XSELinux: Add xorg.conf option for permissive/enforcing/disabled.

Patch by Joe Nall. The option goes in the "extmod" subsection. TODO: Make it easier for extension modules to handle their own options. (cherry picked from commit b5f98fcea2024c67e598947782913982072cf4fb)
author: Eamon Walsh <ewalsh@tycho.nsa.gov> 2008-03-28 14:01:34 -0400
committer: Eamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil> 2008-03-28 14:24:06 -0400
commit: c26bccf4173a037aa403c511dd08fd63cbbed87a (patch)
tree: 32fa604c3245855ae0c0808e7d09e47969cc3426 /Xext
parent: ae8edf3ee78ec1786c71b60ac0a5c9a2efb4e857 (diff)
1 files changed, 26 insertions, 5 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 17ce7af10..2e059a4c3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <libaudit.h>
 
 #include <X11/Xatom.h>
+#include "globals.h"
 #include "resource.h"
 #include "privates.h"
 #include "registry.h"
@@ -1891,16 +1892,36 @@ void
 SELinuxExtensionInit(INITARGS)
 {
     ExtensionEntry *extEntry;
-    struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } };
+    struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
+    struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
     security_context_t con;
     int ret = TRUE;
 
-    /* Setup SELinux stuff */
+    /* Check SELinux mode on system */
     if (!is_selinux_enabled()) {
-	ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
+	ErrorF("SELinux: Disabled on system, not enabling in X server\n");
 	return;
     }
 
+    /* Check SELinux mode in configuration file */
+    switch(selinuxEnforcingState) {
+    case SELINUX_MODE_DISABLED:
+	LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
+	return;
+    case SELINUX_MODE_ENFORCING:
+	LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n");
+	avc_option.value = (char *)1;
+	break;
+    case SELINUX_MODE_PERMISSIVE:
+	LogMessage(X_INFO, "SELinux: Configured in permissive mode\n");
+	avc_option.value = (char *)0;
+	break;
+    default:
+	avc_option.type = AVC_OPT_UNUSED;
+	break;
+    }
+
+    /* Set up SELinux stuff */
     selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
     selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit);
 
@@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS)
 	FatalError("SELinux: Failed to set up security class mapping\n");
     }
 
-    if (avc_open(NULL, 0) < 0)
+    if (avc_open(&avc_option, 1) < 0)
 	FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
     avc_active = 1;
 
-    label_hnd = selabel_open(SELABEL_CTX_X, options, 1);
+    label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
     if (!label_hnd)
 	FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
author	Eamon Walsh <ewalsh@tycho.nsa.gov>	2008-03-28 14:01:34 -0400
committer	Eamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil>	2008-03-28 14:24:06 -0400
commit	c26bccf4173a037aa403c511dd08fd63cbbed87a (patch)
tree	32fa604c3245855ae0c0808e7d09e47969cc3426 /Xext
parent	ae8edf3ee78ec1786c71b60ac0a5c9a2efb4e857 (diff)