SELinux with omarine policy: Gnome terminal: Fixing the security context

GNOME Terminal is the GNOME terminal emulator. It runs on top of the GNOME Terminal server, which it reaches over D-Bus. By default, the bus is the system bus, so if you are currently using the seuser user_u with the complete context user_u:user_r:user_t:SystemLow(s0), you will see the GNOME Terminal server running in the init_t domain, with the complete context as follows:

The current process is in the context system_u:system_r:sysadm_t:SystemLow. The terminal process therefore does not have the same context as the seuser, which is not desirable. In particular, system_u is never mapped to any Linux user.

Fixing the security context

To fix this, the bus must be the session bus. Modify the /usr/share/xsessions/gnome.desktop file, replacing the gnome-session command on the Exec line with dbus-launch --exit-with-session gnome-session:

sudo sed -i '/^Exec/c Exec=dbus-launch --exit-with-session gnome-session' \
    /usr/share/xsessions/gnome.desktop

Context is now correct:
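The following added example is not part of the original post. It makes the Exec change repeatable and then checks the result by comparing the SELinux user of every gnome-terminal process in `ps -eZ` output against the expected seuser. It goes slightly beyond the sed command above by prefixing whatever command the Exec line already holds. The function names and the sample `ps -eZ` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample lines are constructed.

# Prefix the Exec= command of a session .desktop file with dbus-launch.
# Idempotent, keeps a .bak copy, returns 1 if there is no Exec= line.
wrap_session_exec() {
    file=$1
    grep -q '^Exec=' "$file" || return 1
    grep -q '^Exec=dbus-launch --exit-with-session ' "$file" && return 0
    cp -p "$file" "$file.bak"
    sed -i 's/^Exec=\(.*\)$/Exec=dbus-launch --exit-with-session \1/' "$file"
}

# Read `ps -eZ` output on stdin and print "PID CONTEXT" for every
# gnome-terminal process whose SELinux user is not the expected seuser.
# Exit status is 1 when at least one such process is found.
check_terminal_context() {
    awk -v want="$1" '
        $NF ~ /^gnome-terminal/ {
            split($1, ctx, ":")          # ctx[1] is the SELinux user
            if (ctx[1] != want) { print $2, $1; bad = 1 }
        }
        END { exit bad + 0 }'
}

# Constructed sample: terminal server started outside the user session.
SAMPLE_BEFORE='user_u:user_r:user_t:s0         2201 tty2     00:00:01 gnome-shell
system_u:system_r:init_t:s0     2310 ?        00:00:00 gnome-terminal-'

# Constructed sample: terminal server started inside the user session.
SAMPLE_AFTER='user_u:user_r:user_t:s0         2201 tty2     00:00:01 gnome-shell
user_u:user_r:user_t:s0         2310 ?        00:00:00 gnome-terminal-'

# Demo on the constructed data. On a live system, run as the logged-in user:
#   ps -eZ | check_terminal_context user_u
printf '%s\n' "$SAMPLE_BEFORE" | check_terminal_context user_u \
    || echo "terminal server is outside the user_u context"
```

`ps` truncates the command name to 15 characters, which is why the check matches on the `gnome-terminal` prefix rather than the full server name.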

Have fun!
