- use pam_selinux instead of home grown selinux code (bug 254164)

gdm-2.19.6-selinux.patch

@@ -0,0 +1,138 @@
+diff -up gdm-2.19.6/configure.ac.selinux gdm-2.19.6/configure.ac
+--- gdm-2.19.6/configure.ac.selinux	2007-08-24 11:25:38.000000000 -0400
++++ gdm-2.19.6/configure.ac	2007-08-24 11:25:54.000000000 -0400
+@@ -72,8 +72,6 @@ AC_ARG_WITH(dmx,
+   [  --with-dmx=[auto/yes/no]  Add DMX (Distributed Multihead X) support [default=auto]],,
+   with_dmx=auto)
+ 
+-AC_ARG_WITH(selinux, [  --with-selinux  Add SELinux support])
+-
+ AC_ARG_WITH(console-kit,
+   [  --with-console-kit=[auto/yes/no]  Add ConsoleKit support [default=auto]],,
+   with_console_kit=auto)
+@@ -805,30 +803,6 @@ fi
+ 
+ 
+ #
+-# SELinux stuff
+-#
+-if test "x$with_selinux" = "xyes" ; then
+-	echo "SELinux support requested (--with-selinux was given), checking prerequisites"
+-	if test -d /usr/local/selinux/include ; then
+-		echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well"
+-		CFLAGS="$CFLAGS -I/usr/local/selinux/include"
+-		LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib"
+-	fi
+-	AC_CHECK_HEADER(selinux/selinux.h)
+-	AC_CHECK_HEADER(selinux/get_context_list.h)
+-	AC_CHECK_LIB(attr,attr_get,/bin/true)
+-	# I'm anal and I don't know which versions have which symbols,
+-	# so I check for all the ones we use
+-	AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true)
+-	AC_CHECK_LIB(selinux,freecon,/bin/true)
+-	AC_CHECK_LIB(selinux,freeconary,/bin/true)
+-	AC_CHECK_LIB(selinux,setexeccon,/bin/true)
+-	AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true)
+-	AC_DEFINE(HAVE_SELINUX)
+-	EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
+-fi
+-
+-#
+ # ConsoleKit support
+ #
+ use_console_kit=no
+@@ -1447,13 +1421,6 @@ else
+ 	echo "Console helper                        : NO"
+ fi
+ 
+-dnl <= SELinux support =>
+-if test "x$with_selinux" = "xyes" ; then
+-	echo "SELinux support                       : YES"
+-else
+-	echo "SELinux support                       : NO"
+-fi
+-
+ dnl <= Solaris Trusted Extensions support =>
+ if test "x$found_tsol" = "xyes" ; then
+ 	echo "Solaris Trusted Extensions support    : YES"
+diff -up gdm-2.19.6/daemon/slave.c.selinux gdm-2.19.6/daemon/slave.c
+--- gdm-2.19.6/daemon/slave.c.selinux	2007-08-24 11:24:34.000000000 -0400
++++ gdm-2.19.6/daemon/slave.c	2007-08-24 11:24:52.000000000 -0400
+@@ -87,11 +87,6 @@
+ #include <user_attr.h>
+ #endif
+ 
+-#ifdef HAVE_SELINUX
+-#include <selinux/selinux.h>
+-#include <selinux/get_context_list.h>
+-#endif /* HAVE_SELINUX */
+-
+ #include <glib/gi18n.h>
+ #include <gdk/gdkx.h>
+ #include <gtk/gtk.h>
+@@ -3521,48 +3516,6 @@ open_xsession_errors (struct passwd *pwe
+ 	return logfd;
+ }
+ 
+-#ifdef HAVE_SELINUX
+-/* This should be run just before we exec the user session */
+-static gboolean
+-gdm_selinux_setup (const char *login)
+-{
+-	security_context_t scontext;
+-	int ret=-1;
+-	char *seuser=NULL;
+-	char *level=NULL;
+-
+-	/* If selinux is not enabled, then we don't do anything */
+-	if (is_selinux_enabled () <= 0)
+-		return TRUE;
+-
+-	if (getseuserbyname(login, &seuser, &level) == 0)
+-		ret=get_default_context_with_level(seuser, level, 0, &scontext);
+-
+-	if (ret < 0) {
+-		gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
+-		/* note that this will be run when the .xsession-errors
+-		   is already being logged, so we can use stderr */
+-		gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
+- 		return (security_getenforce()==0);
+-	}
+-
+-	gdm_assert (scontext != NULL);
+-
+-	if (setexeccon (scontext) != 0) {
+-		gdm_error ("SELinux gdm login: unable to set executable context %s.",
+-			   (char *)scontext);
+-		gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
+-			      (char *)scontext);
+-		freecon (scontext);
+-		return (security_getenforce()==0);
+-	}
+-
+-	freecon (scontext);
+-
+-	return TRUE;
+-}
+-#endif /* HAVE_SELINUX */
+-
+ static void
+ session_child_run (struct passwd *pwent,
+ 		   int logfd,
+@@ -4048,16 +4001,6 @@ session_child_run (struct passwd *pwent,
+ 	}
+ #endif
+ 
+-#ifdef HAVE_SELINUX
+-	if ( ! gdm_selinux_setup (pwent->pw_name)) {
+-		/* 66 means no "session crashed" examine .xsession-errors
+-		   dialog */
+-		gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
+-			       _("Error! Unable to set executable context."));
+-		_exit (66);
+-	}
+-#endif
+-
+         g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
+ 	VE_IGNORE_EINTR (execv (argv[0], argv));
+ 	g_strfreev (argv);

