fix selinux context after forking session
This should fix unlock on dwalsh's machine
parent
4c7ea00eb6
commit
1504793eaa
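--- a/fix-selinux-context.patch
+++ b/fix-selinux-context.patch
@@ -0,0 +1,116 @@
+From fd4291d5e4e811a0e484a06d88509f4adfed6a90 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Thu, 6 Sep 2012 17:01:03 -0400
+Subject: [PATCH 1/2] configure: check for selinux again
+
+This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.
+---
+configure.ac | 9 +++++++++
+1 file changed, 9 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 5283845..af31719 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -142,6 +142,14 @@ AC_SUBST(UPOWER)
+AC_SUBST(UPOWER_CFLAGS)
+AC_SUBST(UPOWER_LIBS)
+
++PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)
++
++if test "x$have_selinux" = "xyes" ; then
++ AC_DEFINE(HAVE_SELINUX, 1, [Define if have selinux])
++fi
++AC_SUBST(LIBSELINUX_CFLAGS)
++AC_SUBST(LIBSELINUX_LIBS)
++
+PKG_CHECK_MODULES(SIMPLE_GREETER,
+gtk+-3.0 >= $GTK_REQUIRED_VERSION
+fontconfig >= $FONTCONFIG_REQUIRED_VERSION
+@@ -1595,6 +1603,7 @@ fi
+echo \
+" Xinerama support: ${XINERAMA_SUPPORT}
+XDMCP support: ${XDMCP_SUPPORT}
++ SELinux support: ${have_selinux}
+ConsoleKit support: ${use_console_kit}
+systemd support: ${use_systemd}
+systemd unit dir: ${with_systemdsystemunitdir}
+--
+1.7.12
+
+
+From d4dbdc8c5a5703f205540d0c39459e1a06faf458 Mon Sep 17 00:00:00 2001
+From: Ray Strode <rstrode@redhat.com>
+Date: Thu, 6 Sep 2012 17:14:06 -0400
+Subject: [PATCH 2/2] daemon: reset exec context after fork()
+
+When pam_open_session finishes, the session worker
+is set up such that the next fork()/exec() may transition the
+user to a user specific context (such as staff_t).
+
+This makes sense for the first fork()/exec() (which is the user
+login), but the worker may fork()/exec() other workers after login
+for unlock operations. These workers need to run in a gdm context
+not a user context.
+
+This commit changes gdm-session-worker to manually reset the exec()
+context after the first fork().
+
+https://bugzilla.gnome.org/show_bug.cgi?id=683426
+---
+daemon/Makefile.am | 2 ++
+daemon/gdm-session-worker.c | 11 +++++++++++
+2 files changed, 13 insertions(+)
+
+diff --git a/daemon/Makefile.am b/daemon/Makefile.am
+index 8d0cf5e..bb84765 100644
+--- a/daemon/Makefile.am
++++ b/daemon/Makefile.am
+@@ -27,6 +27,7 @@ AM_CPPFLAGS = \
+$(WARN_CFLAGS) \
+$(DEBUG_CFLAGS) \
+$(SYSTEMD_CFLAGS) \
++ $(LIBSELINUX_CFLAGS) \
+-DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\" \
+$(NULL)
+
+@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = \
+$(top_builddir)/common/libgdmcommon.la \
+$(DAEMON_LIBS) \
+$(SYSTEMD_LIBS) \
++ $(LIBSELINUX_LIBS) \
+$(NULL)
+
+sbin_PROGRAMS = \
+diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
+index 190123d..1ccc0b7 100644
+--- a/daemon/gdm-session-worker.c
++++ b/daemon/gdm-session-worker.c
+@@ -46,6 +46,10 @@
+#include <systemd/sd-daemon.h>
+#endif
+
++#ifdef HAVE_SELINUX
++#include <selinux/selinux.h>
++#endif /* HAVE_SELINUX */
++
+#include "gdm-common.h"
+#include "gdm-log.h"
+#include "gdm-session-worker.h"
+@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker *worker,
+_exit (127);
+}
+
++ /* If we end up execing again, make sure we don't use the executable context set up
++ * by pam_selinux durin pam_open_session
++ */
++#ifdef HAVE_SELINUX
++ setexeccon (NULL);
++#endif
++
+worker->priv->child_pid = session_pid;
+
+g_debug ("GdmSessionWorker: session opened creating reply...");
+--
+1.7.12
+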
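Review bot: The `setexeccon (NULL);` call added to gdm_session_worker_start_session discards its return value, so if the reset fails the worker keeps the exec context that pam_selinux set and any later fork()/exec() for unlock would still transition into the user's domain, with nothing logged. I would check the result and report it, e.g. `if (setexeccon (NULL) < 0) g_warning ("GdmSessionWorker: could not reset SELinux exec context: %s", g_strerror (errno));`, and consider guarding the call with `is_selinux_enabled () > 0` so that a HAVE_SELINUX build running on a host with SELinux disabled does not warn spuriously. The comment above the call has a typo, `durin` for `during`. The function body starts and ends outside the hunk, so whether errno.h is already included and how other failures in this function are reported should be confirmed there.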
3
gdm.spec
@ -98,6 +98,7 @@ Obsoletes: gdm-plugin-fingerprint < 1:3.2.1
|
||||
Provides: gdm-plugin-fingerprint = %{epoch}:%{version}-%{release}
|
||||
|
||||
Patch0: fix-auto-login.patch
|
||||
Patch1: fix-selinux-context.patch
|
||||
|
||||
%package libs
|
||||
Summary: Client-side library to talk to gdm
|
||||
@ -127,6 +128,7 @@ Development files and headers for writing GDM greeters.
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .fix-autologin
|
||||
%patch1 -p1 -b .fix-selinux-context
|
||||
|
||||
autoreconf -i -f
|
||||
intltoolize -f
|
||||
@ -359,6 +361,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
|
||||
%changelog
|
||||
* Fri Sep 07 2012 Ray Strode <rstrode@redhat.com> 1:3.5.91-2
|
||||
- Fix autologin
|
||||
- Fix selinux context after forking session
|
||||
|
||||
* Thu Sep 06 2012 Richard Hughes <hughsient@gmail.com> - 1:3.5.91-1
|
||||
- Update to 3.5.91
|
||||
|
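Review bot: None of the three gdm.spec hunks adds a build dependency on libselinux, and the configure check that the new patch introduces falls back to `have_selinux=no` rather than failing, so a build root without the libselinux headers would produce a package in which the setexeccon() reset is silently compiled out. If the BuildRequires list (outside these hunks) does not already pull it in, add `BuildRequires: libselinux-devel` next to the other build dependencies. The `SELinux support:` line that the patch adds to the configure summary is the place to confirm the result in the build log.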