Commit daff5de7 authored by Jiri (George) Lebl's avatar Jiri (George) Lebl Committed by George Lebl

apply the SELinux patch, taking care not to break the string freeze.


Thu Sep 18 16:15:38 2003  George Lebl <jirka@5z.com>

	* configure.in, acconfig.h, daemon/slave.c: apply the SELinux patch,
	  taking care not to break the string freeze.
parent a8dc2c4e
Thu Sep 18 16:15:38 2003 George Lebl <jirka@5z.com>
* configure.in, acconfig.h, daemon/slave.c: apply the SELinux patch,
taking care not to break the string freeze.
Thu Sep 18 13:53:37 2003 George Lebl <jirka@5z.com>
* configure.in: update version
......
......@@ -38,3 +38,4 @@
#undef HAVE_LOGINCAP
#undef HAVE_SYS_SOCKIO_H
#undef HAVE_SCHED_YIELD
#undef HAVE_SELINUX
......@@ -65,6 +65,8 @@ AC_ARG_WITH(tcp-wrappers,
[ --with-tcp-wrappers=[auto/yes/no] Use TCP Wrappers [default=auto]],,
with_tcp_wrappers=auto)
AC_ARG_WITH(selinux, [ --with-selinux Add SELinux support])
dnl
dnl PAM prefix
dnl
......@@ -440,6 +442,29 @@ fi
AC_SUBST(XINERAMA_LIBS)
CPPFLAGS="$xinerama_save_cppflags"
#
# SELinux stuff
#
if test "x$with_selinux" = "xyes" ; then
echo "SELinux support requested (--with-selinux was given), checking prerequisites"
if test -d /usr/local/selinux/include ; then
echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well"
CFLAGS="$CFLAGS -I/usr/local/selinux/include"
LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib"
fi
AC_CHECK_HEADER(selinux/selinux.h)
AC_CHECK_HEADER(selinux/get_context_list.h)
AC_CHECK_LIB(attr,attr_get,/bin/true)
# I'm anal and I don't know which versions have which symbols,
# so I check for all the ones we use
AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true)
AC_CHECK_LIB(selinux,freecon,/bin/true)
AC_CHECK_LIB(selinux,freeconary,/bin/true)
AC_CHECK_LIB(selinux,setexeccon,/bin/true)
AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true)
AC_DEFINE(HAVE_SELINUX)
EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
fi
#
# Subst the extra libs
......@@ -504,7 +529,7 @@ EXPANDED_LOGDIR=`eval echo $LOGDIR_TMP`
AC_SUBST(EXPANDED_LOGDIR)
AC_DEFINE_UNQUOTED(EXPANDED_LOGDIR,"$EXPANDED_LOGDIR")
AC_MSG_CHECKING(for fbconsole)
AC_MSG_CHECKING(for fbconsole (for Solaris))
if test -x /usr/openwin/bin/fbconsole; then
AC_DEFINE(HAVE_FBCONSOLE)
AC_MSG_RESULT(yes)
......@@ -654,6 +679,13 @@ else
echo "Console helper : NO"
fi
dnl <= SELinux support =>
if test "x$with_selinux" = "xyes" ; then
echo "SELinux support : YES"
else
echo "SELinux support : NO"
fi
dnl <= Authentication scheme =>
echo "Authentication scheme : $VRFY"
......
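Review bot: In the `# SELinux stuff` block none of the AC_CHECK_HEADER / AC_CHECK_LIB calls has an action-if-not-found, and the library checks pass `/bin/true` as the found action, so a failed check changes nothing. `AC_DEFINE(HAVE_SELINUX)` and `-lselinux -lattr` are applied whenever `--with-selinux` is given, and the summary hunk prints "SELinux support : YES" even if the headers or library are absent. A build that asked for SELinux support should stop at configure time instead of failing later at compile or link time. For example, `AC_CHECK_HEADER(selinux/selinux.h,,AC_MSG_ERROR([selinux/selinux.h not found]))` and `AC_CHECK_LIB(selinux,setexeccon,/bin/true,AC_MSG_ERROR([libselinux lacks setexeccon]))`, with the same fourth argument on the other symbol checks.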
......@@ -56,6 +56,11 @@
#include <time.h>
#include <syslog.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
#endif /* HAVE_SELINUX */
#include <vicious.h>
#include "gdm.h"
......@@ -2996,6 +3001,41 @@ open_xsession_errors (struct passwd *pwent,
return logfd;
}
#ifdef HAVE_SELINUX
/* This should be run just before we exec the user session */
static gboolean
gdm_selinux_setup (const char *login)
{
security_context_t scontext;
/* If selinux is not enabled, then we don't do anything */
if ( ! is_selinux_enabled ())
return TRUE;
if (get_default_context((char*) login,0, &scontext) < 0) {
gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
/* note that this will be run when the .xsession-errors
is already being logged, so we can use stderr */
gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
return FALSE;
}
gdm_assert (scontext != NULL);
if (setexeccon (scontext) != 0) {
gdm_error ("SELinux gdm login: unable to set executable context %s.",
(char *)scontext);
gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
(char *)scontext);
return FALSE;
}
freecon (scontext);
return TRUE;
}
#endif /* HAVE_SELINUX */
static void
session_child_run (struct passwd *pwent,
int logfd,
......@@ -3306,6 +3346,20 @@ session_child_run (struct passwd *pwent,
_exit (66);
}
#ifdef HAVE_SELINUX
if ( ! gdm_selinux_setup (pwent->pw_name)) {
/* 66 means no "session crashed" examine .xsession-errors
dialog */
/* FIXME: do this when we get out of string freeze */
/*
gdm_error_box (d, GTK_MESSAGE_ERROR, _("Error! Unable to set executable context."));
_exit (66);
*/
/* errors have alredy been logged to .xsession-errors */
_exit (1);
}
#endif
IGNORE_EINTR (execv (argv[0], argv));
/* will go to .xsession-errors */
......
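Review bot: In `gdm_selinux_setup` the `setexeccon` failure branch returns FALSE without releasing `scontext`; only the success path reaches `freecon (scontext)`. The caller in `session_child_run` exits immediately with `_exit (1)`, so the leak is short-lived, but adding `freecon (scontext);` before that `return FALSE;` keeps both paths consistent. Exiting instead of running `execv` when the context cannot be set is the fail-closed choice, and it deserves a comment at the call site such as `/* fail closed: do not start the session without the user's SELinux context */`. `session_child_run` starts and ends outside the hunk, so where this call sits relative to the privilege drop cannot be checked from here.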