Looks like a cleaner implementation than the earlier one. I take it
AC_CHECK_HEADER is not anymore needed to detect selinux.h, but why exactly?
Besides that I give this one an ACK.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
> Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com>
> ---
> configure.ac | 35 +++++++++++++++--------------------
> src/openvpn/Makefile.am | 1 +
> src/openvpn/init.c | 4 ++--
> src/openvpn/options.c | 6 +++---
> src/openvpn/options.h | 2 +-
> src/openvpn/syshead.h | 2 +-
> 6 files changed, 23 insertions(+), 27 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index 98615c6..2388f17 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -215,7 +215,7 @@ AC_ARG_ENABLE(
>
> AC_ARG_ENABLE(
> [selinux],
> - [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
> + [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
> ,
> [enable_selinux="no"]
> )
> @@ -619,6 +619,13 @@ AC_CHECK_LIB(
> )
> AC_SUBST([SOCKETS_LIBS])
>
> +AC_CHECK_LIB(
> + [selinux],
> + [setcon],
> + [SELINUX_LIBS="-lselinux"]
> +)
> +AC_SUBST([SELINUX_LIBS])
> +
> case "${with_mem_check}" in
> valgrind)
> AC_CHECK_HEADER(
> @@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
> fi
> fi
>
> -dnl
> -dnl check for SELinux library and headers
> -dnl
> -if test "${enable_selinux}" = "yes"; then
> - AC_CHECK_HEADER(
> - [selinux/selinux.h],
> - [AC_CHECK_LIB(
> - [selinux],
> - [setcon],
> - [
> - LIBS="${LIBS} -lselinux"
> - AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
> - ],
> - [AC_MSG_RESULT([SELinux library not found.])]
> - )],
> - [AC_MSG_ERROR([SELinux headers not found.])]
> - )
> -fi
> -
> if test -n "${SP_PLATFORM_WINDOWS}"; then
> AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
> AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"
> @@ -896,6 +884,12 @@ else
> fi
> fi
>
> +if test "${enable_selinux}" = "yes"; then
> + test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but
> missing])
> + OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
> + AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
> +fi
> +
> if test "${enable_pedantic}" = "yes"; then
> enable_strict="yes"
> CFLAGS="${CFLAGS} -ansi -pedantic"
> @@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
> AC_SUBST([TAP_WIN_MIN_MINOR])
>
> AC_SUBST([OPTIONAL_DL_LIBS])
> +AC_SUBST([OPTIONAL_SELINUX_LIBS])
>
> AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>
> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
> index 86abd09..a3f8b3a 100644
> --- a/src/openvpn/Makefile.am
> +++ b/src/openvpn/Makefile.am
> @@ -97,6 +97,7 @@ openvpn_SOURCES = \
> cryptoapi.h cryptoapi.c
> openvpn_LDADD = \
> $(SOCKETS_LIBS) \
> + $(OPTIONAL_SELINUX_LIBS) \
> $(OPTIONAL_DL_LIBS)
> if WIN32
> openvpn_SOURCES += openvpn_win32_resources.rc
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index b8f57b2..0c995ff 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
> mstats_open(c->options.memstats_fn);
> #endif
>
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> /* Apply a SELinux context in order to restrict what OpenVPN can do
> * to _only_ what it is supposed to do after initialization is complete
> * (basically just network I/O operations). Doing it after chroot
> @@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
> msg (M_WARN, "WARNING: --ping should normally be used with
> --ping-restart or --ping-exit");
>
> if (o->username || o->groupname || o->chroot_dir
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> || o->selinux_context
> #endif
> )
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index d7f848e..4e95b83 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -316,7 +316,7 @@ static const char usage_message[] =
> "--user user : Set UID to user after initialization.\n"
> "--group group : Set GID to group after initialization.\n"
> "--chroot dir : Chroot to this directory after initialization.\n"
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> "--setcon context: Apply this SELinux context after initialization.\n"
> #endif
> "--cd dir : Change to this directory before initialization.\n"
> @@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
> SHOW_STR (groupname);
> SHOW_STR (chroot_dir);
> SHOW_STR (cd_dir);
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> SHOW_STR (selinux_context);
> #endif
> SHOW_STR (writepid);
> @@ -4525,7 +4525,7 @@ add_option (struct options *options,
> }
> options->cd_dir = p[1];
> }
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> else if (streq (p[0], "setcon") && p[1])
> {
> VERIFY_PERMISSION (OPT_P_GENERAL);
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> index 6af4b3a..57b88b7 100644
> --- a/src/openvpn/options.h
> +++ b/src/openvpn/options.h
> @@ -310,7 +310,7 @@ struct options
> const char *groupname;
> const char *chroot_dir;
> const char *cd_dir;
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> char *selinux_context;
> #endif
> const char *writepid;
> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
> index 1ad81d8..cac4757 100644
> --- a/src/openvpn/syshead.h
> +++ b/src/openvpn/syshead.h
> @@ -176,7 +176,7 @@
> #include <sys/epoll.h>
> #endif
>
> -#ifdef HAVE_SETCON
> +#ifdef ENABLE_SELINUX
> #include <selinux/selinux.h>
> #endif
>
