From: Casey Schaufler <rancidfat@yahoo.com>
To: Xavier Toth <txtoth@gmail.com>, Eamon Walsh <ewalsh@tycho.nsa.gov>
Cc: Daniel J Walsh <dwalsh@redhat.com>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	Joe Nall <joe@nall.com>,
	SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: rbacsep: collapsing xserver
Date: Fri, 30 May 2008 14:43:14 -0700 (PDT)
Message-ID: <983301.23467.qm@web36607.mail.mud.yahoo.com>
In-Reply-To: <cadfc0e40805300758m1fb4c920mb84e49e38a28493a@mail.gmail.com>


--- Xavier Toth <txtoth@gmail.com> wrote:


> >>> From http://www.gnome.org/projects/gdm/docs/2.20/overview.html:
> >>>
> >>> "On Solaris, GDM (since version 2.8.0.3) uses the SDTLOGIN interface
> >>> after user authentication to tell the X server to be restarted as the
> >>> user instead of as root for added security. When the user's session
> >>> exits, the GDM daemon will run the PostSession script as root."
> >>>
> >>> Couldn't we utilize the same functionality on Fedora?
> >>>
> >
> > I've got no problem with doing something like this.  I've already written
> > support for communicating with the X server from pam_selinux.so to set up
> > the user's device labels, so it could also tell the server to setcon itself.
> > That work has stalled because of dependency issues (pam depending on
> > libxcb), getting PAM_XAUTH_DATA support into gdm, and waiting for the next
> > release of libxcb.  But, I can pick up work on it once I finish the X Python
> > stuff.
> >
> > With regards to SDTLOGIN, it doesn't look like it restarts the server, only
> > causes it to drop privileges; see
> > http://osdir.com/ml/gnome.gdm.general/2007-10/msg00080.html dated Oct 2007.
> > The current gdm upstream seems to have dropped support for it.  I did some
> > grepping in the gdm source and couldn't find anything.  It's probably a
> > temporary result of the gdm rewrite.
> >
> 
> Yes, I think Brian mentioned that the server is not actually restarted
> but rather does a setuid/setgid because of the need to be root during
> some portion of the X server initialization. Hopefully it won't be too
> much trouble to add a setcon too. One question about this is what will
> happen with audit once the X server transitions user and context?

Just to offer the other point of view, Trusted Irix restarts the
X server on each login. In addition to how much simpler it makes
the process, doing it this way addresses all object reuse issues
which I dare say calling setcon will not suffice to address.


Casey Schaufler
casey@schaufler-ca.com
