Looks like a cleaner implementation than the earlier one. I take it 
AC_CHECK_HEADER is no longer needed to detect selinux.h, but why exactly?

Besides that I give this one an ACK.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

> Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com>
> ---
>  configure.ac            |   35 +++++++++++++++--------------------
>  src/openvpn/Makefile.am |    1 +
>  src/openvpn/init.c      |    4 ++--
>  src/openvpn/options.c   |    6 +++---
>  src/openvpn/options.h   |    2 +-
>  src/openvpn/syshead.h   |    2 +-
>  6 files changed, 23 insertions(+), 27 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 98615c6..2388f17 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -215,7 +215,7 @@ AC_ARG_ENABLE(
>  
>  AC_ARG_ENABLE(
>       [selinux],
> -     [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
> +     [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
>       ,
>       [enable_selinux="no"]
>  )
> @@ -619,6 +619,13 @@ AC_CHECK_LIB(
>  )
>  AC_SUBST([SOCKETS_LIBS])
>  
> +AC_CHECK_LIB(
> +     [selinux],
> +     [setcon],
> +     [SELINUX_LIBS="-lselinux"]
> +)
> +AC_SUBST([SELINUX_LIBS])
> +
>  case "${with_mem_check}" in
>       valgrind)
>               AC_CHECK_HEADER(
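Review bot: The added AC_CHECK_LIB probe is a link test only, so a host that ships the libselinux shared library without its development headers gets SELINUX_LIBS set, passes the later `--enable-selinux` error check, and then fails at compile time on the `#include <selinux/selinux.h>` that this patch keeps under ENABLE_SELINUX in syshead.h. Gating the library probe on the header keeps the late error message truthful for both missing pieces: `AC_CHECK_HEADER([selinux/selinux.h], [AC_CHECK_LIB([selinux], [setcon], [SELINUX_LIBS="-lselinux"])])`. If you take this, the error text in the `--enable-selinux` branch should say `libselinux headers and library required but missing` so a packager knows which -dev package is absent.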
> @@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
>     fi
>  fi
>  
> -dnl
> -dnl check for SELinux library and headers
> -dnl
> -if test "${enable_selinux}" = "yes"; then
> -     AC_CHECK_HEADER(
> -             [selinux/selinux.h],
> -             [AC_CHECK_LIB(
> -                     [selinux],
> -                     [setcon],
> -                     [
> -                             LIBS="${LIBS} -lselinux"
> -                             AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
> -                     ],
> -                     [AC_MSG_RESULT([SELinux library not found.])]
> -             )],
> -             [AC_MSG_ERROR([SELinux headers not found.])]
> -     )
> -fi
> -
>  if test -n "${SP_PLATFORM_WINDOWS}"; then
>       AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
>       AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"
> @@ -896,6 +884,12 @@ else
>       fi
>  fi
>  
> +if test "${enable_selinux}" = "yes"; then
> +     test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but 
> missing])
> +     OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
> +     AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
> +fi
> +
>  if test "${enable_pedantic}" = "yes"; then
>       enable_strict="yes"
>       CFLAGS="${CFLAGS} -ansi -pedantic"
> @@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
>  AC_SUBST([TAP_WIN_MIN_MINOR])
>  
>  AC_SUBST([OPTIONAL_DL_LIBS])
> +AC_SUBST([OPTIONAL_SELINUX_LIBS])
>  
>  AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>  
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 86abd09..a3f8b3a 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -97,6 +97,7 @@ openvpn_SOURCES = \
>       cryptoapi.h cryptoapi.c
>  openvpn_LDADD = \
>       $(SOCKETS_LIBS) \
> +     $(OPTIONAL_SELINUX_LIBS) \
>       $(OPTIONAL_DL_LIBS)
>  if WIN32
>  openvpn_SOURCES += openvpn_win32_resources.rc
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index b8f57b2..0c995ff 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>       mstats_open(c->options.memstats_fn);
>  #endif
>  
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>        /* Apply a SELinux context in order to restrict what OpenVPN can do
>         * to _only_ what it is supposed to do after initialization is complete
>         * (basically just network I/O operations). Doing it after chroot
> @@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
>      msg (M_WARN, "WARNING: --ping should normally be used with 
> --ping-restart or --ping-exit");
>  
>    if (o->username || o->groupname || o->chroot_dir
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>        || o->selinux_context
>  #endif
>        )
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d7f848e..4e95b83 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -316,7 +316,7 @@ static const char usage_message[] =
>    "--user user     : Set UID to user after initialization.\n"
>    "--group group   : Set GID to group after initialization.\n"
>    "--chroot dir    : Chroot to this directory after initialization.\n"
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>    "--setcon context: Apply this SELinux context after initialization.\n"
>  #endif
>    "--cd dir        : Change to this directory before initialization.\n"
> @@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
>    SHOW_STR (groupname);
>    SHOW_STR (chroot_dir);
>    SHOW_STR (cd_dir);
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>    SHOW_STR (selinux_context);
>  #endif
>    SHOW_STR (writepid);
> @@ -4525,7 +4525,7 @@ add_option (struct options *options,
>       }
>        options->cd_dir = p[1];
>      }
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>    else if (streq (p[0], "setcon") && p[1])
>      {
>        VERIFY_PERMISSION (OPT_P_GENERAL);
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> index 6af4b3a..57b88b7 100644
> --- a/src/openvpn/options.h
> +++ b/src/openvpn/options.h
> @@ -310,7 +310,7 @@ struct options
>    const char *groupname;
>    const char *chroot_dir;
>    const char *cd_dir;
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>    char *selinux_context;
>  #endif
>    const char *writepid;
> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
> index 1ad81d8..cac4757 100644
> --- a/src/openvpn/syshead.h
> +++ b/src/openvpn/syshead.h
> @@ -176,7 +176,7 @@
>  #include <sys/epoll.h>
>  #endif
>  
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
>  #include <selinux/selinux.h>
>  #endif
>  