gdm-autologin-pam

@@ -4,7 +4,9 @@ auth       required    pam_permit.so
 account    required    pam_nologin.so
 account    include     system-auth
 password   include     system-auth
+session    required    pam_selinux.so close
 session    optional    pam_keyinit.so force revoke
 session    include     system-auth
 session    required    pam_loginuid.so
 session    optional    pam_console.so
+session    required    pam_selinux.so open

gdm-pam

@@ -5,9 +5,11 @@ auth       optional    pam_gnome_keyring.so auto_start
 account    required    pam_nologin.so
 account    include     system-auth
 password   include     system-auth
+session    required    pam_selinux.so close
 session    optional    pam_keyinit.so force revoke
 session    include     system-auth
 session    required    pam_loginuid.so
 session    optional    pam_console.so
+session    required    pam_selinux.so open
 session    optional    pam_gnome_keyring.so
 

gdm.spec

@@ -1,5 +1,4 @@
 
-%define libselinuxver 1.27.7
 %define libauditver 1.0.6
 %define pango_version 1.2.0
 %define gtk2_version 2.6.0
@@ -17,7 +16,7 @@
 Summary: The GNOME Display Manager
 Name: gdm
 Version: 2.19.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 1
 License: GPLv2+
 Group: User Interface/X
@@ -56,6 +55,9 @@ Patch35: gdmsetup-path.patch
 # http://bugzilla.gnome.org/show_bug.cgi?id=467335
 Patch36: gdm-2.19.5-disable-typeahead.patch
 
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=254164
+Patch37: gdm-2.19.6-selinux.patch
+
 Patch100: gdm-2.19.6-change-defaults.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -101,7 +103,6 @@ BuildRequires: libattr-devel
 BuildRequires: gettext 
 BuildRequires: gnome-doc-utils
 BuildRequires: libdmx-devel
-BuildRequires: libselinux-devel >= %{libselinuxver}
 BuildRequires: audit-libs-devel >= %{libauditver}
 BuildRequires: intltool
 %ifnarch s390 s390x ppc64
@@ -109,7 +110,6 @@ BuildRequires: xorg-x11-server-Xorg
 %endif
 BuildRequires: nss-devel >= %{nss_version}
 BuildRequires: ConsoleKit
-Requires: libselinux >= %{libselinuxver}
 Requires: audit-libs >= %{libauditver}
 
 %description
@@ -140,6 +140,7 @@ Extra icons / faces for the GNOME Display Manager.
 %patch33 -p1 -b .pass-ats-to-session
 %patch35 -p1 -b .gdmsetup-path
 %patch36 -p1 -b .disable-typeahead
+%patch37 -p1 -b .selinux
 
 %patch100 -p1 -b .change-defaults
 
@@ -157,7 +158,6 @@ autoheader
 %configure --with-pam-prefix=%{_sysconfdir} \
 	   --enable-console-helper \
 	   --disable-scrollkeeper  \
-	   --with-selinux \
 	   --with-console-kit
 make
 
@@ -355,6 +355,9 @@ fi
 %{_datadir}/pixmaps/faces/extras/*.jpg
 
 %changelog
+* Fri Aug 24 2007 Ray Strode <rstrode@redhat.com> - 1:2.19.6-5
+- use pam_selinux instead of home grown selinux code (bug 254164)
+
 * Wed Aug 22 2007 Kristian Høgsberg <krh@redhat.com> - 1:2.19.6-4
 - Pass -br to the default X server too.