author | Manoj Srivastava <srivasta@golden-gryphon.com> | 2010-01-05 16:40:21 +0000 |
committer | Julien Cristau <jcristau@debian.org> | 2010-01-12 18:13:23 +0000 |
commit | 6d393844dca10823f85d1ac797879fc6e00eae59 (patch) | |
tree | 86f957dd41971a9329595d6f33bba4f686f15e99 /session.c | |
parent | 90c2cc57cdf911cec2eec185f357868209212c79 (diff) |
xdm: add SELinux support
Initial patch submitted in Debian bug#233551.
Forward-ported to modular X by Eugene Konev (changes: remove Imakefile hunks,
add --with-selinux flag to configure.ac).
Updated to latest SE Linux code by Russell Coker 3rd Aug 2008, with bugfix from
Julien Cristau (Debian bug#493524).
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@sun.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 56 |
1 files changed, 56 insertions, 0 deletions
@@ -33,6 +33,10 @@ from The Open Group.
 * session.c
 */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include "dm.h"
 #include "dm_auth.h"
 #include "dm_error.h"
@@ -67,6 +71,11 @@ extern int key_setnet(struct key_netstarg *arg);
 # include <prot.h>
 #endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
@@ -74,6 +83,42 @@ extern int key_setnet(struct key_netstarg *arg);
 # endif
 #endif
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( is_selinux_enabled () <= 0)
+ return TRUE;
+
+ if (getseuserbyname(login, &seuser, &level) == 0) {
+ ret=get_default_context_with_level(seuser, level, 0, &scontext);
+ free(seuser);
+ free(level);
+ }
+ if (ret < 0 || scontext == NULL) {
+ LogError ("SELinux: unable to obtain default security context for %s\n", login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s\n",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
 static int runAndWait (char **args, char **environ);
 #ifdef HAVE_GRP_H
@@ -782,6 +827,17 @@ StartClient (
 bzero(passwd, strlen(passwd));
 SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+ * For Security Enhanced Linux:
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
 home = getEnv (verify->userEnviron, "HOME");
 if (home)
 if (chdir (home) == -1) { |
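Review bot: In the setexeccon failure branch of xdm_selinux_setup, `freecon (scontext);` runs before `LogError` formats `scontext` with `%s`, so the message is built from freed memory; move the `freecon (scontext);` below the LogError call. `security_context_t scontext;` is also left uninitialised, and the `ret < 0 || scontext == NULL` test only avoids reading it because `ret` is tested first; `security_context_t scontext = NULL;` lets the guard stand on its own. The early `if ( is_selinux_enabled () <= 0) return TRUE;` treats a negative (error) result the same as "SELinux disabled" and starts the session with no exec context, which is fail-open — I would at least log the negative case so an operator can see it (the exact return convention of is_selinux_enabled on error should be confirmed against the libselinux in use). The function also has no header stating its contract; a comment such as `/* Returns TRUE when no exec context is required or one was set, FALSE when SELinux is enabled but no default context could be obtained or applied. */` above `static int` would help.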
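Review bot: In the new block in StartClient, `return (0);` after `exit (UNMANAGE_DISPLAY);` is unreachable, and the `LogError ("failed to set security context\n");` repeats the more specific message xdm_selinux_setup has already logged; drop the `return (0);` or mark it `/* NOTREACHED */` if it is kept to silence a warning. StartClient's body begins and ends outside the hunk, so whether this code runs in a forked child (which the `exit` suggests) is inferred, not visible here; a one-line comment such as `/* child: refuse to start the session if the SELinux exec context cannot be set */` would make the fail-closed intent explicit to the next reader.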