* KDM login trouble
@ 2003-01-17 12:51 Tom
  0 siblings, 0 replies; 3+ messages in thread
From: Tom @ 2003-01-17 12:51 UTC (permalink / raw)
  To: selinux

For the first time since I started working with SELinux I've done it to
a desktop machine today.

Works fine, except for kdm. For one thing, run_init /etc/init.d/kdm
exits immediately. doh.
On boot, however, kdm fires up just right.

But, it doesn't let anyone log in. The logfile says
UNABLE TO GET VALID SID for ...

Even though all users, including root, can log on just fine on the
console, so they _do_ have valid SIDs. And I'm still running in
permissive mode. No denied log entries, either.

What am I missing?

This is a Debian woody system with kdm 2.2.2-14.se2.bam


-- 
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: KDM login trouble
@ 2003-01-17 14:18 Stephen D. Smalley
  2003-01-19 17:10 ` Russell Coker
  0 siblings, 1 reply; 3+ messages in thread
From: Stephen D. Smalley @ 2003-01-17 14:18 UTC (permalink / raw)
  To: selinux, tom


> For the first time since I started working with SELinux I've done it to
> a desktop machine today.
> 
> Works fine, except for kdm. For one thing, run_init /etc/init.d/kdm
> exits immediately. doh.
> On boot, however, kdm fires up just right.
> 
> But, it doesn't let anyone log in. The logfile says
> UNABLE TO GET VALID SID for ...
> 
> Even though all users, including root, can log on just fine on the
> console, so they _do_ have valid SIDs. And I'm still running in
> permissive mode. No denied log entries, either.
> 
> What am I missing?

Offhand, I would guess that the SELinux patch for kdm was never updated
for the newer libsecure functions and default_contexts configuration,
so it is still looking for the old (and no longer existing)
default_context configuration.  See
http://marc.theaimsgroup.com/?l=selinux&m=103772416731711&w=2 for a
discussion of this change, which was introduced in the October 2002
release.  We updated the components in our tree (login, sshd, crond),
but not external components like the patched kdm.

Alternatively, if the kdm patch was updated, then I would guess that
kdm is not running in the right domain.  Check the ps -e --context output
to see the domain on the kdm process.  If it isn't correct, check the
type on the executable.


--
Stephen Smalley, NSA
sds@epoch.ncsc.mil

