Ubuntu
gdm package

gdm login context incorrect

Bug #430205 reported by Caleb Case on 2009-09-15

8

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	gdm (Ubuntu)	Fix Released	Medium	Kees Cook	Ubuntu ubuntu-9.10

Bug Description

Binary package hint: gdm

To replicate:

* apt-get install selinux
* reboot
* login
* open a terminal and check your context (id -Z)

The context should be unconfined_t, however, because the new GDM handles SELinux differently the context will end up being gdm_t. GDM now handles transitions via PAM: http://marc.info/?l=selinux&m=125250111327104&w=2

Related branches

lp:~ubuntu-desktop/gdm/ubuntu

lp:ubuntu/lucid/gdm

Revision history for this message

Caleb Case (calebcase) wrote on 2009-09-15:

#1

gdm_2.27.90-0ubuntu6.debdiff Edit (2.0 KiB, text/plain)

Changed in gdm (Ubuntu):
status:	New → In Progress

Revision history for this message

Sebastien Bacher (seb128) wrote on 2009-09-15:

#2

Thank you for your bug report, I don't know enough about selinux to understand the issue but setting the priority to low since that doesn't seem something any standard user will notice

Changed in gdm (Ubuntu):
importance:	Undecided → Low
summary:	- [karmic] gdm login context incorrect + gdm login context incorrect

Revision history for this message

Kees Cook (kees) wrote on 2009-09-20:

#3

This may need some adjustment. I will be reviewing this early next week for Karmic. Thanks for the patch!

Changed in gdm (Ubuntu):
assignee:	nobody → Kees Cook (kees)
milestone:	none → ubuntu-9.10-beta

Revision history for this message

Steve Langasek (vorlon) wrote on 2009-09-23:

#4

The proposed PAM config uses pam_sepermit for auth in gdm. Why is this needed, when login doesn't use this? Should SELinux handling not be identical between login and gdm?

Can this be generalized to other services as well (i.e., put it in as a PAM profile hooked into pam-auth-update)?

Revision history for this message

Martin Pitt (pitti) wrote on 2009-10-01:

#5

Unsubscribing sponsors for now, while this is being reviewed by Kees, and there are some open questions.

Kees Cook (kees) on 2009-10-06

Changed in gdm (Ubuntu):
milestone:	ubuntu-9.10-beta → ubuntu-9.10
importance:	Low → Medium

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-10-07:

#6

This bug was fixed in the package gdm - 2.28.0-0ubuntu13

---------------
gdm (2.28.0-0ubuntu13) karmic; urgency=low

* debian/gdm{,-autologin}.pam: correctly handle SELinux transitions,
thanks to Caleb Case (LP: #430205).

-- Kees Cook <email address hidden> Tue, 06 Oct 2009 16:49:25 -0700

Changed in gdm (Ubuntu):
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

gdm_2.27.90-0ubuntu6.debdiff Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.