From: Christoph Wickert <christoph.wickert@go...> - 2010-02-19 13:56:48
There are quite a few problems with SELinux and LXDM, but we already
figured most of them out. The remaining bits are:
First the easy one: Is it possible to move lxdm.auth to a custom
directory, say /var/run/lxdm/ instead of just /var/run? We could then
label the whole directory xdm_var_run_t and have fewer problems then.
The second is more complicated: LXDM directly talks to the tty device,
say /dev/tty7 and relabels it from tty_device_t to user_tty_device_t. Is
this really necessary/intended? It would be better to have a pseudo
terminal like /dev/pts to talk to, just like the other display managers

From: Christoph Wickert <christoph.wickert@go...> - 2010-02-19 16:25:02
On Saturday, 20.02.2010, at 00:09 +0800, dgod wrote:
> 1 move lxdm.auth to /var/run/lxdm is easy, if it is necessary
Thanks, that would be great. You could also move lxdm.pid to that
> 2 I don't know the terminal of linux well, but /dev/pts is likely
> generated by telnet or ssh, lxdm is used locally, should not talk
> to /dev/pts.
Each process that needs a pseudo terminal will get its own
device: /dev/pts/0, /dev/pts/1 and so on.
> you say lxdm relabels /dev/tty7; as lxdm doesn't know SELinux,
> why is it a bug of lxdm?
Because it requires capabilities (relabelfrom and relabelto) that
normally it should not be requiring and that are considered dangerous.
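
For triage on the SELinux side, the following is an added example, not part of the original thread and not LXDM code: it picks relabelfrom/relabelto denials on character devices out of audit records, which is how the tty relabeling discussed above shows up. The sample records are constructed; the xdm_t source domain, the comm value, pids and inode numbers are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from a real system). The xdm_t
# source domain, the comm value, pids and inode numbers are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1266587808.101:41): avc:  denied  { relabelfrom } for  pid=1502 comm="lxdm" name="tty7" dev=tmpfs ino=3120 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1266587808.102:42): avc:  denied  { relabelto } for  pid=1502 comm="lxdm" name="tty7" dev=tmpfs ino=3120 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:user_tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1266587809.007:43): avc:  denied  { write } for  pid=1502 comm="lxdm" name="lxdm.auth" dev=tmpfs ino=4711 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=USER_START msg=audit(1266587810.000:44): user pid=1502 uid=0 msg='op=login'
"""

# One AVC denial: permission set, command name, source/target context, class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
RELABEL_PERMS = {"relabelfrom", "relabelto"}


def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    return context.split(":")[2]


def relabel_denials(log_text):
    """Group relabel denials on character devices by (comm, source type)."""
    found = defaultdict(list)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["tclass"] != "chr_file":
            continue  # not an AVC denial, or not a device node
        for perm in sorted(RELABEL_PERMS & set(m["perms"].split())):
            key = (m["comm"], selinux_type(m["scon"]))
            found[key].append((perm, selinux_type(m["tcon"])))
    return dict(found)


if __name__ == "__main__":
    for (comm, domain), hits in relabel_denials(SAMPLE_AUDIT_LOG).items():
        for perm, target in hits:
            print(f"{comm} ({domain}): {perm} on {target}")
```

The relabelfrom check is made against the device's old type and relabelto against the new one, so a single relabel of /dev/tty7 produces the pair of records shown.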