the attached patch to kdm/backends/client.c has been updated, but is not relevant _if_ the line:

    session required pam_selinux.so

is added to /etc/pam.d/kdm.

l.

-- 
-- 
expecting email to be received and understood is a bit like picking up the telephone and immediately dialing without checking for a dial-tone; speaking immediately without listening for either an answer or ring-tone; hanging up immediately and believing that you have actually started a conversation.
-- 
<a href="http://lkcl.net"> lkcl.net </a> <br /> <a href="mailto:[EMAIL PROTECTED]"> [EMAIL PROTECTED] </a> <br />
--- ../client.c 2004-05-20 14:55:49.000000000 +0000
+++ kdm/backend/client.c 2004-05-20 08:51:43.000000000 +0000
@@ -45,6 +45,11 @@
 #include <pwd.h>
 #include <grp.h>
 
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 #ifdef SECURE_RPC
 # include <rpc/rpc.h>
 # include <rpc/key_prot.h>
@@ -1086,6 +1091,29 @@
 systemEnviron);
 
 /*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0)
+ {
+ security_context_t scontext;
+ if (p != NULL && p->pw_name != NULL &&
+ get_default_context(p->pw_name,NULL,&scontext))
+ {
+ LogError("Failed to get default security context for %s.", curuser);
+ SessionExit (EX_NORMAL);
+ }
+ Debug("setting security context to %s", scontext);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ LogError("Failed to set exec security context %s for %s.", scontext, curuser);
+ SessionExit (EX_NORMAL);
+ }
+ freecon(scontext);
+ }
+#endif
+ /*
 * for user-based authorization schemes,
 * add the user to the server's allowed "hosts" list.
 */
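Review bot: In the second hunk, `scontext` is used uninitialised whenever `p` or `p->pw_name` is NULL: the `&&` chain then skips `get_default_context()`, the error branch is not taken, and the indeterminate pointer is passed to `Debug`, `setexeccon` and `freecon`, so the session start is undefined rather than refused. Invert the guard so a missing passwd entry fails closed: `if (p == NULL || p->pw_name == NULL || get_default_context(p->pw_name, NULL, &scontext))`. In the `setexeccon` failure branch, `freecon(scontext);` runs before `LogError(...)` formats `scontext`, which is a use-after-free; move the `freecon` call below the `LogError` call. The enclosing function starts and ends outside the hunk, so whether `p` can actually be NULL at this point cannot be confirmed from the visible lines.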