authorGeorge Lebl <jirka@5z.com>2003-09-18 23:16:01 +0000
committerGeorge Lebl <jirka@src.gnome.org>2003-09-18 23:16:01 +0000
commitdaff5de702b118c7f2d250410edafbf649b12f99 (patch)
tree2298292151e198f81ee7e737182ca8eb4906cd7d
parenta8dc2c4e50038edaea5b656a3788babc1ee6d7b2 (diff)
downloadgdm-daff5de702b118c7f2d250410edafbf649b12f99.tar.gz
apply the SELinux patch, taking care not to break the string freeze.
Thu Sep 18 16:15:38 2003 George Lebl <jirka@5z.com> * configure.in, acconfig.h, daemon/slave.c: apply the SELinux patch, taking care not to break the string freeze.
-rw-r--r--ChangeLog5
-rw-r--r--acconfig.h1
-rw-r--r--configure.in34
-rw-r--r--daemon/slave.c54
4 files changed, 93 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index a6281974..9cf7d9c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Thu Sep 18 16:15:38 2003 George Lebl <jirka@5z.com>
+
+ * configure.in, acconfig.h, daemon/slave.c: apply the SELinux patch,
+ taking care not to break the string freeze.
+
Thu Sep 18 13:53:37 2003 George Lebl <jirka@5z.com>
* configure.in: update version
diff --git a/acconfig.h b/acconfig.h
index 363294bc..b4e0000e 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -38,3 +38,4 @@
#undef HAVE_LOGINCAP
#undef HAVE_SYS_SOCKIO_H
#undef HAVE_SCHED_YIELD
+#undef HAVE_SELINUX
diff --git a/configure.in b/configure.in
index 0237a3df..bcb83c3e 100644
--- a/configure.in
+++ b/configure.in
@@ -65,6 +65,8 @@ AC_ARG_WITH(tcp-wrappers,
[ --with-tcp-wrappers=[auto/yes/no] Use TCP Wrappers [default=auto]],,
with_tcp_wrappers=auto)
+AC_ARG_WITH(selinux, [ --with-selinux Add SELinux support])
+
dnl
dnl PAM prefix
dnl
@@ -440,6 +442,29 @@ fi
AC_SUBST(XINERAMA_LIBS)
CPPFLAGS="$xinerama_save_cppflags"
+#
+# SELinux stuff
+#
+if test "x$with_selinux" = "xyes" ; then
+ echo "SELinux support requested (--with-selinux was given), checking prerequisites"
+ if test -d /usr/local/selinux/include ; then
+ echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well"
+ CFLAGS="$CFLAGS -I/usr/local/selinux/include"
+ LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib"
+ fi
+ AC_CHECK_HEADER(selinux/selinux.h)
+ AC_CHECK_HEADER(selinux/get_context_list.h)
+ AC_CHECK_LIB(attr,attr_get,/bin/true)
+ # I'm anal and I don't know which versions have which symbols,
+ # so I check for all the ones we use
+ AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true)
+ AC_CHECK_LIB(selinux,freecon,/bin/true)
+ AC_CHECK_LIB(selinux,freeconary,/bin/true)
+ AC_CHECK_LIB(selinux,setexeccon,/bin/true)
+ AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true)
+ AC_DEFINE(HAVE_SELINUX)
+ EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
+fi
#
# Subst the extra libs
@@ -504,7 +529,7 @@ EXPANDED_LOGDIR=`eval echo $LOGDIR_TMP`
AC_SUBST(EXPANDED_LOGDIR)
AC_DEFINE_UNQUOTED(EXPANDED_LOGDIR,"$EXPANDED_LOGDIR")
-AC_MSG_CHECKING(for fbconsole)
+AC_MSG_CHECKING(for fbconsole (for Solaris))
if test -x /usr/openwin/bin/fbconsole; then
AC_DEFINE(HAVE_FBCONSOLE)
AC_MSG_RESULT(yes)
@@ -654,6 +679,13 @@ else
echo "Console helper : NO"
fi
+dnl <= SELinux support =>
+if test "x$with_selinux" = "xyes" ; then
+ echo "SELinux support : YES"
+else
+ echo "SELinux support : NO"
+fi
+
dnl <= Authentication scheme =>
echo "Authentication scheme : $VRFY"
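Review bot: The SELinux prerequisite checks in the second hunk never influence the result: the `AC_CHECK_HEADER` outcomes are discarded, every `AC_CHECK_LIB` uses `/bin/true` as action-if-found with no action-if-not-found, and `AC_DEFINE(HAVE_SELINUX)` plus `-lselinux -lattr` are appended unconditionally, so a host without libselinux passes configure and only fails at link time. Give each check a failing branch, e.g. `AC_CHECK_LIB(selinux,setexeccon,/bin/true,AC_MSG_ERROR([libselinux does not provide setexeccon]))` and `AC_CHECK_HEADER(selinux/selinux.h,,AC_MSG_ERROR([selinux/selinux.h not found]))`, so that `--with-selinux` either produces a working daemon or stops configure. The hard-coded `/usr/local/selinux` include and lib directories could become a `--with-selinux=PREFIX` argument in a follow-up.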
diff --git a/daemon/slave.c b/daemon/slave.c
index 100838a7..466f28a1 100644
--- a/daemon/slave.c
+++ b/daemon/slave.c
@@ -56,6 +56,11 @@
#include <time.h>
#include <syslog.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
#include <vicious.h>
#include "gdm.h"
@@ -2996,6 +3001,41 @@ open_xsession_errors (struct passwd *pwent,
return logfd;
}
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session */
+static gboolean
+gdm_selinux_setup (const char *login)
+{
+ security_context_t scontext;
+
+ /* If selinux is not enabled, then we don't do anything */
+ if ( ! is_selinux_enabled ())
+ return TRUE;
+
+ if (get_default_context((char*) login,0, &scontext) < 0) {
+ gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
+ /* note that this will be run when the .xsession-errors
+ is already being logged, so we can use stderr */
+ gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
+ return FALSE;
+ }
+
+ gdm_assert (scontext != NULL);
+
+ if (setexeccon (scontext) != 0) {
+ gdm_error ("SELinux gdm login: unable to set executable context %s.",
+ (char *)scontext);
+ gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
static void
session_child_run (struct passwd *pwent,
int logfd,
@@ -3306,6 +3346,20 @@ session_child_run (struct passwd *pwent,
_exit (66);
}
+#ifdef HAVE_SELINUX
+ if ( ! gdm_selinux_setup (pwent->pw_name)) {
+ /* 66 means no "session crashed" examine .xsession-errors
+ dialog */
+ /* FIXME: do this when we get out of string freeze */
+ /*
+ gdm_error_box (d, GTK_MESSAGE_ERROR, _("Error! Unable to set executable context."));
+ _exit (66);
+ */
+ /* errors have alredy been logged to .xsession-errors */
+ _exit (1);
+ }
+#endif
+
IGNORE_EINTR (execv (argv[0], argv));
/* will go to .xsession-errors */
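Review bot: In gdm_selinux_setup (second hunk) the `setexeccon` failure branch returns without releasing the context obtained from `get_default_context`; add `freecon (scontext);` before that `return FALSE;` so every path after a successful lookup frees it (the child `_exit`s soon after, so this is tidiness rather than a real leak). The two `gdm_fdprintf (2, ...)` format strings end without `\n`, so the following line in .xsession-errors runs on; append a newline to each. `is_selinux_enabled ()` can return -1 on error in libselinux, in which case the `! is_selinux_enabled ()` test falls through to `get_default_context` and fails closed, which is acceptable but deserves a comment such as `/* -1 (error) is deliberately treated as enabled so we fail closed */`. session_child_run starts and ends outside the third hunk.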