > session required pam_selinux.so close
> > session required pam_loginuid.so
> > session optional pam_console.so
> > session required pam_selinux.so open
> > session optional pam_keyinit.so force revoke
> > session required pam_namespace.so
> > session optional pam_gnome_keyring.so auto_start
> > session include system-auth
> >
> > BTW, I would recommend testing the policy package provided by OpenSUSE
> > to see if it works before trying upstream refpolicy.
> >
> > And report issues with their SELinux integration to their bugzilla, not
> > to us. It won't get fixed if you just post it here.
> >
> > Are you following the guidance at:
> > http://en.opensuse.org/SELinux
> >
> > You have to add an additional repository to pick up their policy and
> > associated packages.
> >
> > The SELinux integration work seems to be getting tracked on this blog:
> > http://thetoms-random-thoughts.blogspot.com/search/label/Security
> >
> >
> So you're telling me you can compile this
> package without the audit/selinux switches,
> and still run a policy?

Yes, assuming that they are using the newer gdm.

I looked into this earlier this year when investigating a gdm-selinux
interaction and found that although gdm is still being linked against
libselinux in Fedora, it doesn't actually make any direct calls to it
anymore. The linking with libselinux is just a leftover from the prior
SELinux support but is no longer required, as all the actual processing
has migrated to pam_selinux. That wasn't possible with the original gdm
since it did the pam_open_session() from a different process, but works
with the new gdm's architecture. You could tell for certain by grabbing
their gdm .src.rpm and checking whether it in fact contains any calls to
setexeccon(). The old gdm did; the new one does not.

> Doing a ldd /usr/sbin/gdm
> shows nothing with libpam (ubuntu does).
>
> As of now everything is opensused out;
> did have userspace put in, but was easily
> written over by suse. I'll try
> your gdm config for pam.d but I'm just not
> connecting the dots on this. FWIW here's what
> ldd /usr/sbin/gdm has for the libs.
>
> linux-vdso.so.1
> libXau.so.6
> libdbus-glib-1.so.2
> libgobject-2.0.so.0
> libglib-2.0.so.0
> libdbus-1.so.3
> libpthread.so.0
> libXdmcp.so.6
> libwrap.so.0
> libc.so.6
> libpcre.so.0
> librt.so.1
> ld-linux-x86-64.so.2
>
> I suppose I have to reinstall to get things in order.
>
> Justin P. Mattock

-- 
Stephen Smalley
National Security Agency
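Since the thread's point is that the SELinux handling now lives entirely in the PAM stack rather than in the gdm binary, the thing worth checking on a box like Justin's is the contents of /etc/pam.d/gdm itself. The following is an added example, not code from the thread, gdm or any distribution: a small parser for PAM service files plus a check that the session stack contains the pam_selinux.so close/open pair in the order Fedora uses (close first, which restores the default context, then open, which sets the user's context) and a pam_loginuid.so line for the audit login uid. The Fedora stanza is the one quoted in Stephen's mail; the second stanza is a constructed broken variant used to show what the check reports.

```python
"""Parse a PAM service file and check its pam_selinux session ordering.

Added example (hypothetical helper, not part of gdm, Fedora or refpolicy).
"""
import re
from dataclasses import dataclass, field


@dataclass
class PamRule:
    type: str                      # auth / account / password / session
    control: str                   # required, optional, include, or a [bracketed] spec
    module: str                    # e.g. pam_selinux.so
    args: list = field(default_factory=list)


# type, then either a [bracketed ...] control or a single token, then module, then args
_RULE = re.compile(r"^(-?\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> list:
    """Parse one PAM service file; comments (including #%PAM-1.0) and blanks are dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {raw!r}")
        typ, control, module, rest = m.groups()
        # a leading '-' means "ignore if the module is missing"; not relevant to ordering
        rules.append(PamRule(typ.lstrip("-").lower(), control, module, rest.split()))
    return rules


def selinux_session_findings(rules: list) -> list:
    """Return a list of problems with the session stack.

    An empty list means the stack has pam_selinux.so close before pam_selinux.so open,
    as in the Fedora gdm file, and a pam_loginuid.so line.
    """
    session = [r for r in rules if r.type == "session"]

    def first(module, arg=None):
        for i, r in enumerate(session):
            if r.module == module and (arg is None or arg in r.args):
                return i
        return None

    close_at = first("pam_selinux.so", "close")
    open_at = first("pam_selinux.so", "open")
    findings = []
    if close_at is None:
        findings.append("missing: session ... pam_selinux.so close")
    if open_at is None:
        findings.append("missing: session ... pam_selinux.so open")
    if close_at is not None and open_at is not None and close_at > open_at:
        findings.append("pam_selinux.so close must come before pam_selinux.so open")
    if first("pam_loginuid.so") is None:
        findings.append("missing: session ... pam_loginuid.so (audit login uid not set)")
    return findings


# /etc/pam.d/gdm as quoted from Fedora in the thread
FEDORA_GDM = """\
#%PAM-1.0
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
"""

# Constructed broken variant: open before close, and no pam_loginuid.so at all
SWAPPED_GDM = """\
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session required pam_selinux.so open
session optional pam_console.so
session required pam_selinux.so close
session include system-auth
"""

if __name__ == "__main__":
    for name, text in (("fedora", FEDORA_GDM), ("swapped", SWAPPED_GDM)):
        print(name, selinux_session_findings(parse_pam(text)) or "ok")
```

Run it against a real file with parse_pam(open("/etc/pam.d/gdm").read()); the parser deliberately ignores module arguments other than the pam_selinux open/close keywords, so distribution-specific extras such as pam_namespace or pam_keyinit do not trigger findings.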