authorEamon Walsh <ewalsh@tycho.nsa.gov>2008-03-28 14:01:34 -0400
committerEamon Walsh <ewalsh@moss-charon.epoch.ncsc.mil>2008-03-28 14:14:23 -0400
commitb5f98fcea2024c67e598947782913982072cf4fb (patch)
treef0a1b1321cc41ef9f10abada7b12b5777effeab3
parent415e49b940bba2d08870db410ebb47d2add5d836 (diff)
XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
Patch by Joe Nall. The option goes in the "extmod" subsection. TODO: Make it easier for extension modules to handle their own options.
-rw-r--r--Xext/xselinux.c31
-rw-r--r--hw/xfree86/dixmods/extmod/modinit.c23
-rw-r--r--hw/xfree86/loader/dixsym.c3
-rw-r--r--include/globals.h10
-rw-r--r--mi/miinitext.c8
-rw-r--r--os/utils.c4
6 files changed, 72 insertions, 7 deletions
diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 17ce7af10..2e059a4c3 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <libaudit.h>
#include <X11/Xatom.h>
+#include "globals.h"
#include "resource.h"
#include "privates.h"
#include "registry.h"
@@ -1891,16 +1892,36 @@ void
SELinuxExtensionInit(INITARGS)
{
ExtensionEntry *extEntry;
- struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } };
+ struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
+ struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
security_context_t con;
int ret = TRUE;
- /* Setup SELinux stuff */
+ /* Check SELinux mode on system */
if (!is_selinux_enabled()) {
- ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
+ ErrorF("SELinux: Disabled on system, not enabling in X server\n");
return;
}
+ /* Check SELinux mode in configuration file */
+ switch(selinuxEnforcingState) {
+ case SELINUX_MODE_DISABLED:
+ LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
+ return;
+ case SELINUX_MODE_ENFORCING:
+ LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n");
+ avc_option.value = (char *)1;
+ break;
+ case SELINUX_MODE_PERMISSIVE:
+ LogMessage(X_INFO, "SELinux: Configured in permissive mode\n");
+ avc_option.value = (char *)0;
+ break;
+ default:
+ avc_option.type = AVC_OPT_UNUSED;
+ break;
+ }
+
+ /* Set up SELinux stuff */
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit);
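Review bot: The `default:` arm of the new switch emits nothing, so when the configuration file sets no mode the server log never records which SELinux mode the X server is actually running in, while the three explicit arms each write an X_INFO line; the default arm presumably leaves the AVC on the system's enforcing mode, so `LogMessage(X_INFO, "SELinux: Using system enforcing mode\n");` placed before `avc_option.type = AVC_OPT_UNUSED;` would make the effective mode visible to whoever audits the log. The rewritten "Disabled on system" message still goes through ErrorF although a disabled system is not an error and the new mode messages use LogMessage; `LogMessage(X_INFO, "SELinux: Disabled on system, not enabling in X server\n");` would keep the four messages consistent. The body of SELinuxExtensionInit continues past the end of this hunk.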
@@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS)
FatalError("SELinux: Failed to set up security class mapping\n");
}
- if (avc_open(NULL, 0) < 0)
+ if (avc_open(&avc_option, 1) < 0)
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
avc_active = 1;
- label_hnd = selabel_open(SELABEL_CTX_X, options, 1);
+ label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
if (!label_hnd)
FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
diff --git a/hw/xfree86/dixmods/extmod/modinit.c b/hw/xfree86/dixmods/extmod/modinit.c
index d0d892aaf..8c8a4ceeb 100644
--- a/hw/xfree86/dixmods/extmod/modinit.c
+++ b/hw/xfree86/dixmods/extmod/modinit.c
@@ -42,7 +42,7 @@ static ExtensionModule extensionModules[] = {
{
SELinuxExtensionInit,
SELINUX_EXTENSION_NAME,
- NULL,
+ &noSELinuxExtension,
NULL,
NULL
},
@@ -258,6 +258,27 @@ extmodSetup(pointer module, pointer opts, int *errmaj, int *errmin)
}
}
}
+
+#ifdef XSELINUX
+ if (! strcmp(SELINUX_EXTENSION_NAME, extensionModules[i].name)) {
+ pointer o;
+ selinuxEnforcingState = SELINUX_MODE_DEFAULT;
+
+ if ((o = xf86FindOption(opts, "SELinux mode disabled"))) {
+ xf86MarkOptionUsed(o);
+ selinuxEnforcingState = SELINUX_MODE_DISABLED;
+ }
+ if ((o = xf86FindOption(opts, "SELinux mode permissive"))) {
+ xf86MarkOptionUsed(o);
+ selinuxEnforcingState = SELINUX_MODE_PERMISSIVE;
+ }
+ if ((o = xf86FindOption(opts, "SELinux mode enforcing"))) {
+ xf86MarkOptionUsed(o);
+ selinuxEnforcingState = SELINUX_MODE_ENFORCING;
+ }
+ }
+#endif
+
LoadExtension(&extensionModules[i], FALSE);
}
/* Need a non-NULL return */
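Review bot: The three `xf86FindOption` checks are independent `if` statements, so a configuration that lists more than one "SELinux mode" option is silently resolved to the last one tested (enforcing over permissive over disabled) and all of them are marked used, which hides the conflict from the administrator; chaining the second and third as `} else if ((o = xf86FindOption(opts, "SELinux mode permissive"))) {` and `} else if ((o = xf86FindOption(opts, "SELinux mode enforcing"))) {` makes the first listed option win and leaves the others unmarked, and a comment stating that precedence would document the choice. A misspelled option name also falls through to SELINUX_MODE_DEFAULT with no message, so a typo quietly changes the mode the server ends up in; a short comment noting that the mode option is matched by exact name would at least warn readers. The loop over `extensionModules[i]` that encloses this code starts before the hunk, and extmodSetup continues after it.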
diff --git a/hw/xfree86/loader/dixsym.c b/hw/xfree86/loader/dixsym.c
index d035c762f..d6d22c4b9 100644
--- a/hw/xfree86/loader/dixsym.c
+++ b/hw/xfree86/loader/dixsym.c
@@ -440,6 +440,9 @@ _X_HIDDEN void *dixLookupTab[] = {
#ifdef XIDLE
SYMVAR(noXIdleExtension)
#endif
+#ifdef XSELINUX
+ SYMVAR(noSELinuxExtension)
+#endif
#ifdef XV
SYMVAR(noXvExtension)
#endif
diff --git a/include/globals.h b/include/globals.h
index b230dfc37..2ca9531d9 100644
--- a/include/globals.h
+++ b/include/globals.h
@@ -175,6 +175,16 @@ extern Bool noXInputExtension;
extern Bool noXIdleExtension;
#endif
+#ifdef XSELINUX
+extern Bool noSELinuxExtension;
+
+#define SELINUX_MODE_DEFAULT 0
+#define SELINUX_MODE_DISABLED 1
+#define SELINUX_MODE_PERMISSIVE 2
+#define SELINUX_MODE_ENFORCING 3
+extern int selinuxEnforcingState;
+#endif
+
#ifdef XV
extern Bool noXvExtension;
#endif
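Review bot: Nothing in the header explains what distinguishes SELINUX_MODE_DEFAULT from the three explicit modes; from its consumer in xselinux.c it appears to mean "no mode set in the configuration file, leave the AVC on the system's mode", and a one-line comment such as `/* SELINUX_MODE_DEFAULT: no mode in xorg.conf, follow the system's enforcing mode */` above the defines would save readers the cross-reference. Since SELinuxExtensionInit dispatches on these values in a switch, an enum with the same values, `enum { SELINUX_MODE_DEFAULT, SELINUX_MODE_DISABLED, SELINUX_MODE_PERMISSIVE, SELINUX_MODE_ENFORCING };`, would be debugger-visible and let the compiler flag an unhandled case, if the header's conventions permit it.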
diff --git a/mi/miinitext.c b/mi/miinitext.c
index 3c55eebb3..cc4c15c9d 100644
--- a/mi/miinitext.c
+++ b/mi/miinitext.c
@@ -215,6 +215,9 @@ extern Bool noXInputExtension;
#ifdef XIDLE
extern Bool noXIdleExtension;
#endif
+#ifdef XSELINUX
+extern Bool noSELinuxExtension;
+#endif
#ifdef XV
extern Bool noXvExtension;
#endif
@@ -488,6 +491,9 @@ static ExtensionToggle ExtensionToggleList[] =
#ifdef XKB
{ "XKEYBOARD", &noXkbExtension },
#endif
+#ifdef XSELINUX
+ { "SELinux", &noSELinuxExtension },
+#endif
{ "XTEST", &noTestExtensions },
#ifdef XV
{ "XVideo", &noXvExtension },
@@ -597,7 +603,7 @@ InitExtensions(argc, argv)
if (!noSecurityExtension) SecurityExtensionInit();
#endif
#ifdef XSELINUX
- SELinuxExtensionInit();
+ if (!noSELinuxExtension) SELinuxExtensionInit();
#endif
#ifdef XPRINT
XpExtensionInit(); /* server-specific extension, cannot be disabled */
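Review bot: With the new guard `if (!noSELinuxExtension) SELinuxExtensionInit();` the SELinux extension can be switched off through the "SELinux" entry added to ExtensionToggleList earlier in this diff, but unlike the configuration-file path in SELinuxExtensionInit, which logs an X_INFO line when the mode is disabled, this path leaves no trace that mandatory access control was skipped; adding `else LogMessage(X_INFO, "SELinux: Extension disabled, not initializing\n");` would keep the absence of enforcement visible in the server log. InitExtensions starts before this hunk, so whether the loader build reaches this line or only the extmod path is not visible here.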
diff --git a/os/utils.c b/os/utils.c
index 4041028a3..57293ab6f 100644
--- a/os/utils.c
+++ b/os/utils.c
@@ -232,6 +232,10 @@ _X_EXPORT Bool noXInputExtension = FALSE;
#ifdef XIDLE
_X_EXPORT Bool noXIdleExtension = FALSE;
#endif
+#ifdef XSELINUX
+_X_EXPORT Bool noSELinuxExtension = FALSE;
+_X_EXPORT int selinuxEnforcingState = SELINUX_MODE_DEFAULT;
+#endif
#ifdef XV
_X_EXPORT Bool noXvExtension = FALSE;
#endif