> Please either make some appropriate -dev package, or perhaps even > xutils, depend on libselinux-dev, or else stop telling arbitrary > programs to link with libselinux.
Attached is a reworked patch 099s_selinux_support.diff with all SELinux-specific changes moved from Imake.tmpl to the xdm Imakefile, as xdm is the only program affected by the SELinux addition. This change prevents -lselinux from being added to the link flags of programs built with xmkmf.
$Id$ Add support for SELinux. Note that this patch only adds source-level support, and does not actually enable it. This patch by Manoj Srivastava. As he notes in Debian #233551: As implemented, the patch merely provides a capability, which has to be explicitly turned on at compile time with -DHasSELinux=YES. If one does not compile with -DHasSELinux=YES, the patch is a no-op. Since none of the code is compiled in, there is no change in behaviour, nor is there any performance hit. If you do turn on the SELinux compatibility with -DHasSELinux, you would need libselinux at build time. In other words, the mainline X build does not build depend on SELinux; the dependency is only invoked if you explicitly pass a parameter to imake. Even when SELinux compatibility is compiled in, on a non SELinux kernel it is dead code; there is no change in functionality, apart from a single check to see if SELinux is available at each login. The SELinux code paths are not exercised on non-SELinux kernels. The more permanent way to enable SELinux support is to #define HasSELinux YES in the relevant distribution-specific section of linux.cf. If that is done for Debian, the source package will need to add a build-dependency on the libselinux1-dev package. Changes by Eugene Konev: Do not impose selinux on the whole world out there: move selinux specific changes from config/cf/Imake.tmpl to programs/xdm/Imakefile, as xdm is the only program affected by this patch. Not submitted upstream to XFree86 or X.Org.
Index: xc/config/cf/linux.cf
===================================================================
--- xc-old/config/cf/linux.cf 2005-07-21 03:33:06.000000000 +0800
+++ xc/config/cf/linux.cf 2005-07-21 03:34:00.000000000 +0800
@@ -1114,3 +1114,57 @@
 #ifndef XFree86ServerOSDefines
 # define XFree86ServerOSDefines
 #endif
+
+/*
+ * SELinux support
+ */
+#ifndef HasSELinux
+# define HasSELinux YES
+#endif
+
+#ifndef SELinuxDefines
+# if HasSELinux
+# define SELinuxDefines -DHAVE_SELINUX
+# else
+# define SELinuxDefines /**/
+# endif
+#endif
+
+#ifndef SELinuxIncludeFlags
+# if HasSELinux
+# define SELinuxIncludeFlags -I/usr/include/selinux
+# else
+# define SELinuxIncludeFlags /**/
+# endif
+#endif
+
+#ifndef SELinuxCompileFlags
+# define SELinuxCompileFlags /**/
+#endif
+
+#ifndef SELinuxLoadFlags
+# define SELinuxLoadFlags SELinuxCompileFlags
+#endif
+
+#ifndef SELinuxLibraries
+# if HasSELinux
+# define SELinuxLibraries -lselinux
+# else
+# define SELinuxLibraries /**/
+# endif
+#endif
+
+#if HasSELinux
+# ifndef SELINUX_LDFLAGS
+ SELINUX_LDFLAGS = SELinuxLoadFlags
+# endif
+# ifndef SELINUX_INCLUDES
+ SELINUX_INCLUDES = SELinuxIncludeFlags
+# endif
+# ifndef SELINUX_CFLAGS
+ SELINUX_CFLAGS = SELinuxCompileFlags SELinuxDefines
+# endif
+# ifndef SELINUX_LIBS
+ SELINUX_LIBS = SELinuxLibraries
+# endif
+#endif
Index: xc/programs/xdm/session.c
===================================================================
--- xc-old/programs/xdm/session.c 2005-07-21 03:33:06.000000000 +0800
+++ xc/programs/xdm/session.c 2005-07-21 03:34:00.000000000 +0800
@@ -61,6 +61,11 @@
 # include <krb5/krb5.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
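Review bot: The new `#ifndef HasSELinux` block in linux.cf defaults to `# define HasSELinux YES`, which contradicts the patch description: it says the support has to be switched on explicitly with -DHasSELinux=YES and is otherwise a no-op, but with this default every Linux build that does not override the symbol gets -DHAVE_SELINUX and -lselinux, i.e. an unconditional build-time dependency of xdm on libselinux (unless a distribution section earlier in linux.cf, outside this hunk, already defines it). If opt-in is the intent, the default should read `# define HasSELinux NO`, with distributions setting YES in their own section of linux.cf as the description suggests. Whichever is intended, a one-line comment next to the default, e.g. `/* Off by default; distributions opt in with -DHasSELinux=YES or in their section below. */`, would make the choice reviewable later.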
@@ -68,6 +73,34 @@
 # endif
 #endif
 
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( ! is_selinux_enabled ())
+ return TRUE;
+
+ if (get_default_context((char*) login,0, &scontext) < 0) {
+ LogError ("SELinux: unable to obtain default security context for %s\n",
+ login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s\n",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
 static int runAndWait (char **args, char **environ);
 
 #if defined(CSRG_BASED) || defined(__osf__) || defined(__DARWIN__) || defined(__QNXNTO__) || defined(sun) || defined(__GLIBC__)
@@ -726,6 +759,17 @@
 #endif /* K5AUTH */
 bzero(passwd, strlen(passwd));
 SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+ * For Security Enhanced Linux:
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
 home = getEnv (verify->userEnviron, "HOME");
 if (home)
 if (chdir (home) == -1) {
Index: xc/programs/xdm/Imakefile
===================================================================
--- xc-old/programs/xdm/Imakefile 2005-07-21 03:33:06.000000000 +0800
+++ xc/programs/xdm/Imakefile 2005-07-21 03:34:00.000000000 +0800
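Review bot: In xdm_selinux_setup the setexeccon failure branch calls `freecon (scontext)` and then passes `(char *)scontext` to LogError, so the log message is formatted from memory that has just been freed. Swap the two statements so the context is logged first: `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext);` followed by `freecon (scontext);`. The function also returns TRUE silently when is_selinux_enabled() is false, which is the intended no-op on non-SELinux kernels but is only implied by the inline comment; the header comment should state the contract, e.g. `/* Returns TRUE when SELinux is disabled or the exec context was set; FALSE means the session must not be started. */`.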
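Review bot: The `return (0);` after `exit (UNMANAGE_DISPLAY);` in the new HAVE_SELINUX block is unreachable, and the error message omits the user name that the two messages inside xdm_selinux_setup include, so the log lines cannot be correlated; `LogError ("failed to set security context for %s\n", name);` would fix that. Aborting the child here instead of continuing to the exec is the right fail-closed choice, since falling through would start the session with whatever context the policy's default transition yields rather than the one chosen for the user; a comment such as `/* Fail closed: never exec the session without the user's security context. */` would preserve that rationale. The enclosing function starts and ends outside the hunk, so I cannot see from here whether any PAM or authorization state opened earlier needs to be torn down before exit() — presumably the existing exit paths in this function answer that.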
@@ -200,12 +200,13 @@
 XDMCONFIGDIR = XdmConfigurationSubdirectory
 SUBDIRS = $(GREET_DIR) $(XDMCONFIGDIR)
-INCLUDES = $(KRB5_INCLUDE)
+INCLUDES = $(KRB5_INCLUDE) $(SELINUX_INCLUDES)
 DEPLIBS = $(DEPXMULIB) $(DEPXTOOLLIB) $(DEPXLIB) $(DEPXAUTHLIB) \
 $(DEPXDMCPLIB) $(XINDEPLIBS)
+LOCAL_LDFLAGS = $(SELINUX_LDFLAGS)
 LOCAL_LIBRARIES = $(GREETLIBS) $(XMULIB) $(XTOOLLIB) $(XLIB) $(XAUTHLIB) \
 $(XDMCPLIB) $(RPCLIB) $(PAM_LIBRARIES) $(DLLIBRARY) \
- $(CRYPT_LIBRARIES) $(KRBIVLIB) $(XINLIBS)
+ $(CRYPT_LIBRARIES) $(KRBIVLIB) $(XINLIBS) $(SELINUX_LIBS)
 SRCS1 = auth.c daemon.c server.c dpylist.c dm.c error.c file.c \
 netaddr.c reset.c resource.c protodpy.c policy.c \
@@ -330,6 +331,7 @@
 SpecialCObjectRule(socket,$(ICONFIGFILES),$(SOCK_DEFINES))
 SpecialCObjectRule(xdmcp,$(ICONFIGFILES),$(SOCK_DEFINES))
 SpecialCObjectRule(xdmshell,$(ICONFIGFILES),$(VFORK_DEFINES))
+SpecialCObjectRule(session,,$(SELINUX_CFLAGS))
 #if !SharedLibXdmGreet
 LinkSourceFile(greet.c,greeter)