GNOME Bugzilla – Bug 683426
need to add back selinux code
Last modified: 2012-09-06 21:31:26 UTC
A long time ago we had custom code in GDM to manage selinux context transitions explicitly. We were able to remove that code when it got moved into a PAM module. Now that we do unlock within GDM again, we're going to need to add back a bit of that selinux code again. This is because the pam session stack changes the exec context of the worker process to a user context (in preparation for fork()/exec() of the user session). Now the worker process is forking more than just the user session though. It also forks a subworker process for unlock. We need to make sure that that worker process is fully privileged and not confined by the user context. We can achieve that by adding a setexeccon with a NULL context in the parent after the session fork().
The following fixes have been pushed:
d4dbdc8 daemon: reset exec context after fork()
fd4291d configure: check for selinux again
Created attachment 223713: daemon: reset exec context after fork()

When pam_open_session finishes, the session worker is set up such that the next fork()/exec() may transition the user to a user specific context (such as staff_t). This makes sense for the first fork()/exec() (which is the user login), but the worker may fork()/exec() other workers after login for unlock operations. These workers need to run in a gdm context not a user context. This commit changes gdm-session-worker to manually reset the exec() context after the first fork().
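The reset described in the bug report and in attachment 223713, as an added C example that is not GDM's code: the worker forks the user session, and in the parent clears the pending exec context so that a later fork()/exec() (the unlock sub-worker) stays in the daemon's own domain instead of the user's. libselinux's setexeccon(NULL) amounts to writing an empty string to /proc/self/attr/exec; the example uses that /proc interface directly so it builds without libselinux. The function names, the selinuxfs probe path, and /bin/sh standing in for the user session are the example's own assumptions.

```c
/* Added example, not GDM's code: reset the SELinux exec context in the
 * parent after forking the user session, so later children (e.g. an
 * unlock sub-worker) keep the daemon's own domain.
 *
 * setexeccon(NULL) in libselinux is a zero-length write to
 * /proc/self/attr/exec; this goes through /proc directly.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define EXEC_ATTR "/proc/self/attr/exec"

/* True when an SELinux policy is loaded (selinuxfs is mounted).
 * Probe path is this example's assumption. */
static int selinux_present(void)
{
    struct stat st;
    return stat("/sys/fs/selinux/enforce", &st) == 0;
}

/* Read the pending exec context into buf. Returns its length (0 means
 * "unset", i.e. the next exec() keeps the current domain), -1 on error. */
static ssize_t get_exec_context(char *buf, size_t len)
{
    int fd = open(EXEC_ATTR, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno == ENOENT ? 0 : -1;        /* no LSM attr file at all */
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return errno == EINVAL ? 0 : -1;        /* LSM does not track exec */
    buf[n] = '\0';
    /* Kernel may terminate the string with NUL or newline; strip it. */
    while (n > 0 && (buf[n - 1] == '\0' || buf[n - 1] == '\n'))
        buf[--n] = '\0';
    return n;
}

/* Equivalent of setexeccon(NULL): clear the exec context set up by the
 * PAM session stack. Returns 0 on success or when SELinux is not active. */
static int reset_exec_context(void)
{
    if (!selinux_present())
        return 0;
    int fd = open(EXEC_ATTR, O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* A zero-length write clears the pending context (SECSID_NULL). */
    int rc = write(fd, "", 0) < 0 ? -1 : 0;
    close(fd);
    return rc;
}

/* Fork the user session: the child exec()s argv and takes the user
 * context; the parent then drops that pending context so that the
 * sub-workers it forks afterwards run in the daemon's domain. */
static pid_t spawn_session_and_reset(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: this exec() is the one that may transition to staff_t etc. */
        execvp(argv[0], argv);
        _exit(127);
    }
    /* Parent: must happen before any further fork()/exec(). */
    if (reset_exec_context() != 0)
        perror("reset_exec_context");
    return pid;
}

int main(void)
{
    char *const session[] = { "/bin/sh", "-c", "exit 0", NULL };
    pid_t pid = spawn_session_and_reset(session);
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    char buf[256];
    ssize_t n = get_exec_context(buf, sizeof buf);
    printf("pending exec context after reset: %s\n", n > 0 ? buf : "(none)");
    int status;
    waitpid(pid, &status, 0);
    return 0;
}
```

Reading the attribute back after the reset is the check a reviewer would want: a non-empty value there means the next exec() would still leave the daemon's domain.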
Created attachment 223714: configure: check for selinux again

This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.