- make things work better for xguest users (bug 254164)

2007-09-07 16:22:15 +00:00 · 2007-09-07 16:22:15 +00:00 · 949e4f18a9
commit 949e4f18a9
parent 72c9bdbc37
3 changed files with 148 additions and 139 deletions
--- a/gdm-2.19.6-selinux.patch
+++ b/gdm-2.19.6-selinux.patch
@ -1,138 +0,0 @@
-diff -up gdm-2.19.6/configure.ac.selinux gdm-2.19.6/configure.ac
--- gdm-2.19.6/configure.ac.selinux	2007-08-24 11:25:38.000000000 -0400
-+++ gdm-2.19.6/configure.ac	2007-08-24 11:25:54.000000000 -0400
-@@ -72,8 +72,6 @@ AC_ARG_WITH(dmx,
-   [  --with-dmx=[auto/yes/no]  Add DMX (Distributed Multihead X) support [default=auto]],,
-   with_dmx=auto)
- 
-AC_ARG_WITH(selinux, [  --with-selinux  Add SELinux support])
-
- AC_ARG_WITH(console-kit,
-   [  --with-console-kit=[auto/yes/no]  Add ConsoleKit support [default=auto]],,
-   with_console_kit=auto)
-@@ -805,30 +803,6 @@ fi
- 
- 
- #
-# SELinux stuff
-#
-if test "x$with_selinux" = "xyes" ; then
-	echo "SELinux support requested (--with-selinux was given), checking prerequisites"
-	if test -d /usr/local/selinux/include ; then
-		echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well"
-		CFLAGS="$CFLAGS -I/usr/local/selinux/include"
-		LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib"
-	fi
-	AC_CHECK_HEADER(selinux/selinux.h)
-	AC_CHECK_HEADER(selinux/get_context_list.h)
-	AC_CHECK_LIB(attr,attr_get,/bin/true)
-	# I'm anal and I don't know which versions have which symbols,
-	# so I check for all the ones we use
-	AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true)
-	AC_CHECK_LIB(selinux,freecon,/bin/true)
-	AC_CHECK_LIB(selinux,freeconary,/bin/true)
-	AC_CHECK_LIB(selinux,setexeccon,/bin/true)
-	AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true)
-	AC_DEFINE(HAVE_SELINUX)
-	EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
-fi
-
-#
- # ConsoleKit support
- #
- use_console_kit=no
-@@ -1447,13 +1421,6 @@ else
- 	echo "Console helper                        : NO"
- fi
- 
-dnl <= SELinux support =>
-if test "x$with_selinux" = "xyes" ; then
-	echo "SELinux support                       : YES"
-else
-	echo "SELinux support                       : NO"
-fi
-
- dnl <= Solaris Trusted Extensions support =>
- if test "x$found_tsol" = "xyes" ; then
- 	echo "Solaris Trusted Extensions support    : YES"
-diff -up gdm-2.19.6/daemon/slave.c.selinux gdm-2.19.6/daemon/slave.c
--- gdm-2.19.6/daemon/slave.c.selinux	2007-08-24 11:24:34.000000000 -0400
-+++ gdm-2.19.6/daemon/slave.c	2007-08-24 11:24:52.000000000 -0400
-@@ -87,11 +87,6 @@
- #include <user_attr.h>
- #endif
- 
-#ifdef HAVE_SELINUX
-#include <selinux/selinux.h>
-#include <selinux/get_context_list.h>
-#endif /* HAVE_SELINUX */
-
- #include <glib/gi18n.h>
- #include <gdk/gdkx.h>
- #include <gtk/gtk.h>
-@@ -3521,48 +3516,6 @@ open_xsession_errors (struct passwd *pwe
- 	return logfd;
- }
- 
-#ifdef HAVE_SELINUX
-/* This should be run just before we exec the user session */
-static gboolean
-gdm_selinux_setup (const char *login)
-{
-	security_context_t scontext;
-	int ret=-1;
-	char *seuser=NULL;
-	char *level=NULL;
-
