[DSE-Dev] Bug#874191: might be a duplicate

Russell Coker russell at coker.com.au
Fri Sep 8 01:32:25 UTC 2017 

On Thursday, 7 September 2017 8:06:12 PM AEST Harlan Lieberman-Berg wrote:
> Hm.  Looking more, you may be right.  What's odd is that some binaries
> that are (presumably) being launched by Gnome are being correctly
> given the right context; for example, gdm and X are running as
> system_u:system_r:xdm_t:s0-s0:c0.c1023.  evolution-calendar, though,
> is system_u:system_r:init_t:s0.  And yet other things that are
> probably also part of my user session are
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

gdm has the correct domain.  Maybe pam is not configured correctly.  Below is 
/etc/pam.d/sddm from one of my systems, try making your gdm pam configuration 
more like this and see if things work correctly.

#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] 
pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] 
pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other 
modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale
session required        pam_env.so envfile=/etc/default/locale


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

More information about the SELinux-devel mailing list