gnome-keyring/gnome-keyring-2.91.93-pam-selinux.patch

94 lines
2.6 KiB
Diff

diff --git a/configure.in b/configure.in
index a5a434d..8294028 100644
--- a/configure.in
+++ b/configure.in
@@ -572,6 +572,28 @@ AC_SUBST(GCOV)
AC_SUBST(GENHTML)
# ----------------------------------------------------------------------
+# selinux
+AC_ARG_ENABLE([selinux],
+ AC_HELP_STRING([--disable-selinux],[do not use SELinux]),
+ WITH_SELINUX=$enableval, WITH_SELINUX=yes)
+if test "$WITH_SELINUX" == "yes" ; then
+ AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
+ selinux_status="yes"
+else
+ LIBSELINUX=""
+ selinux_status="no"
+fi
+AC_SUBST(LIBSELINUX)
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+if test ! -z "$LIBSELINUX" ; then
+ AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+ BACKUP_LIBS=$LIBS
+ LIBS="$LIBS $LIBSELINUX"
+ AC_CHECK_FUNCS(setexeccon)
+ LIBS=$BACKUP_LIBS
+fi
+
+# ----------------------------------------------------------------------
# Valgrind
AC_ARG_ENABLE(valgrind,
@@ -742,6 +764,7 @@ echo
echo "OPTIONAL DEPENDENCIES"
echo " PAM: $pam_status"
echo " Linux capabilities: $libcapng_status"
+echo " SELinux: $selinux_status"
echo
echo "CONFIGURATION"
echo " SSH Agent: $ssh_status"
diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
index e63c917..2e2e765 100644
--- a/pam/gkr-pam-module.c
+++ b/pam/gkr-pam-module.c
@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
free_password (data);
}
+#ifdef WITH_SELINUX
+#include <selinux/flask.h>
+#include <selinux/selinux.h>
+/* Attempt to set SELinux Context. We are ignoring failure and just going
+ with default behaviour default behaviour
+*/
+static void setup_selinux_context(const char *command) {
+ security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
+
+ if (is_selinux_enabled() != 1) return;
+
+ int ret = getexeccon(&execcon);
+ if ((ret < 0) || (! execcon)) goto err;
+
+ ret = getfilecon(command, &fcon);
+ if (ret < 0) goto err;
+
+ ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
+ if (ret < 0) goto err;
+
+ setexeccon(newcon);
+
+err:
+ freecon(newcon);
+ freecon(fcon);
+ freecon(execcon);
+ return;
+}
+#endif
+
static void
setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
{
@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
#endif
+#ifdef WITH_SELINUX
+ setup_selinux_context(GNOME_KEYRING_DAEMON);
+#endif
+
assert (pwd);
assert (pwd->pw_dir);