diff options
author | Eamon Walsh <ewalsh@tycho.nsa.gov> | 2008-03-28 14:01:34 -0400 |
---|---|---|
committer | Eamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil> | 2008-03-28 14:14:23 -0400 |
commit | b5f98fcea2024c67e598947782913982072cf4fb (patch) | |
tree | f0a1b1321cc41ef9f10abada7b12b5777effeab3 /Xext | |
parent | 415e49b940bba2d08870db410ebb47d2add5d836 (diff) |
XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
Patch by Joe Nall.
The option goes in the "extmod" subsection.
TODO: Make it easier for extension modules to handle their own options.
Diffstat (limited to 'Xext')
-rw-r--r-- | Xext/xselinux.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c index 17ce7af10..2e059a4c3 100644 --- a/Xext/xselinux.c +++ b/Xext/xselinux.c @@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include <libaudit.h> #include <X11/Xatom.h> +#include "globals.h" #include "resource.h" #include "privates.h" #include "registry.h" @@ -1891,16 +1892,36 @@ void SELinuxExtensionInit(INITARGS) { ExtensionEntry *extEntry; - struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } }; + struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 }; + struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 }; security_context_t con; int ret = TRUE; - /* Setup SELinux stuff */ + /* Check SELinux mode on system */ if (!is_selinux_enabled()) { - ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n"); + ErrorF("SELinux: Disabled on system, not enabling in X server\n"); return; } + /* Check SELinux mode in configuration file */ + switch(selinuxEnforcingState) { + case SELINUX_MODE_DISABLED: + LogMessage(X_INFO, "SELinux: Disabled in configuration file\n"); + return; + case SELINUX_MODE_ENFORCING: + LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n"); + avc_option.value = (char *)1; + break; + case SELINUX_MODE_PERMISSIVE: + LogMessage(X_INFO, "SELinux: Configured in permissive mode\n"); + avc_option.value = (char *)0; + break; + default: + avc_option.type = AVC_OPT_UNUSED; + break; + } + + /* Set up SELinux stuff */ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog); selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit); @@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS) FatalError("SELinux: Failed to set up security class mapping\n"); } - if (avc_open(NULL, 0) < 0) + if (avc_open(&avc_option, 1) < 0) FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n"); avc_active = 1; - label_hnd = selabel_open(SELABEL_CTX_X, options, 1); + label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1); if (!label_hnd) FatalError("SELinux: Failed to open x_contexts mapping in policy\n"); |