Package: xdm
Version: 1:1.1.8-3
Severity: normal
The SE Linux patch was written for an older release of SE Linux and
doesn't work properly with the latest code base (gets the wrong
login context).
Below is a modified patch to make it work correctly.
Could you please build with this patch ASAP so we can try and get it
into Lenny?
# HG changeset patch
# User [EMAIL PROTECTED]
# Node ID 4403c371616cc416a83156451f1afd293aff0e16
# Parent 28b3145223134d9d9a32202d0bae2036572e560a
Ported 099s_selinux_support.diff (changes: remove Imakefile hunks, add
--with-selinux flag to configure.ac.
Updated to latest SE Linux code by Russell Coker 3rd Aug 2008
diff -ru xdm-1.1.8-prese/configure.ac xdm-1.1.8/configure.ac
--- xdm-1.1.8-prese/configure.ac2008-05-22 04:24:55.0 +1000
+++ xdm-1.1.8/configure.ac 2008-08-03 07:37:02.0 +1000
@@ -116,6 +116,23 @@
fi])
fi
+use_selinux_default=no
+# Check for selinux support
+AC_ARG_WITH(selinux, AC_HELP_STRING([--with-selinux],[Add support for
selinux]),
+ [USE_SELINUX=$withval], [USE_SELINUX=$use_selinux_default])
+if test x$USE_SELINUX != xno ; then
+ old_LIBS=$LIBS
+ LIBS=
+ AC_SEARCH_LIBS(is_selinux_enabled,[selinux])
+ AC_CHECK_FUNC(is_selinux_enabled,
+ [AC_DEFINE(HAVE_SELINUX,1,[Add support for selinux])],
+ [if test x$USE_SELINUX != xtry ; then
+ AC_MSG_ERROR([selinux support requested, but
is_selinux_enabled not found.])
+fi])
+ XDM_LIBS=$XDM_LIBS $LIBS
+ LIBS=$old_LIBS
+fi
+
# FIXME: Find better test for which OS'es use su -m - for now, just try to
# mirror the Imakefile setting of:
# if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) ||
defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
diff -ru xdm-1.1.8-prese/session.c xdm-1.1.8/session.c
--- xdm-1.1.8-prese/session.c 2008-08-03 07:36:02.0 +1000
+++ xdm-1.1.8/session.c 2008-08-03 08:16:22.0 +1000
@@ -36,6 +36,10 @@
* session.c
*/
+#ifdef HAVE_CONFIG_H
+# include config.h
+#endif
+
#include dm.h
#include dm_auth.h
#include dm_error.h
@@ -70,6 +74,11 @@
#include prot.h
#endif
+#ifdef HAVE_SELINUX
+#include selinux/selinux.h
+#include selinux/get_context_list.h
+#endif /* HAVE_SELINUX */
+
#ifndef GREET_USER_STATIC
# include dlfcn.h
# ifndef RTLD_NOW
@@ -77,6 +86,39 @@
# endif
#endif
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( is_selinux_enabled () = 0)
+ return TRUE;
+
+ if (getseuserbyname(login, seuser, level) == 0)
+ ret=get_default_context_with_level(seuser, level, 0, scontext);
+ if (ret 0 || scontext == NULL) {
+ LogError (SELinux: unable to obtain default security context
for %s\n, login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError (SELinux: unable to set executable context %s\n,
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
static int runAndWait (char **args, char **environ);
#ifdef HAVE_GRP_H
@@ -785,6 +827,17 @@
bzero(passwd, strlen(passwd));
SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+* For Security Enhanced Linux:
+* set the default security context for this user.
+*/
+ if ( ! xdm_selinux_setup (name)) {
+ LogError (failed to set security context\n);
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
home = getEnv (verify-userEnviron, HOME);
if (home)
if (chdir (home) == -1) {
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
