Package: kdm Severity: wishlist
this is pretty much it, believe it or not. of course configure --enable-selinux is required (in debian/rules). the debian package should have --enable-selinux ON by default. if you are considering _not_ applying this patch, then consider this: a large number of packages have already accepted, upstream, the selinux patches, including logrotate and gdm. therefore, libselinux, like libacl, is pretty much going to become a part of the base linux install. also, the patch has ZERO effect on a system which has neither selinux enabled at boot-time nor selinux compiled/modules _in_ the kernel.
--- client.c.old 2004-05-19 07:40:58.000000000 +0000
+++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
@@ -44,6 +44,12 @@
 #include <sys/stat.h>
 #include <pwd.h>
 #include <grp.h>
+
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 #ifdef SECURE_RPC
 # include <rpc/rpc.h>
 # include <rpc/key_prot.h>
@@ -1085,6 +1091,24 @@
 systemEnviron);
 /*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled())
+ {
+ security_context_t scontext;
+ if (get_default_context(name,NULL,&scontext))
+ LogError("Failed to get default security context for %s.", name);
+ Debug("setting security context to %s", scontext);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ LogError("Failed to set exec security context %s for %s.", scontext, name);
+ }
+ freecon(scontext);
+ }
+#endif
+ /*
 * for user-based authorization schemes,
 * add the user to the server's allowed "hosts" list.
 */
--- configure.in.in.old 2004-05-19 07:43:37.000000000 +0000
+++ configure.in.in 2004-05-19 07:18:15.000000000 +0000
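Review bot: In the kdm/backend/client.c hunk at -1085, a failing get_default_context() is only logged, after which the uninitialised `scontext` is still passed to Debug(), setexeccon() and freecon(). The setexeccon() error path frees `scontext`, then formats it into LogError(), then falls through to a second freecon() on the same pointer. Neither failure stops the login, so on an enforcing system the session would presumably be started under kdm's own context instead of the user's; the block should fail closed when security_getenforce() does not report permissive mode. The enclosing function starts and ends outside the hunk, so the way it reports failure has to be taken from the surrounding code.

```c
    if (is_selinux_enabled())
    {
        security_context_t scontext = NULL;
        int context_set = 0;

        if (get_default_context(name, NULL, &scontext))
            LogError("Failed to get default security context for %s.", name);
        else {
            Debug("setting security context to %s", scontext);
            if (setexeccon(scontext))
                /* log first: the message still reads scontext */
                LogError("Failed to set exec security context %s for %s.", scontext, name);
            else
                context_set = 1;
            freecon(scontext);  /* exactly one free, only after a successful lookup */
        }
        if (!context_set && security_getenforce() != 0) {
            /* enforcing, or state unknown: do not start the session in kdm's own
             * context; bail out here the way this function reports its other failures */
        }
    }
```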
@@ -197,3 +197,23 @@
 #endif
 ])
+AC_MSG_CHECKING(for SELinux support)
+AC_ARG_ENABLE(selinux,
+ AC_HELP_STRING([--enable-selinux], [enable SELinux support]),
+ [
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUX_LDFLAGS="-lselinux"
+ AC_DEFINE_UNQUOTED(HAVE_SELINUX_LIB, 1, [Define if libselinux is installed])
+ AC_DEFINE(WITH_SELINUX, 1, [Define if you want wdm to be compiled with SELinux support])
+ SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"
+ ],
+ [
+ AC_MSG_WARN([libselinux not found, compiling without SELinux support])
+ ])
+ ],
+ [
+ AC_MSG_RESULT(no)
+ ])
+AC_SUBST(SELINUX_LDFLAGS)
+AC_SUBST(SELINUX_CFLAGS)
+
--- Makefile.am.old 2004-05-19 07:46:07.000000000 +0000
+++ kdm/backend/Makefile.am 2004-05-19 07:18:31.000000000 +0000
@@ -8,6 +8,10 @@
 $(LIB_LIBS) $(KRB4_LIBS) $(KRB5_LIBS) $(LIBSOCKET) $(LIBRESOLV) \
 $(LIBUCB) $(LIBUTIL)
+CPPFLAGS = $(CPPFLAGS) $(SELINUX_CFLAGS)
+CFLAGS = $(CFLAGS) $(SELINUX_CFLAGS)
+LDFLAGS = $(LDFLAGS) $(SELINUX_LDFLAGS)
+
 bin_PROGRAMS = kdm
 kdm_SOURCES = \
 access.c \
-- System Information: Debian Release: testing/unstable Architecture: i386 Kernel: Linux highfield 2.6.6-selinux1 #5 Tue May 18 16:33:29 GMT 2004 i686 Locale: LANG=C, LC_CTYPE=C
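Review bot: The third argument of AC_ARG_ENABLE in the configure.in.in hunk runs whenever the option is given at all, so `--disable-selinux` and `--enable-selinux=no` also take the "yes" branch and switch the feature on; guard the body with `if test "x$enableval" != xno; then ... fi`. When the option is requested and AC_CHECK_LIB fails, the script only warns and builds a kdm without the context transition, which is a silent loss of a security control; `AC_MSG_ERROR([--enable-selinux requested but libselinux not found])` is the safer outcome. The AC_DEFINE description still says "wdm", and WITH_SELINUX ends up defined twice, once by AC_DEFINE and once by `-DWITH_SELINUX` in SELINUX_CFLAGS.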
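Review bot: `CPPFLAGS = $(CPPFLAGS) $(SELINUX_CFLAGS)` and the two lines after it in the kdm/backend/Makefile.am hunk define each variable in terms of itself with a recursive `=`, which GNU make rejects as a self-referencing variable when it is expanded; they also overwrite the user-reserved CPPFLAGS, CFLAGS and LDFLAGS. The flags belong in the automake-owned variables, e.g. `AM_CPPFLAGS = $(SELINUX_CFLAGS)` or an addition to whatever include variable this file already sets. `$(SELINUX_LDFLAGS)` should be appended to the library list that ends just above the added lines, presumably kdm_LDADD, so that `-lselinux` follows the objects on the link line. That list begins outside the hunk, so its variable name needs confirming against the full file.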