145 lines
3.9 KiB
Diff
145 lines
3.9 KiB
Diff
|
diff -up gdm-2.19.8/configure.ac.selinux gdm-2.19.8/configure.ac
|
||
|
diff -up gdm-2.19.8/daemon/slave.c.selinux gdm-2.19.8/daemon/slave.c
|
||
|
--- gdm-2.19.8/daemon/slave.c.selinux 2007-09-07 11:40:58.000000000 -0400
|
||
|
+++ gdm-2.19.8/daemon/slave.c 2007-09-07 12:21:37.000000000 -0400
|
||
|
@@ -89,7 +89,6 @@
|
||
|
|
||
|
#ifdef HAVE_SELINUX
|
||
|
#include <selinux/selinux.h>
|
||
|
-#include <selinux/get_context_list.h>
|
||
|
#endif /* HAVE_SELINUX */
|
||
|
|
||
|
#include <glib/gi18n.h>
|
||
|
@@ -172,6 +171,10 @@ static uid_t logged_in_uid =
|
||
|
static gid_t logged_in_gid = -1;
|
||
|
#endif
|
||
|
|
||
|
+#ifdef HAVE_SELINUX
|
||
|
+security_context_t logged_in_context = NULL;
|
||
|
+#endif
|
||
|
+
|
||
|
static int greeter_fd_out = -1;
|
||
|
static int greeter_fd_in = -1;
|
||
|
|
||
|
@@ -2036,6 +2039,7 @@ restart_the_greeter (void)
|
||
|
gdm_slave_sensitize_config ();
|
||
|
}
|
||
|
|
||
|
+
|
||
|
static gboolean
|
||
|
play_login_sound (const char *sound_file)
|
||
|
{
|
||
|
@@ -3519,48 +3523,6 @@ open_xsession_errors (struct passwd *pwe
|
||
|
return logfd;
|
||
|
}
|
||
|
|
||
|
-#ifdef HAVE_SELINUX
|
||
|
-/* This should be run just before we exec the user session */
|
||
|
-static gboolean
|
||
|
-gdm_selinux_setup (const char *login)
|
||
|
-{
|
||
|
- security_context_t scontext;
|
||
|
- int ret=-1;
|
||
|
- char *seuser=NULL;
|
||
|
- char *level=NULL;
|
||
|
-
|
||
|
- /* If selinux is not enabled, then we don't do anything */
|
||
|
- if (is_selinux_enabled () <= 0)
|
||
|
- return TRUE;
|
||
|
-
|
||
|
- if (getseuserbyname(login, &seuser, &level) == 0)
|
||
|
- ret=get_default_context_with_level(seuser, level, 0, &scontext);
|
||
|
-
|
||
|
- if (ret < 0) {
|
||
|
- gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
|
||
|
- /* note that this will be run when the .xsession-errors
|
||
|
- is already being logged, so we can use stderr */
|
||
|
- gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
|
||
|
- return (security_getenforce()==0);
|
||
|
- }
|
||
|
-
|
||
|
- gdm_assert (scontext != NULL);
|
||
|
-
|
||
|
- if (setexeccon (scontext) != 0) {
|
||
|
- gdm_error ("SELinux gdm login: unable to set executable context %s.",
|
||
|
- (char *)scontext);
|
||
|
- gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
|
||
|
- (char *)scontext);
|
||
|
- freecon (scontext);
|
||
|
- return (security_getenforce()==0);
|
||
|
- }
|
||
|
-
|
||
|
- freecon (scontext);
|
||
|
-
|
||
|
- return TRUE;
|
||
|
-}
|
||
|
-#endif /* HAVE_SELINUX */
|
||
|
-
|
||
|
static void
|
||
|
session_child_run (struct passwd *pwent,
|
||
|
int logfd,
|
||
|
@@ -3801,6 +3763,10 @@ session_child_run (struct passwd *pwent,
|
||
|
close (iceauth_fd);
|
||
|
}
|
||
|
|
||
|
+#ifdef HAVE_SELINUX
|
||
|
+ setexeccon (logged_in_context);
|
||
|
+#endif
|
||
|
+
|
||
|
NEVER_FAILS_setegid (pwent->pw_gid);
|
||
|
#ifdef HAVE_LOGINCAP
|
||
|
if (setusercontext (NULL, pwent, pwent->pw_uid,
|
||
|
@@ -4046,16 +4012,6 @@ session_child_run (struct passwd *pwent,
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
-#ifdef HAVE_SELINUX
|
||
|
- if ( ! gdm_selinux_setup (pwent->pw_name)) {
|
||
|
- /* 66 means no "session crashed" examine .xsession-errors
|
||
|
- dialog */
|
||
|
- gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
|
||
|
- _("Error! Unable to set executable context."));
|
||
|
- _exit (66);
|
||
|
- }
|
||
|
-#endif
|
||
|
-
|
||
|
g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
|
||
|
VE_IGNORE_EINTR (execv (argv[0], argv));
|
||
|
g_strfreev (argv);
|
||
|
@@ -4741,6 +4697,11 @@ gdm_slave_session_start (void)
|
||
|
|
||
|
NEVER_FAILS_root_set_euid_egid (0, gdm_daemon_config_get_gdmgid ());
|
||
|
|
||
|
+#ifdef HAVE_SELINUX
|
||
|
+ getexeccon (&logged_in_context);
|
||
|
+ setexeccon (NULL);
|
||
|
+#endif
|
||
|
+
|
||
|
if G_UNLIKELY ( ! authok) {
|
||
|
gdm_debug ("gdm_slave_session_start: Auth not OK");
|
||
|
|
||
|
@@ -5009,6 +4970,10 @@ gdm_slave_session_stop (gboolean run_pos
|
||
|
seteuid (0);
|
||
|
setegid (0);
|
||
|
|
||
|
+#ifdef HAVE_SELINUX
|
||
|
+ setexeccon (NULL);
|
||
|
+#endif
|
||
|
+
|
||
|
gdm_slave_send_num (GDM_SOP_SESSPID, 0);
|
||
|
|
||
|
/* Now still as root make the system authfile not readable by others,
|
||
|
@@ -5069,6 +5034,12 @@ gdm_slave_session_stop (gboolean run_pos
|
||
|
logged_in_uid = -1;
|
||
|
logged_in_gid = -1;
|
||
|
|
||
|
+#ifdef HAVE_SELINUX
|
||
|
+ setexeccon (logged_in_context);
|
||
|
+ freecon (logged_in_context);
|
||
|
+ logged_in_context = NULL;
|
||
|
+#endif
|
||
|
+
|
||
|
/* things are going to be killed, so ignore errors */
|
||
|
XSetErrorHandler (ignore_xerror_handler);
|
||
|
|