summaryrefslogtreecommitdiff
path: root/Xext
diff options
context:
space:
mode:
authorEamon Walsh <ewalsh@tycho.nsa.gov>2008-03-28 14:01:34 -0400
committerEamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil>2008-03-28 14:14:23 -0400
commitb5f98fcea2024c67e598947782913982072cf4fb (patch)
treef0a1b1321cc41ef9f10abada7b12b5777effeab3 /Xext
parent415e49b940bba2d08870db410ebb47d2add5d836 (diff)
XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
Patch by Joe Nall. The option goes in the "extmod" subsection. TODO: Make it easier for extension modules to handle their own options.
Diffstat (limited to 'Xext')
-rw-r--r--Xext/xselinux.c31
1 files changed, 26 insertions, 5 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 17ce7af10..2e059a4c3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <libaudit.h>
#include <X11/Xatom.h>
+#include "globals.h"
#include "resource.h"
#include "privates.h"
#include "registry.h"
@@ -1891,16 +1892,36 @@ void
SELinuxExtensionInit(INITARGS)
{
ExtensionEntry *extEntry;
- struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } };
+ struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
+ struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
security_context_t con;
int ret = TRUE;
- /* Setup SELinux stuff */
+ /* Check SELinux mode on system */
if (!is_selinux_enabled()) {
- ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
+ ErrorF("SELinux: Disabled on system, not enabling in X server\n");
return;
}
+ /* Check SELinux mode in configuration file */
+ switch(selinuxEnforcingState) {
+ case SELINUX_MODE_DISABLED:
+ LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
+ return;
+ case SELINUX_MODE_ENFORCING:
+ LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n");
+ avc_option.value = (char *)1;
+ break;
+ case SELINUX_MODE_PERMISSIVE:
+ LogMessage(X_INFO, "SELinux: Configured in permissive mode\n");
+ avc_option.value = (char *)0;
+ break;
+ default:
+ avc_option.type = AVC_OPT_UNUSED;
+ break;
+ }
+
+ /* Set up SELinux stuff */
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit);
@@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS)
FatalError("SELinux: Failed to set up security class mapping\n");
}
- if (avc_open(NULL, 0) < 0)
+ if (avc_open(&avc_option, 1) < 0)
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
avc_active = 1;
- label_hnd = selabel_open(SELABEL_CTX_X, options, 1);
+ label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
if (!label_hnd)
FatalError("SELinux: Failed to open x_contexts mapping in policy\n");