-	/* If selinux is not enabled, then we don't do anything */
-	if (is_selinux_enabled () <= 0)
-		return TRUE;
-
-	if (getseuserbyname(login, &seuser, &level) == 0)
-		ret=get_default_context_with_level(seuser, level, 0, &scontext);
-
-	if (ret < 0) {
-		gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
-		/* note that this will be run when the .xsession-errors
-		   is already being logged, so we can use stderr */
-		gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
- 		return (security_getenforce()==0);
-	}
-
-	gdm_assert (scontext != NULL);
-
-	if (setexeccon (scontext) != 0) {
-		gdm_error ("SELinux gdm login: unable to set executable context %s.",
-			   (char *)scontext);
-		gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
-			      (char *)scontext);
-		freecon (scontext);
-		return (security_getenforce()==0);
-	}
-
-	freecon (scontext);
-
-	return TRUE;
-}
-#endif /* HAVE_SELINUX */
-
- static void
- session_child_run (struct passwd *pwent,
- 		   int logfd,
-@@ -4048,16 +4001,6 @@ session_child_run (struct passwd *pwent,
- 	}
- #endif
- 
-#ifdef HAVE_SELINUX
-	if ( ! gdm_selinux_setup (pwent->pw_name)) {
-		/* 66 means no "session crashed" examine .xsession-errors
-		   dialog */
-		gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
-			       _("Error! Unable to set executable context."));
-		_exit (66);
-	}
-#endif
-
-         g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
- 	VE_IGNORE_EINTR (execv (argv[0], argv));
- 	g_strfreev (argv);
--- a/gdm-2.19.8-selinux.patch
+++ b/gdm-2.19.8-selinux.patch
@ -0,0 +1,144 @@
+diff -up gdm-2.19.8/configure.ac.selinux gdm-2.19.8/configure.ac
+diff -up gdm-2.19.8/daemon/slave.c.selinux gdm-2.19.8/daemon/slave.c
+--- gdm-2.19.8/daemon/slave.c.selinux	2007-09-07 11:40:58.000000000 -0400
+++ gdm-2.19.8/daemon/slave.c	2007-09-07 12:21:37.000000000 -0400
+@@ -89,7 +89,6 @@
+ 
+ #ifdef HAVE_SELINUX
+ #include <selinux/selinux.h>
+-#include <selinux/get_context_list.h>
+ #endif /* HAVE_SELINUX */
+ 
+ #include <glib/gi18n.h>
+@@ -172,6 +171,10 @@ static uid_t logged_in_uid             =
+ static gid_t logged_in_gid             = -1;
+ #endif
+ 
+#ifdef HAVE_SELINUX
+security_context_t logged_in_context   = NULL;
+#endif 
+
+ static int greeter_fd_out              = -1;
+ static int greeter_fd_in               = -1;
+ 
+@@ -2036,6 +2039,7 @@ restart_the_greeter (void)
+ 	gdm_slave_sensitize_config ();
+ }
+ 
+
+ static gboolean
+ play_login_sound (const char *sound_file)
+ {
+@@ -3519,48 +3523,6 @@ open_xsession_errors (struct passwd *pwe
+ 	return logfd;
+ }
+ 
+-#ifdef HAVE_SELINUX
+-/* This should be run just before we exec the user session */
+-static gboolean
+-gdm_selinux_setup (const char *login)
+-{
+-	security_context_t scontext;
+-	int ret=-1;
+-	char *seuser=NULL;
+-	char *level=NULL;
+-
+-	/* If selinux is not enabled, then we don't do anything */
+-	if (is_selinux_enabled () <= 0)
+-		return TRUE;
+-
+-	if (getseuserbyname(login, &seuser, &level) == 0)
+-		ret=get_default_context_with_level(seuser, level, 0, &scontext);
+-
+-	if (ret < 0) {
+-		gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
