* is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-19 7:42 UTC (permalink / raw)
To: SE-Linux
is this pretty much all that's required??? compared to the 2.4 stuff
it's like tiny.
this is all that the patch to wdm does. i'm just a little surprised
(pleasantly so).
l.
--- client.c.old 2004-05-19 07:40:58.000000000 +0000
+++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
@@ -44,6 +44,12 @@
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
+
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
#ifdef SECURE_RPC
# include <rpc/rpc.h>
# include <rpc/key_prot.h>
@@ -1085,6 +1091,24 @@
systemEnviron);
/*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled())
+ {
+ security_context_t scontext;
+ if (get_default_context(name,NULL,&scontext))
+ LogError("Failed to get default security context for %s.", name);
+ Debug("setting security context to %s", scontext);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ LogError("Failed to set exec security context %s for %s.", scontext, name);
+ }
+ freecon(scontext);
+ }
+#endif
+ /*
* for user-based authorization schemes,
* add the user to the server's allowed "hosts" list.
*/
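Review bot: the error paths in this hunk leave scontext in a bad state. When get_default_context() fails, LogError() does not leave the function (the thread later confirms it is only a printf wrapper), so the uninitialised scontext is passed straight on to Debug(), setexeccon() and freecon(); that branch needs a return or SessionExit after the LogError. In the setexeccon() failure branch, freecon(scontext) runs before LogError(..., scontext, ...) formats the string (use after free), and the unconditional freecon(scontext) after the if block then frees it a second time; log first, free once, and leave the function. Also, is_selinux_enabled() returns -1 on error, so the guard should read `if (is_selinux_enabled() > 0)`.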
--
--
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Thomas Bleher @ 2004-05-19 10:08 UTC (permalink / raw)
To: SE-Linux
* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-05-19 11:06]:
> is this pretty much all that's required??? compared to the 2.4 stuff
> it's like tiny.
>
> this is all that the patch to wdm does. i'm just a little surprised
> (pleasantly so).
>
> --- client.c.old 2004-05-19 07:40:58.000000000 +0000
> +++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
<snip patch>
I don't think that even this is required. It should work without
patching, just using pam_selinux.so.
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-19 11:50 UTC (permalink / raw)
To: SE-Linux
On Wed, May 19, 2004 at 12:08:22PM +0200, Thomas Bleher wrote:
> * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-05-19 11:06]:
> > is this pretty much all that's required??? compared to the 2.4 stuff
> > it's like tiny.
> >
> > this is all that the patch to wdm does. i'm just a little surprised
> > (pleasantly so).
> >
> > --- client.c.old 2004-05-19 07:40:58.000000000 +0000
> > +++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
> <snip patch>
>
> I don't think that even this is required. It should work without
> patching, just using pam_selinux.so.
oh?
do you have some example usage that i can try out, and does
anyone have any advice on how to ensure that installation
of debian packages (pam and selinux and kde) would result
in pam being automatically updated?
sincerely,
l.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Stephen Smalley @ 2004-05-19 12:16 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SE-Linux
On Wed, 2004-05-19 at 06:08, Thomas Bleher wrote:
> I don't think that even this is required. It should work without
> patching, just using pam_selinux.so.
At least for gdm, we weren't able to use pam_selinux, because the
pam_open_session is called from the wrong process to set up the exec
context for the desired child.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Stephen Smalley @ 2004-05-19 12:34 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Wed, 2004-05-19 at 03:42, Luke Kenneth Casson Leighton wrote:
> +#ifdef WITH_SELINUX
> + if (is_selinux_enabled())
Should be if (is_selinux_enabled() > 0)
> + if (get_default_context(name,NULL,&scontext))
> + LogError("Failed to get default security context for %s.", name);
Does LogError exit? If not, you need to return here.
> + Debug("setting security context to %s", scontext);
> + if (setexeccon(scontext)) {
> + freecon(scontext);
> + LogError("Failed to set exec security context %s for %s.", scontext, name);
As above, does LogError exit?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-19 12:47 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE-Linux
On Wed, May 19, 2004 at 08:34:24AM -0400, Stephen Smalley wrote:
> On Wed, 2004-05-19 at 03:42, Luke Kenneth Casson Leighton wrote:
> > +#ifdef WITH_SELINUX
> > + if (is_selinux_enabled())
>
> Should be if (is_selinux_enabled() > 0)
ah, oops, then the wdm patch needs likewise mods.
> > + if (get_default_context(name,NULL,&scontext))
> > + LogError("Failed to get default security context for %s.", name);
>
> Does LogError exit? If not, you need to return here.
no, it's just a printf wrapper.
> > + Debug("setting security context to %s", scontext);
> > + if (setexeccon(scontext)) {
> > + freecon(scontext);
> > + LogError("Failed to set exec security context %s for %s.", scontext, name);
>
> As above, does LogError exit?
hm, then does the wdm patch need the same attention?
l.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Russell Coker @ 2004-05-19 14:05 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Wed, 19 May 2004 17:42, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> is this pretty much all that's required??? compared to the 2.4 stuff
> it's like tiny.
In addition to the issues Steve mentioned, there is (or was) another problem.
There were compilation problems with the SE Linux headers last time I tried
to compile kdm. As kdm is in the middle of a huge package that takes ages to
compile I hadn't got around to trying to compile it recently. In your
message you didn't mention whether you successfully compiled the code with
the patch in question. Does it compile?
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-19 14:39 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux, 249784
[-- Attachment #1: Type: text/plain, Size: 1940 bytes --]
On Thu, May 20, 2004 at 12:05:52AM +1000, Russell Coker wrote:
> On Wed, 19 May 2004 17:42, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > is this pretty much all that's required??? compared to the 2.4 stuff
> > it's like tiny.
>
> In addition to the issues Steve mentioned, there is (or was) another problem.
> There were compilation problems with the SE Linux headers last time I tried
> to compile kdm. As kdm is in the middle of a huge package that takes ages to
> compile I hadn't got around to trying to compile it recently. In your
> message you didn't mention whether you successfully compiled the code with
> the patch in question. Does it compile?
well, it does now, because i cheated.
i don't have automake-1.8.3 installed and if you install automake 1.8.5
it corrupts things (misses out a .moc file, aclocal bitches about some
incompatibilities, and it all just goes horribly pear-shaped)
if you _don't_ run automake then any modifications to Makefile.am
of course don't get propagated into Makefiles.in and of course
then configure --enable-selinux doesn't work.
... so i cheated:
after doing an apt-get source kdm and apt-get build-dep kdm:
1) i installed automake 1.8.5
2) i made the necessary patches to configure.in, configure.in.in,
kdm/backend/Makefile.am
3) i ran aclocal; autoheader; automake --add-missing; autoconf
4) i made a backup of kdm/backend/Makefile.in and .am and other
modified files
5) i DELETED the entire kdebase-3.2.2 tree
6) i REINSTALLED the kdebase-3.2.2 tree
7) i COPIED the backups BACK to their locations
8) i ran autoconf (NOT automake and NOT aclocal)
9) i did a dpkg-buildpackage
repeat 9) darn it to heck because i hadn't added SessionExit at
the appropriate points if get_default_context() failed, and
also the username is stored in a variable curuser whereas in
the wdm patch it's stored in a different local variable arg.
l.
[-- Attachment #2: g --]
[-- Type: text/plain, Size: 3866 bytes --]
--- ../orig/kdebase-3.2.2/kdm/backend/client.c 2004-02-11 13:42:31.000000000 +0000
+++ kdm/backend/client.c 2004-05-19 13:15:20.000000000 +0000
@@ -44,6 +44,12 @@
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
+
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
#ifdef SECURE_RPC
# include <rpc/rpc.h>
# include <rpc/key_prot.h>
@@ -1085,6 +1091,28 @@
systemEnviron);
/*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0)
+ {
+ security_context_t scontext;
+ if (get_default_context(curuser,NULL,&scontext))
+ {
+ LogError("Failed to get default security context for %s.", curuser);
+ SessionExit (EX_NORMAL);
+ }
+ Debug("setting security context to %s", scontext);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ LogError("Failed to set exec security context %s for %s.", scontext, curuser);
+ SessionExit (EX_NORMAL);
+ }
+ freecon(scontext);
+ }
+#endif
+ /*
* for user-based authorization schemes,
* add the user to the server's allowed "hosts" list.
*/
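Review bot: the setexeccon() failure branch still calls freecon(scontext) before LogError() formats scontext, so the string is used after it has been freed; swap the two calls (LogError first, then freecon) ahead of the SessionExit. The get_default_context() branch is fine now that SessionExit terminates the process before scontext is touched. One thing still worth checking: the exec context set by setexeccon() applies to the next exec() of this process and is inherited by children at fork(), so if this runs in the parent before the session child is forked, any other helper the parent execs afterwards would also run in the user's context; calling setexeccon(NULL) in the parent after the fork, or moving the whole block into the child, avoids that.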
--- ../orig/kdebase-3.2.2/configure.in.in 2004-01-09 15:20:36.000000000 +0000
+++ configure.in.in 2004-05-19 12:36:01.000000000 +0000
@@ -196,3 +196,24 @@
#define AVOID_XKB /* for konsole to avoid XKB and XTEST */
#endif
])
+
+AC_MSG_CHECKING(for SELinux support)
+AC_ARG_ENABLE(selinux,
+ AC_HELP_STRING([--enable-selinux], [enable SELinux support]),
+ [
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUX_LDFLAGS="-lselinux"
+ AC_DEFINE_UNQUOTED(HAVE_SELINUX_LIB, 1, [Define if libselinux is installed])
+ AC_DEFINE(WITH_SELINUX, 1, [Define if you want wdm to be compiled with SELinux support])
+ SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"
+ ],
+ [
+ AC_MSG_WARN([libselinux not found, compiling without SELinux support])
+ ])
+ ],
+ [
+ AC_MSG_RESULT(no)
+ ])
+AC_SUBST(SELINUX_LDFLAGS)
+AC_SUBST(SELINUX_CFLAGS)
+
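Review bot: the AC_DEFINE help string for WITH_SELINUX still says "wdm", a leftover from the wdm patch; it should say kdm. `SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"` is redundant: WITH_SELINUX is already set by the AC_DEFINE on the line above, and client.c includes `<selinux/...>` relative to /usr/include, so the -I path buys nothing; the variable can be dropped or left empty. Also, when --enable-selinux is requested but libselinux is not found, the check only emits AC_MSG_WARN and configure proceeds without SELinux, which hides the failure from whoever asked for the feature; AC_MSG_ERROR in that branch would make it visible.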
--- ../orig/kdebase-3.2.2/configure.in 2004-04-09 06:43:53.000000000 +0000
+++ configure.in 2004-05-19 12:36:23.000000000 +0000
@@ -261,6 +263,27 @@
#define AVOID_XKB /* for konsole to avoid XKB and XTEST */
#endif
])
+
+AC_MSG_CHECKING(for SELinux support)
+AC_ARG_ENABLE(selinux,
+ AC_HELP_STRING([--enable-selinux], [enable SELinux support]),
+ [
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUX_LDFLAGS="-lselinux"
+ AC_DEFINE_UNQUOTED(HAVE_SELINUX_LIB, 1, [Define if libselinux is installed])
+ AC_DEFINE(WITH_SELINUX, 1, [Define if you want wdm to be compiled with SELinux support])
+ SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"
+ ],
+ [
+ AC_MSG_WARN([libselinux not found, compiling without SELinux support])
+ ])
+ ],
+ [
+ AC_MSG_RESULT(no)
+ ])
+AC_SUBST(SELINUX_LDFLAGS)
+AC_SUBST(SELINUX_CFLAGS)
+
dnl =======================================================
dnl FILE: ./kappfinder/configure.in.in
dnl =======================================================
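Review bot: this hunk is a verbatim copy of the configure.in.in hunk above. In a KDE 3 tree configure.in is generated from the configure.in.in files by the admin/ scripts (make -f admin/Makefile.common), so the change belongs in configure.in.in only; carrying it in the generated file as well will conflict the next time configure.in is regenerated. The hunk header offsets (-261 vs +263) also show an earlier change that is not part of this diff, so check that the patch applies cleanly to a pristine kdebase-3.2.2.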
--- ../orig/kdebase-3.2.2/debian/rules 2004-02-27 22:11:15.000000000 +0000
+++ debian/rules 2004-05-19 12:45:04.000000000 +0000
@@ -72,7 +72,7 @@
# run configure with build tree $(objdir)
cd $(objdir) && \
- ../configure $(configkde) --enable-final \
+ ../configure $(configkde) --enable-final --enable-selinux \
--with-shadow --without-java \
--with-pam=kde --with-kcp-pam=kcheckpass \
--with-kdm-pam=kdm --with-kss-pam=kscreensaver
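Review bot: --enable-selinux is now passed unconditionally, but because the configure check above only warns when libselinux is absent, a build on a machine without the libselinux development package will silently produce a kdm without SELinux support. Add the libselinux development package to Build-Depends in debian/control (not part of this patch) so the feature is either built in or the build fails loudly.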
* kdm 3.2.2 and kernel image 2.6.6 selinux .debs available
From: Luke Kenneth Casson Leighton @ 2004-05-19 17:23 UTC (permalink / raw)
To: Russell Coker, SE-Linux, 249784
> > compile I hadn't got around to trying to compile it recently. In your
> > message you didn't mention whether you successfully compiled the code with
> > the patch in question. Does it compile?
i have uploaded the kdm 3.2.2 selinux .deb to:
http://open.hands.com/selinux
i forgot: i hadn't added -se onto the package name/description.
i _really_ can't face doing another 2 hour build.
apologies in advance.
l.
p.s. a kernel-image-2.6.6-selinux1 .deb is also on its way to the
same location.
p.p.s. anyone using these is obviously and entirely responsible for
their own actions and decisions.
* Re: kdm 3.2.2 and kernel image 2.6.6 selinux .debs available
From: Luke Kenneth Casson Leighton @ 2004-05-19 17:37 UTC (permalink / raw)
To: Russell Coker, SE-Linux, 249784
On Wed, May 19, 2004 at 05:23:36PM +0000, Luke Kenneth Casson Leighton wrote:
> > > compile I hadn't got around to trying to compile it recently. In your
> > > message you didn't mention whether you successfully compiled the code with
> > > the patch in question. Does it compile?
>
> i have uploaded the kdm 3.2.2 selinux .deb to:
>
> http://open.hands.com/selinux
that's http://hands.com/~lkcl/selinux.
oops :)
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Thomas Bleher @ 2004-05-20 12:11 UTC (permalink / raw)
To: SE-Linux
[-- Attachment #1: Type: text/plain, Size: 1404 bytes --]
* Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-05-19 15:13]:
> On Wed, May 19, 2004 at 12:08:22PM +0200, Thomas Bleher wrote:
> > * Luke Kenneth Casson Leighton <lkcl@lkcl.net> [2004-05-19 11:06]:
> > > is this pretty much all that's required??? compared to the 2.4 stuff
> > > it's like tiny.
> > >
> > > this is all that the patch to wdm does. i'm just a little surprised
> > > (pleasantly so).
> > >
> > > --- client.c.old 2004-05-19 07:40:58.000000000 +0000
> > > +++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
> > <snip patch>
> >
> > I don't think that even this is required. It should work without
> > patching, just using pam_selinux.so.
I just rechecked, and it is indeed working fine on a SuSE box
(kdebase3-kdm-3.2.2-8) without any patches, just using the selinux pam
module.
> oh?
>
> do you have some example usage that i can try out, and does
> anyone have any advice on how to ensure that installation
> of debian packages (pam and selinux and kde) would result
> in pam being automatically updated?
echo "session required pam_selinux.so" >> /etc/pam.d/kdm
should do it.
/etc/pam.d/kdm is a conffile AFAIK, so there should be no problems when
updating packages.
HTH,
Thomas
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Stephen Smalley @ 2004-05-20 12:49 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SE-Linux
On Thu, 2004-05-20 at 08:11, Thomas Bleher wrote:
> I just rechecked, and it is indeed working fine on a SuSE box
> (kdebase3-kdm-3.2.2-8) without any patches, just using the selinux pam
> module.
Interesting. We weren't able to use pam_selinux with gdm, as
pam_open_session was called from a different process.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-20 14:52 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Thomas Bleher, SE-Linux
On Thu, May 20, 2004 at 08:49:40AM -0400, Stephen Smalley wrote:
> On Thu, 2004-05-20 at 08:11, Thomas Bleher wrote:
> > I just rechecked, and it is indeed working fine on a SuSE box
> > (kdebase3-kdm-3.2.2-8) without any patches, just using the selinux pam
> > module.
>
> Interesting. We weren't able to use pam_selinux with gdm, as
> pam_open_session was called from a different process.
i _do_ notice in permissive / audit mode that kdeinit attempts to
do an su:
May 20 14:53:58 tv kernel: audit(1085064838.508:0): avc: denied {
execute } for pid=2616 exe=/usr/bin/kdeinit name=su dev=hda5 ino=93620
scontext=lkcl:user_r:user_t tcontext=system_u:object_r:su_exec_t
tclass=file
May 20 14:53:58 tv kernel: audit(1085064838.509:0): avc: denied {
getattr } for pid=2616 exe=/usr/bin/kdeinit path=/bin/su dev=hda5
ino=93620 scontext=lkcl:user_r:user_t
tcontext=system_u:object_r:su_exec_t tclass=file
this is _without_ doing a pam session, but with a patched
kdm.
checking the source code... kdm/process/client.c:StartClient()
the get_default_context is at line 1102.
pam_open_session() is at line 1172.
track track track... oo, wossat? a fork()??? ah, that's at line 1184.
okay, so i prepare a context, then open the pam session, and _then_
there's a fork (this is horrible code, btw - really large switch
statements and yuk indentation: i'm actually giving up looking for
the end of the switch statement or another case or the default :)
so, if pam_open_session() does all the work, then i don't need to
have patched kdm, and a line in /etc/pam.d/kdm to include module
pam_selinux would do the job just as well.
oh well :)
l.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Russell Coker @ 2004-05-20 15:39 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Fri, 21 May 2004 00:52, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> i _do_ notice in permissive / audit mode that kdeinit attempts to
> do an su:
Which program was it? Almost every KDE program runs as kdeinit as an attempt
at optimising load performance.
It would be nice if we could turn off the kdeinit functionality and have KDE
use exec like everything else.
--
http://apac.redhat.com/disclaimer
See above URL for disclaimer.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-20 16:14 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Fri, May 21, 2004 at 01:39:49AM +1000, Russell Coker wrote:
> On Fri, 21 May 2004 00:52, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > i _do_ notice in permissive / audit mode that kdeinit attempts to
> > do an su:
>
> Which program was it? Almost every KDE program runs as kdeinit as an attempt
> at optimising load performance.
sadly i cannot tell. i have been meaning to ask:
is it possible to run things to present more debug info at the TIME
that an avc message is placed in the logs?
for example, when the above kdeinit occurs, to do, oh, i dunno,
a ps -ax --forest.
i don't really care how long it takes, what i care about is identifying
the parent process(es).
... alternatively, do you know how could i tell?
l.
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Stephen Smalley @ 2004-05-20 16:26 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: Russell Coker, SE-Linux
On Thu, 2004-05-20 at 12:14, Luke Kenneth Casson Leighton wrote:
> sadly i cannot tell. i have been meaning to ask:
>
> is it possible to run things to present more debug info at the TIME
> that an avc message is placed in the logs?
You might get more information by enabling syscall auditing in your
kernel. Boot with audit=1.
You could patch the audit daemon (if you are running one) or syslogd to
run whatever you want as it receives audit messages.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
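Added example (not code from the thread, kdm or libselinux): a small parser for the AVC records quoted earlier in this thread, of the kind Stephen suggests hooking into syslogd or the audit daemon. It re-joins the wrapped kernel log lines, pulls out pid, exe and the source and target types, groups denials by pid, and exposes a streaming watch() callback where a site-specific action (such as the process-tree snapshot Luke asks about) would go; the sample log is the two records from the kdeinit message, and the field names and hook interface are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this thread (kdeinit
# probing /bin/su), wrapped across lines the way syslog and the mail wrapped them.
SAMPLE_LOG = """\
May 20 14:53:58 tv kernel: audit(1085064838.508:0): avc: denied {
execute } for pid=2616 exe=/usr/bin/kdeinit name=su dev=hda5 ino=93620
scontext=lkcl:user_r:user_t tcontext=system_u:object_r:su_exec_t
tclass=file
May 20 14:53:58 tv kernel: audit(1085064838.509:0): avc: denied {
getattr } for pid=2616 exe=/usr/bin/kdeinit path=/bin/su dev=hda5
ino=93620 scontext=lkcl:user_r:user_t
tcontext=system_u:object_r:su_exec_t tclass=file
"""

# A new record starts with a syslog timestamp, host and the kernel audit prefix.
RECORD_START = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: audit\(")
# 2.6-era AVC format: audit(secs.usecs:serial): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: (?P<verdict>denied|granted) "
    r"\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(record):
    """Parse one complete (unwrapped) AVC record into a dict, or return None."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    event = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    event.update(FIELD_RE.findall(m.group("fields")))  # pid=, exe=, scontext=, ...
    return event


def split_context(ctx):
    """Split user:role:type[:range] into its parts; range is None without MLS."""
    parts = ctx.split(":", 3)
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) > 3 else None,
    }


def watch(lines, on_denial):
    """Consume a stream of syslog lines (a syslogd pipe, `tail -F` of the kernel
    log), re-join wrapped continuation lines and call on_denial() once per
    complete AVC denial. Returns the number of denials seen."""
    buf = None
    count = 0

    def flush():
        nonlocal buf, count
        if buf is not None:
            event = parse_avc(buf)
            if event is not None and event["verdict"] == "denied":
                on_denial(event)
                count += 1
            buf = None

    for line in lines:
        if RECORD_START.match(line):
            flush()                      # previous record is complete
            buf = line.rstrip("\n")
        elif buf is not None:
            buf += " " + line.strip()    # continuation of the current record
    flush()                              # last record at end of input
    return count


def denials_by_pid(text):
    """Group denials by the offending pid so one process's probes read together."""
    grouped = defaultdict(list)
    watch(text.splitlines(), lambda ev: grouped[int(ev["pid"])].append(ev))
    return dict(grouped)


def summarise(text):
    """Flatten to (pid, exe, source type, target type, class, permission) rows,
    the shape needed to decide whether a denial is a policy gap or, as with
    kdeinit execing su here, behaviour to trace back to its parent process."""
    rows = []
    for pid, events in sorted(denials_by_pid(text).items()):
        for ev in events:
            src = split_context(ev["scontext"])["type"]
            tgt = split_context(ev["tcontext"])["type"]
            for perm in ev["perms"]:
                rows.append((pid, ev.get("exe", "?"), src, tgt, ev["tclass"], perm))
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print("pid=%d exe=%s %s -> %s %s:%s" % row)
```

Feeding `watch()` from a syslogd pipe with an on_denial() that records the process tree at that moment gives the parent-process view the thread asks for, without patching the daemon itself.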
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-20 16:45 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Russell Coker, SE-Linux
On Thu, May 20, 2004 at 12:26:26PM -0400, Stephen Smalley wrote:
> On Thu, 2004-05-20 at 12:14, Luke Kenneth Casson Leighton wrote:
> > sadly i cannot tell. i have been meaning to ask:
> >
> > is it possible to run things to present more debug info at the TIME
> > that an avc message is placed in the logs?
>
> You might get more information by enabling syscall auditing in your
> kernel. Boot with audit=1.
ta.
> You could patch the audit daemon (if you are running one) or syslogd to
> run whatever you want as it receives audit messages.
ah ha!
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-20 17:06 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Fri, May 21, 2004 at 01:39:49AM +1000, Russell Coker wrote:
> On Fri, 21 May 2004 00:52, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > i _do_ notice in permissive / audit mode that kdeinit attempts to
> > do an su:
>
> Which program was it? Almost every KDE program runs as kdeinit as an attempt
> at optimising load performance.
konsole --session 01012120310231203
* Re: is this pretty much it (to patch kdm 3.2.2)?
From: Luke Kenneth Casson Leighton @ 2004-05-20 17:24 UTC (permalink / raw)
To: Russell Coker; +Cc: SE-Linux
On Fri, May 21, 2004 at 01:39:49AM +1000, Russell Coker wrote:
> On Fri, 21 May 2004 00:52, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > i _do_ notice in permissive / audit mode that kdeinit attempts to
> > do an su:
>
> Which program was it? Almost every KDE program runs as kdeinit as an attempt
> at optimising load performance.
okay, it's kconsole, which execs commands.
it's actually possible to configure KDE to use something - anything -
via the "Exec" config option ... uhmmm.. track track track...
/usr/share/apps/konsole/shell.desktop
so in theeoorry, it should be possible to specify a wrapper command
under which the command will be exec'd (in this case "su something")
e.g. runcon?
oo. *wobble*. don't know what to doo.
... clues, anyone?