Package: xdm Version: 1:1.1.8-3 Severity: normal The SE Linux patch was written for an older release of SE Linux and doesn't work properly with the latest code base (gets the wrong login context).
Below is a modified patch to make it work correctly. Could you please build with this patch ASAP so we can try and get it into Lenny?
# HG changeset patch
# User [EMAIL PROTECTED]
# Node ID 4403c371616cc416a83156451f1afd293aff0e16
# Parent 28b3145223134d9d9a32202d0bae2036572e560a
Ported 099s_selinux_support.diff (changes: remove Imakefile hunks, add --with-selinux flag to configure.ac. Updated to latest SE Linux code by Russell Coker 3rd Aug 2008
diff -ru xdm-1.1.8-prese/configure.ac xdm-1.1.8/configure.ac
--- xdm-1.1.8-prese/configure.ac 2008-05-22 04:24:55.000000000 +1000
+++ xdm-1.1.8/configure.ac 2008-08-03 07:37:02.000000000 +1000
@@ -116,6 +116,23 @@
 fi])
 fi
+use_selinux_default=no
+# Check for selinux support
+AC_ARG_WITH(selinux, AC_HELP_STRING([--with-selinux],[Add support for selinux]),
+ [USE_SELINUX=$withval], [USE_SELINUX=$use_selinux_default])
+if test "x$USE_SELINUX" != "xno" ; then
+ old_LIBS="$LIBS"
+ LIBS=""
+ AC_SEARCH_LIBS(is_selinux_enabled,[selinux])
+ AC_CHECK_FUNC(is_selinux_enabled,
+ [AC_DEFINE(HAVE_SELINUX,1,[Add support for selinux])],
+ [if test "x$USE_SELINUX" != "xtry" ; then
+ AC_MSG_ERROR(["selinux support requested, but is_selinux_enabled not found."])
+ fi])
+ XDM_LIBS="$XDM_LIBS $LIBS"
+ LIBS="$old_LIBS"
+fi
+
 # FIXME: Find better test for which OS'es use su -m - for now, just try to
 # mirror the Imakefile setting of:
 # if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
diff -ru xdm-1.1.8-prese/session.c xdm-1.1.8/session.c
--- xdm-1.1.8-prese/session.c 2008-08-03 07:36:02.000000000 +1000
+++ xdm-1.1.8/session.c 2008-08-03 08:16:22.000000000 +1000
@@ -36,6 +36,10 @@
 * session.c
 */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include "dm.h"
 #include "dm_auth.h"
 #include "dm_error.h"
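Review bot: The configure.ac probe tests only `is_selinux_enabled`, while the session.c code in this same patch also calls `getseuserbyname`, `get_default_context_with_level`, `setexeccon` and `freecon` and includes `<selinux/get_context_list.h>`. A libselinux that provides the first symbol but not the newer ones would pass configure and then fail at compile or link time; probing the newest call as well, for example `AC_CHECK_FUNCS([getseuserbyname get_default_context_with_level])` before defining `HAVE_SELINUX`, would surface that at configure time. Two points of style: `AC_MSG_ERROR(["..."])` prints the literal double quotes in the message, and `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`.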
@@ -70,6 +74,11 @@
 #include <prot.h>
 #endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
@@ -77,6 +86,39 @@
 # endif
 #endif
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( is_selinux_enabled () <= 0)
+ return TRUE;
+
+ if (getseuserbyname(login, &seuser, &level) == 0)
+ ret=get_default_context_with_level(seuser, level, 0, &scontext);
+ if (ret < 0 || scontext == NULL) {
+ LogError ("SELinux: unable to obtain default security context for %s\n", login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s\n",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
 static int runAndWait (char **args, char **environ);
 #ifdef HAVE_GRP_H
@@ -785,6 +827,17 @@
 bzero(passwd, strlen(passwd));
 SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+ * For Security Enhanced Linux:
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
 home = getEnv (verify->userEnviron, "HOME");
 if (home)
 if (chdir (home) == -1) {
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
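Review bot: In the `setexeccon` failure branch of `xdm_selinux_setup`, `freecon (scontext)` runs before `LogError` formats `scontext` with `%s`, so the log call reads memory that has already been released; the branch should log first and free afterwards, i.e. `LogError (...); freecon (scontext); return FALSE;`. The `seuser` and `level` strings filled in by `getseuserbyname` are never released on any path; `free (seuser); free (level);` belongs right after the `get_default_context_with_level` call. The early `is_selinux_enabled () <= 0` test also maps a negative (error) result to "disabled" and returns `TRUE`, so a failure to query SELinux state lets the session start without a context; treating `< 0` as `return FALSE` with a log line would fail closed. Initialising `scontext` to `NULL` at its declaration would keep the `scontext == NULL` test well defined if the condition is ever reordered.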
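Review bot: `return (0);` immediately after `exit (UNMANAGE_DISPLAY);` in the new `#ifdef HAVE_SELINUX` block is unreachable and can be dropped. The enclosing function starts and ends outside this hunk, so it is not visible how its other failure paths report errors or what the parent does with this exit status. It is worth confirming that `UNMANAGE_DISPLAY` is intended: if the parent acts on it, one account without a usable context mapping would take the whole display out of service rather than just reject that login. Including the user name in the log line, `LogError ("failed to set security context for %s\n", name);`, would make the failure easier to trace.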