102 lines
2.8 KiB
Diff
102 lines
2.8 KiB
Diff
diff --git a/configure.in b/configure.in
|
|
index a5a434d..1d3801e 100644
|
|
--- a/configure.in
|
|
+++ b/configure.in
|
|
@@ -572,6 +572,24 @@ AC_SUBST(GCOV)
|
|
AC_SUBST(GENHTML)
|
|
|
|
# ----------------------------------------------------------------------
|
|
+# selinux
|
|
+
|
|
+LIBSELINUX=""
|
|
+selinux_status="no"
|
|
+AC_ARG_ENABLE([selinux],
|
|
+ AC_HELP_STRING([--disable-selinux],[do not use SELinux]))
|
|
+if test "x$enable_selinux" != "xno"; then
|
|
+ AC_CHECK_LIB([selinux],[getfilecon],
|
|
+ [AC_CHECK_LIB([selinux],[setexeccon],
|
|
+ [AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
|
|
+ LIBSELINUX="-lselinux"
|
|
+ selinux_status="yes"])
|
|
+ ])
|
|
+fi
|
|
+AC_SUBST(LIBSELINUX)
|
|
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
|
|
+
|
|
+# ----------------------------------------------------------------------
|
|
# Valgrind
|
|
|
|
AC_ARG_ENABLE(valgrind,
|
|
@@ -742,6 +760,7 @@ echo
|
|
echo "OPTIONAL DEPENDENCIES"
|
|
echo " PAM: $pam_status"
|
|
echo " Linux capabilities: $libcapng_status"
|
|
+echo " SELinux: $selinux_status"
|
|
echo
|
|
echo "CONFIGURATION"
|
|
echo " SSH Agent: $ssh_status"
|
|
diff --git a/pam/Makefile.am b/pam/Makefile.am
|
|
index 81bda13..2e6362d 100644
|
|
--- a/pam/Makefile.am
|
|
+++ b/pam/Makefile.am
|
|
@@ -16,6 +16,7 @@ pam_gnome_keyring_la_LIBADD = \
|
|
$(top_builddir)/egg/libegg-buffer.la \
|
|
$(top_builddir)/egg/libegg-creds.la \
|
|
$(top_builddir)/egg/libegg-secure.la \
|
|
+ $(LIBSELINUX) \
|
|
-lpam
|
|
|
|
pam_gnome_keyring_la_LDFLAGS = \
|
|
diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
|
|
index e63c917..8ad814c 100644
|
|
--- a/pam/gkr-pam-module.c
|
|
+++ b/pam/gkr-pam-module.c
|
|
@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
|
|
free_password (data);
|
|
}
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/flask.h>
|
|
+#include <selinux/selinux.h>
|
|
+/* Attempt to set SELinux Context. We are ignoring failure and just going
|
|
+ with default behaviour default behaviour
|
|
+*/
|
|
+static void setup_selinux_context(const char *command) {
|
|
+ security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
|
|
+
|
|
+ if (is_selinux_enabled() != 1) return;
|
|
+
|
|
+ int ret = getexeccon(&execcon);
|
|
+ if ((ret < 0) || (! execcon)) goto err;
|
|
+
|
|
+ ret = getfilecon(command, &fcon);
|
|
+ if (ret < 0) goto err;
|
|
+
|
|
+ ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
|
|
+ if (ret < 0) goto err;
|
|
+
|
|
+ setexeccon(newcon);
|
|
+
|
|
+err:
|
|
+ freecon(newcon);
|
|
+ freecon(fcon);
|
|
+ freecon(execcon);
|
|
+ return;
|
|
+}
|
|
+#endif
|
|
+
|
|
static void
|
|
setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
|
|
{
|
|
@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
|
|
char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
|
|
#endif
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+ setup_selinux_context(GNOME_KEYRING_DAEMON);
|
|
+#endif
|
|
+
|
|
assert (pwd);
|
|
assert (pwd->pw_dir);
|
|
|