+-		/* note that this will be run when the .xsession-errors
+-		   is already being logged, so we can use stderr */
+-		gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
+- 		return (security_getenforce()==0);
+-	}
+-
+-	gdm_assert (scontext != NULL);
+-
+-	if (setexeccon (scontext) != 0) {
+-		gdm_error ("SELinux gdm login: unable to set executable context %s.",
+-			   (char *)scontext);
+-		gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
+-			      (char *)scontext);
+-		freecon (scontext);
+-		return (security_getenforce()==0);
+-	}
+-
+-	freecon (scontext);
+-
+-	return TRUE;
+-}
+-#endif /* HAVE_SELINUX */
+-
+ static void
+ session_child_run (struct passwd *pwent,
+ 		   int logfd,
+@@ -3801,6 +3763,10 @@ session_child_run (struct passwd *pwent,
+                         close (iceauth_fd);
+         }
+ 
+#ifdef HAVE_SELINUX
+        setexeccon (logged_in_context);
+#endif
+
+ 	NEVER_FAILS_setegid (pwent->pw_gid);
+ #ifdef HAVE_LOGINCAP
+ 	if (setusercontext (NULL, pwent, pwent->pw_uid,
+@@ -4046,16 +4012,6 @@ session_child_run (struct passwd *pwent,
+ 	}
+ #endif
+ 
+-#ifdef HAVE_SELINUX
+-	if ( ! gdm_selinux_setup (pwent->pw_name)) {
+-		/* 66 means no "session crashed" examine .xsession-errors
+-		   dialog */
+-		gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
+-			       _("Error! Unable to set executable context."));
+-		_exit (66);
+-	}
+-#endif
+-
+         g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
+ 	VE_IGNORE_EINTR (execv (argv[0], argv));
+ 	g_strfreev (argv);
+@@ -4741,6 +4697,11 @@ gdm_slave_session_start (void)
+ 
+ 	NEVER_FAILS_root_set_euid_egid (0, gdm_daemon_config_get_gdmgid ());
+ 
+#ifdef HAVE_SELINUX
+        getexeccon (&logged_in_context);
+        setexeccon (NULL);
+#endif
+
+ 	if G_UNLIKELY ( ! authok) {
+ 		gdm_debug ("gdm_slave_session_start: Auth not OK");
+ 
+@@ -5009,6 +4970,10 @@ gdm_slave_session_stop (gboolean run_pos
+ 	seteuid (0);
+ 	setegid (0);
+ 
+#ifdef HAVE_SELINUX
+        setexeccon (NULL);
+#endif
+
+ 	gdm_slave_send_num (GDM_SOP_SESSPID, 0);
+ 
+ 	/* Now still as root make the system authfile not readable by others,
+@@ -5069,6 +5034,12 @@ gdm_slave_session_stop (gboolean run_pos
+ 	logged_in_uid = -1;
+ 	logged_in_gid = -1;
+ 
+#ifdef HAVE_SELINUX
+        setexeccon (logged_in_context);
+	freecon (logged_in_context);
+	logged_in_context = NULL;
+#endif
+
+ 	/* things are going to be killed, so ignore errors */
+ 	XSetErrorHandler (ignore_xerror_handler);
+ 
--- a/gdm.spec
+++ b/gdm.spec
@ -53,7 +53,7 @@ Patch33: gdm-2.19.6-pass-ats-to-session.patch
 Patch35: gdmsetup-path.patch

 # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=254164
-Patch37: gdm-2.19.6-selinux.patch
+Patch37: gdm-2.19.8-selinux.patch

 Patch100: gdm-2.19.6-change-defaults.patch

@ -348,6 +348,9 @@ fi
 %{_datadir}/pixmaps/faces/extras/*.jpg

 %changelog
+* Fri Sep  7 2007 Ray Strode <rstrode@redhat.com> - 1:2.19.8-2
+- make things work better for xguest users (bug 254164)
+
 * Fri Sep  7 2007 Matthias Clasen <mclasen@redhat.com> - 1:2.19.8-1
 - Update to 2.19.8