author | Manoj Srivastava <srivasta@golden-gryphon.com> | 2010-01-05 16:40:21 +0000 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2010-01-12 18:13:23 +0000 |
commit | 6d393844dca10823f85d1ac797879fc6e00eae59 (patch) | |
tree | 86f957dd41971a9329595d6f33bba4f686f15e99 | |
parent | 90c2cc57cdf911cec2eec185f357868209212c79 (diff) |
xdm: add SELinux support
Initial patch submitted in Debian bug#233551.
Forward-ported to modular X by Eugene Konev (changes: remove Imakefile hunks,
add --with-selinux flag to configure.ac).
Updated to latest SE Linux code by Russell Coker 3rd Aug 2008, with bugfix from
Julien Cristau (Debian bug#493524).
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | configure.ac | 17 | ||||
-rw-r--r-- | session.c | 56 |
2 files changed, 73 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index 09c6019..aaf6730 100644
--- a/configure.ac
+++ b/configure.ac
@@ -130,6 +130,23 @@ if test "x$USE_PAM" != "xno" ; then
 fi])
 fi
 
+use_selinux_default=no
+# Check for selinux support
+AC_ARG_WITH(selinux, AC_HELP_STRING([--with-selinux],[Add support for selinux]),
+ [USE_SELINUX=$withval], [USE_SELINUX=$use_selinux_default])
+if test "x$USE_SELINUX" != "xno" ; then
+ old_LIBS="$LIBS"
+ LIBS=""
+ AC_SEARCH_LIBS(is_selinux_enabled,[selinux])
+ AC_CHECK_FUNC(is_selinux_enabled,
+ [AC_DEFINE(HAVE_SELINUX,1,[Add support for selinux])],
+ [if test "x$USE_SELINUX" != "xtry" ; then
+ AC_MSG_ERROR(["selinux support requested, but is_selinux_enabled not found."])
+ fi])
+ XDM_LIBS="$XDM_LIBS $LIBS"
+ LIBS="$old_LIBS"
+fi
+
 # FIXME: Find better test for which OS'es use su -m - for now, just try to
 # mirror the Imakefile setting of:
 # if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
@@ -33,6 +33,10 @@ from The Open Group.
 * session.c
 */
 
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include "dm.h"
 #include "dm_auth.h"
 #include "dm_error.h"
@@ -67,6 +71,11 @@ extern int key_setnet(struct key_netstarg *arg);
 # include <prot.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
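Review bot: The configure probe only verifies `is_selinux_enabled`, while the session.c code this commit adds also calls `getseuserbyname`, `get_default_context_with_level`, `setexeccon` and `freecon`; a libselinux old enough to lack the first two would pass configure and then fail at compile time with HAVE_SELINUX already defined. Probing the functions actually used keeps the failure at configure time and in the same place as the existing error message, e.g. `AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level], [], [AC_MSG_ERROR(["selinux support requested, but required libselinux functions not found."])])` inside the success branch of the `AC_CHECK_FUNC(is_selinux_enabled, ...)` call. Whether any still-supported libselinux release lacks those entry points is not something this hunk shows, so treat that as the reason to check rather than a known breakage.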
@@ -74,6 +83,42 @@ extern int key_setnet(struct key_netstarg *arg);
 # endif
 #endif
 
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( is_selinux_enabled () <= 0)
+ return TRUE;
+
+ if (getseuserbyname(login, &seuser, &level) == 0) {
+ ret=get_default_context_with_level(seuser, level, 0, &scontext);
+ free(seuser);
+ free(level);
+ }
+ if (ret < 0 || scontext == NULL) {
+ LogError ("SELinux: unable to obtain default security context for %s\n", login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s\n",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
 static int runAndWait (char **args, char **environ);
 
 #ifdef HAVE_GRP_H
@@ -782,6 +827,17 @@ StartClient (
 bzero(passwd, strlen(passwd));
 SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+ * For Security Enhanced Linux:
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
 home = getEnv (verify->userEnviron, "HOME");
 if (home)
 if (chdir (home) == -1) {
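Review bot: In the `setexeccon` failure branch of xdm_selinux_setup, `freecon (scontext)` runs before `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext)`, so the message formats a string that has already been freed — a use-after-free on the error path. Swap the two statements so the log call comes first: `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext); freecon (scontext);`. Separately, `scontext` is declared without an initializer; the `ret < 0 ||` short-circuit currently keeps the `scontext == NULL` test from reading it when getseuserbyname fails, but `security_context_t scontext = NULL;` makes that independent of evaluation order. Note also that `is_selinux_enabled () <= 0` treats a negative (error) return the same as "disabled" and lets the session start with no context change; logging that case would make an unexpected fail-open visible in the xdm log rather than silent.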