Author: branden Date: 2005-01-12 14:56:03 -0500 (Wed, 12 Jan 2005) New Revision: 2133
Added: trunk/debian/patches/099s_selinux_support.diff Modified: trunk/debian/CHANGESETS trunk/debian/TODO trunk/debian/changelog Log: Add patch from Manoj Srivastava that implements support for SELinux in imake and xdm. (Note that this patch only adds source-level support, and does not actually enable it.) Thanks, Manoj! (Closes: #233551) Modified: trunk/debian/CHANGESETS =================================================================== --- trunk/debian/CHANGESETS 2005-01-12 07:11:51 UTC (rev 2132) +++ trunk/debian/CHANGESETS 2005-01-12 19:56:03 UTC (rev 2133) @@ -132,4 +132,9 @@ operational error, not a user-input error. 2128, 2129, 2130 +Add patch from Manoj Srivastava that implements support for SELinux in +imake and xdm. (Note that this patch only adds source-level support, and +does not actually enable it.) Thanks, Manoj! (Closes: #233551) + 2133 + vim:set ai et sts=4 sw=4 tw=80: Modified: trunk/debian/TODO =================================================================== --- trunk/debian/TODO 2005-01-12 07:11:51 UTC (rev 2132) +++ trunk/debian/TODO 2005-01-12 19:56:03 UTC (rev 2133) @@ -50,7 +50,6 @@ port. See <URL: http://lists.debian.org/debian-68k/2004/08/msg00392.html>. * #245541: Evaluate Sven Luther's driver DDK package patch: http://lists.debian.org/debian-x/2003/debian-x-200311/msg00002.html -* #233551: add SELinux support to xdm Post 4.3.0-1 ------------ Modified: trunk/debian/changelog =================================================================== --- trunk/debian/changelog 2005-01-12 07:11:51 UTC (rev 2132) +++ trunk/debian/changelog 2005-01-12 19:56:03 UTC (rev 2133) 
@@ -105,8 +105,12 @@ XOpenDisplay() fails. Being unable to connect to the X server is an operational error, not a user-input error. - -- Branden Robinson <[EMAIL PROTECTED]> Tue, 11 Jan 2005 01:17:16 -0500 + * Add patch from Manoj Srivastava that implements support for SELinux in + imake and xdm. (Note that this patch only adds source-level support, and + does not actually enable it.) Thanks, Manoj! (Closes: #233551) + -- Branden Robinson <[EMAIL PROTECTED]> Wed, 12 Jan 2005 14:54:44 -0500 + xfree86 (4.3.0.dfsg.1-10) unstable; urgency=medium * Upload urgency set to medium due to fix for stable-release-critical bugs Added: trunk/debian/patches/099s_selinux_support.diff =================================================================== --- trunk/debian/patches/099s_selinux_support.diff 2005-01-12 07:11:51 UTC (rev 2132) +++ trunk/debian/patches/099s_selinux_support.diff 2005-01-12 19:56:03 UTC (rev 2133) 
@@ -0,0 +1,186 @@ +$Id$ + +Add support for SELinux. Note that this patch only adds source-level +support, and does not actually enable it. + +This patch by Manoj Srivastava. As he notes in Debian #233551: + + As implemented, the patch merely provides a capability, which + has to be explicitly turned on at compile time with -DHasSELinux=YES. + If one does not compile with -DHasSELinux=YES, the patch is a no-op. + Since none of the code is compiled in, there is no change in + behaviour, nor is there any performance hit. + + If you do turn on the SELinux compatibility with -DHasSELinux, + you would need libselinux at build time. In other words, the + mainline X build does not build depend on SELinux; the dependency is + only invoked if you explicitly pass a parameter to imake. + + Even when SELinux compatibility is compiled in, on a non + SELinux kernel it is dead code; there is no change in functionality, + apart from a single check to see if SELinux is available at each + login. The SELinux code paths are not exercised on non-SELinux + kernels. + +The more permanent way to enable SELinux support is to #define HasSELinux +YES in the relevant distribution-specific section of linux.cf. If that is +done for Debian, the source package will need to add a build-dependency on +the libselinux1-dev package. + +Not submitted upstream to XFree86 or X.Org. 
+
+--- xc/config/cf/Imake.tmpl~ 2005-01-12 11:55:51.000000000 -0500
++++ xc/config/cf/Imake.tmpl 2005-01-12 11:56:26.000000000 -0500
+@@ -2033,17 +2033,21 @@
+ * EXTRA_INCLUDES contains project-specific includes set in project incfiles
+ * INCLUDES contains client-specific includes set in Imakefile
+ * LOCAL_LDFLAGS contains client-specific ld flags flags set in Imakefile
++ * SELINUX_INCLUDES contains SELinux-specific includes set in the appropriate .cf file
++ * SELINUX_LDFLAGS contains SELinux-specific ld flags set in the appropriate .cf file
++ * SELINUX_CFLAGS contains SELinux-specific compiler flags set in the .cf file
++ * SELINUX_LIBS contains SELinux-specific libraries to link with set in the .cf file
+ */
+- ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES)
++ ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES) $(SELINUX_INCLUDES)
+ ALLDEFINES = $(ALLINCLUDES) $(STD_DEFINES) $(PROTO_DEFINES) $(THREADS_DEFINES) $(MODULE_DEFINES) $(DEFINES) $(EXTRA_DEFINES)
+- CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
++ CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(SELINUX_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
+ LINTFLAGS = $(LINTOPTS) -DLINT $(ALLDEFINES) $(DEPEND_DEFINES)
+ LDPRELIB = LdPreLib $(INSTALLED_LIBS)
+ LDPOSTLIB = LdPostLib
+- LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
++ LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(SELINUX_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
+ CXXLDOPTIONS = $(CXXDEBUGFLAGS) $(CXXOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_CXXLDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
+
+- LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
++ LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SELINUX_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
+ #if HasBrokenCCForLink
+ CCLINK = LdCmd
+ #else
+---
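Review bot: `$(SELINUX_LDFLAGS)` is spliced into `LDOPTIONS` but not into the adjacent `CXXLDOPTIONS`, so a C++ program that picks up `$(SELINUX_LIBS)` through `LDLIBS` would be linked without the matching load flags; either add `$(SELINUX_LDFLAGS)` after `$(THREADS_CXXLDFLAGS)` in `CXXLDOPTIONS` too, or say in the new header comment that SELinux support is C-only. Nothing in this template gives the four `SELINUX_*` variables a default, so they rely on the platform .cf file (or make's empty expansion of an undefined variable) when SELinux is off; a sentence such as `* These are left undefined (hence empty) unless the platform .cf file sets HasSELinux` in the comment block would make that contract explicit.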
xc/config/cf/linux.cf~ 2005-01-12 11:55:59.000000000 -0500
++++ xc/config/cf/linux.cf 2005-01-12 11:56:26.000000000 -0500
+@@ -1036,3 +1036,57 @@
+ #ifndef XFree86ServerOSDefines
+ # define XFree86ServerOSDefines
+ #endif
++
++/*
++ * SELinux support
++ */
++#ifndef HasSELinux
++# define HasSELinux NO
++#endif
++
++#ifndef SELinuxDefines
++# if HasSELinux
++# define SELinuxDefines -DHAVE_SELINUX
++# else
++# define SELinuxDefines /**/
++# endif
++#endif
++
++#ifndef SELinuxIncludeFlags
++# if HasSELinux
++# define SELinuxIncludeFlags -I/usr/include/selinux
++# else
++# define SELinuxIncludeFlags /**/
++# endif
++#endif
++
++#ifndef SELinuxCompileFlags
++# define SELinuxCompileFlags /**/
++#endif
++
++#ifndef SELinuxLoadFlags
++# define SELinuxLoadFlags SELinuxCompileFlags
++#endif
++
++#ifndef SELinuxLibraries
++# if HasSELinux
++# define SELinuxLibraries -lselinux
++# else
++# define SELinuxLibraries /**/
++# endif
++#endif
++
++#if HasSELinux
++# ifndef SELINUX_LDFLAGS
++ SELINUX_LDFLAGS = SELinuxLoadFlags
++# endif
++# ifndef SELINUX_INCLUDES
++ SELINUX_INCLUDES = SELinuxIncludeFlags
++# endif
++# ifndef SELINUX_CFLAGS
++ SELINUX_CFLAGS = SELinuxCompileFlags SELinuxDefines
++# endif
++# ifndef SELINUX_LIBS
++ SELINUX_LIBS = SELinuxLibraries
++# endif
++#endif
+--- xc/programs/xdm/session.c~ 2005-01-12 11:56:06.000000000 -0500
++++ xc/programs/xdm/session.c 2005-01-12 12:01:56.000000000 -0500
+@@ -60,6 +60,11 @@
+ # include <krb5/krb5.h>
+ #endif
+
++#ifdef HAVE_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/get_context_list.h>
++#endif /* HAVE_SELINUX */
++
+ #ifndef GREET_USER_STATIC
+ # include <dlfcn.h>
+ # ifndef RTLD_NOW
+@@ -241,6 +246,34 @@
+ SessionExit (d, RESERVER_DISPLAY, TRUE);
+ }
+
++#ifdef HAVE_SELINUX
++/* This should be run just before we exec the user session. */
++static int
++xdm_selinux_setup (const char *login)
++{
++ security_context_t scontext;
++ /* If SELinux is not enabled, then we don't do anything. */
++ if ( ! 
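Review bot: `SELinuxIncludeFlags` defaults to `-I/usr/include/selinux`, but the session.c hunk in the same patch includes `<selinux/selinux.h>` and `<selinux/get_context_list.h>`, which resolve through the compiler's default `/usr/include` search path and not through that directory; the flag is therefore inert on Debian and, if anyone later points it at a non-default prefix, it must name the directory that contains the `selinux/` subdirectory, e.g. `# define SELinuxIncludeFlags /**/` with a comment that the headers are found under the system include path. The `SELINUX_*` make variables are only emitted under `#if HasSELinux`, so on a build with `HasSELinux NO` Imake.tmpl expands them as undefined (empty) variables; that is harmless for make but worth one comment line here so nobody "fixes" it by defining them empty in Imake.tmpl and breaking the override order.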
is_selinux_enabled ())
++ return TRUE;
++
++ if (get_default_context((char*) login,0, &scontext) < 0) {
++ LogError ("SELinux: unable to obtain default security context for %s\n",
++ login);
++ return FALSE;
++ }
++
++ if (setexeccon (scontext) != 0) {
++ freecon (scontext);
++ LogError ("SELinux: unable to set executable context %s\n",
++ (char *)scontext);
++ return FALSE;
++ }
++
++ freecon (scontext);
++ return TRUE;
++}
++#endif /* HAVE_SELINUX */
++
+ /*
+ * We need our own error handlers because we can't be sure what exit code Xlib
+ * will use, and our Xlib does exit(1) which matches REMANAGE_DISPLAY, which
+@@ -725,6 +758,17 @@
+ #endif /* K5AUTH */
+ bzero (passwd, strlen (passwd));
+ SetUserAuthorization (d, verify);
++#ifdef HAVE_SELINUX
++ /*
++ * For Security Enhanced Linux:
++ * set the default security context for this user.
++ */
++ if ( ! xdm_selinux_setup (name)) {
++ LogError ("failed to set security context\n");
++ exit (UNMANAGE_DISPLAY);
++ return (0);
++ }
++#endif /* HAVE_SELINUX */
+ home = getEnv (verify->userEnviron, "HOME");
+ if (home)
+ if (chdir (home) == -1) {
Property changes on: trunk/debian/patches/099s_selinux_support.diff
___________________________________________________________________
Name: svn:keywords
   + Id
-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
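Review bot: In the `setexeccon` failure branch of `xdm_selinux_setup`, `freecon (scontext)` runs before `LogError` formats `scontext` with `%s`, so the error message reads freed memory; log first and free afterwards: `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext); freecon (scontext); return FALSE;`. The guard `if ( ! is_selinux_enabled ())` treats a negative return (some libselinux versions report errors as -1) as "enabled" and then goes on to `get_default_context`, which will fail and unmanage the display; if that fail-closed behaviour is intended it deserves a comment, otherwise compare with `<= 0`. The `(char*) login` cast silently discards `const`; a one-line comment that this is only to match the libselinux prototype of the day would stop a future reader from thinking `login` is modified.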
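Review bot: The `return (0)` after `exit (UNMANAGE_DISPLAY)` in the new `HAVE_SELINUX` block is unreachable and should be dropped, and the `LogError ("failed to set security context\n")` only repeats what `xdm_selinux_setup` already logged, so it would be more useful as `LogError ("SELinux: cannot start session for %s\n", name);`. More importantly, `setexeccon` applies to the next `execve` of this process, so the comment above the call should state the invariant the placement depends on: no fork/exec may happen between this point and the session exec, and (presumably, since the uid switch is not visible in this hunk) the call runs after privileges have been dropped, so policy must grant the user's domain the `setexec` permission. Failing closed with `UNMANAGE_DISPLAY` is the right choice for a login manager, since continuing would likely start the session in whatever domain the xdm child already holds. The enclosing function starts and ends outside the hunk.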