Re: is this pretty much it (to patch kdm 3.2.2)?

[Luke Kenneth Casson Leighton <lkcl@lkcl.net>]

On Thu, May 20, 2004 at 08:49:40AM -0400, Stephen Smalley wrote:
> On Thu, 2004-05-20 at 08:11, Thomas Bleher wrote:
> > I just rechecked, and it is indeed working fine on a SuSE box
> > (kdebase3-kdm-3.2.2-8) without any patches, just using the selinux pam
> > module.
> 
> Interesting.  We weren't able to use pam_selinux with gdm, as
> pam_open_session was called from a different process.
 
 i _do_ notice in permissive / audit mode that kdeinit attempts to
 do an su:

 May 20 14:53:58 tv kernel: audit(1085064838.508:0): avc:  denied  {
 execute } for  pid=2616 exe=/usr/bin/kdeinit name=su dev=hda5 ino=93620
 scontext=lkcl:user_r:user_t tcontext=system_u:object_r:su_exec_t
 tclass=file

 May 20 14:53:58 tv kernel: audit(1085064838.509:0): avc:  denied  {
 getattr } for  pid=2616 exe=/usr/bin/kdeinit path=/bin/su dev=hda5
 ino=93620 scontext=lkcl:user_r:user_t
 tcontext=system_u:object_r:su_exec_t tclass=file

 this is _without_ doing a pam session, but with a patched
 kdm.

 checking the source code... kdm/process/client.c:StartClient()
 the get_default_context is at line 1102.

 pam_open_session() is at line 1172.

 track track track... oo, wossat?  a fork()???  ah, that's at line 1184.
 
 okay, so i prepare a context, then open the pam session, and _then_
 there's a fork (this is horrible code, btw - really large switch
 statements and yuk indentation: i'm actually giving up looking for
 the end of the switch statement or another case or the default :)

 so, if pam_open_session() does all the work, then i don't need to
 have patched kdm, and a line in /etc/pam.d/kdm to include module
 pam_selinux would do the job just as well.

 oh well :)

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.