* Thu Mar 12 2009 Adam Jackson <ajax@redhat.com> 1.6.0-13

- xselinux-1.6.0-selinux-nlfd.patch: Acquire the netlink socket from selinux, check it ourselves rather than having libselinux bang on it all the time.
2009-03-12 17:34:00 +00:00 · 2009-03-12 17:34:00 +00:00 · 3fbffab8f3
commit 3fbffab8f3
parent 242c526cf3
2 changed files with 107 additions and 5 deletions
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@ -19,7 +19,7 @@
 Summary:   X.Org X11 X server
 Name:      xorg-x11-server
 Version:   1.6.0
-Release:   12%{?dist}
+Release:   13%{?dist}
 URL:       http://www.x.org
 License:   MIT
 Group:     User Interface/X
@ -79,10 +79,13 @@ Patch6010: xserver-1.5.99.902-selinux-debugging.patch
 Patch6011: xserver-1.6.0-less-acpi-brokenness.patch
 # don't try intel on poulsbo
-Patch6013: xserver-1.5.99.902-sod-off-poulsbo.patch
+Patch6012: xserver-1.5.99.902-sod-off-poulsbo.patch
 # don't do selinux if we're not told to
-Patch6014: xserver-1.6.0-selinux-less.patch
+Patch6013: xserver-1.6.0-selinux-less.patch
 # selinux performance hack
 Patch6014: xserver-1.6.0-selinux-nlfd.patch
 # https://bugs.freedesktop.org/show_bug.cgi?id=20087
 Patch6015: xserver-1.5.99.902-vnc.patch
@ -144,7 +147,7 @@ BuildRequires: mesa-libGL-devel >= 7.1-0.37
 # XXX silly...
 BuildRequires: libdrm-devel >= 2.4.0 kernel-headers
-BuildRequires: audit-libs-devel libselinux-devel >= 2.0.59-1
+BuildRequires: audit-libs-devel libselinux-devel >= 2.0.79-1
 BuildRequires: hal-devel dbus-devel
 # All server subpackages have a virtual provide for the name of the server
@ -158,6 +161,7 @@ X.Org X11 X server
 Summary: Xorg server common files
 Group: User Interface/X
 Requires: pixman >= 0.14.0
 Requires: libselinux >= 2.0.79-1
 %description common
 Common files shared among all X servers.
@ -507,6 +511,10 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Thu Mar 12 2009 Adam Jackson <ajax@redhat.com> 1.6.0-13
 - xselinux-1.6.0-selinux-nlfd.patch: Acquire the netlink socket from selinux,
  check it ourselves rather than having libselinux bang on it all the time.
 * Wed Mar 11 2009 Adam Jackson <ajax@redhat.com> 1.6.0-12
 - Requires: pixman >= 0.14.0
@ -965,7 +973,7 @@ rm -rf $RPM_BUILD_ROOT
 * Tue Mar 11 2008 Adam Jackson <ajax@redhat.com> 1.4.99.901-3.20080310
 - New 1.5 snapshot.
- xserver-1.5-x86emy.patch: Fix an x86emu quirk.
+- xserver-1.5-x86emu.patch: Fix an x86emu quirk.
 * Fri Mar 07 2008 Adam Jackson <ajax@redhat.com> 1.4.99.901-1.20080307
 - Today's 1.5 snapshot.
--- a/xserver-1.6.0-selinux-nlfd.patch
+++ b/xserver-1.6.0-selinux-nlfd.patch
@ -0,0 +1,94 @@
 From 0731394b205f003143ceec1bde04b6c6726f9c10 Mon Sep 17 00:00:00 2001
 From: Adam Jackson <ajax@redhat.com>
 Date: Mon, 2 Mar 2009 18:45:27 -0500
 Subject: [PATCH] selinux netlink socket hack
 ---
 Xext/xselinux.c         |   29 +++++++++++++++++++++++++++++
 configure.ac            |    4 ++++
 include/dix-config.h.in |    2 ++
 3 files changed, 35 insertions(+), 0 deletions(-)
 diff --git a/Xext/xselinux.c b/Xext/xselinux.c
 index 6085983..419c0ae 100644
 --- a/Xext/xselinux.c
 +++ b/Xext/xselinux.c
@@ -1887,6 +1887,22 @@ SProcSELinuxDispatch(ClientPtr client)
     }
 }
 +#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
 +static int netlink_fd;
 +
 +static void
 +SELinuxBlockHandler(void *data, struct timeval **tv, void *read_mask)
 +{
 +}
 +
 +static void
 +SELinuxWakeupHandler(void *data, int err, void *read_mask)
 +{
 +    if (FD_ISSET(netlink_fd, (fd_set *)read_mask))
 +        avc_netlink_check_nb();
 +}
 +#endif
 +
 /*
  * Extension Setup / Teardown
@@ -1917,6 +1933,12 @@ SELinuxResetProc(ExtensionEntry *extEntry)
     label_hnd = NULL;
     audit_close(audit_fd);
 +#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
 +    avc_netlink_release_fd();
 +    RemoveBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
 +                                 NULL);
 +    RemoveGeneralSocket(netlink_fd);
 +#endif
     avc_destroy();
     avc_active = 0;
@@ -2013,6 +2035,13 @@ SELinuxExtensionInit(INITARGS)
     if (atom_client_ctx == BAD_RESOURCE)
 	FatalError("SELinux: Failed to create atom\n");
 +#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
 +    netlink_fd = avc_netlink_acquire_fd();
 +    AddGeneralSocket(netlink_fd);
 +    RegisterBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
 +                                   NULL);
 +#endif
 +
     /* Register callbacks */
     ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
     ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
 diff --git a/configure.ac b/configure.ac
 index 72ae67e..55a880e 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -920,6 +920,10 @@ if test "x$XSELINUX" = xyes; then
 	AC_CHECK_LIB(selinux, avc_init, [], AC_MSG_ERROR([SELinux library not found])) 
 	AC_CHECK_HEADERS([libaudit.h], [], AC_MSG_ERROR([SELinux extension requires audit system headers]))
 	AC_CHECK_LIB(audit, audit_open, [], AC_MSG_ERROR([SELinux extension requires audit system library]))
 +        AC_CHECK_DECL(avc_netlink_acquire_fd,
 +                      [AC_DEFINE(HAVE_AVC_NETLINK_ACQUIRE_FD, 1, "Have avc_netlink_acquire_fd")],
 +                      [],
 +                      [#include <selinux/avc.h>])
 	AC_DEFINE(XSELINUX, 1, [Build SELinux extension])
 	SELINUX_LIB="-lselinux -laudit"
 fi
 diff --git a/include/dix-config.h.in b/include/dix-config.h.in
 index 3da193f..66c3008 100644
 --- a/include/dix-config.h.in
 +++ b/include/dix-config.h.in
@@ -442,4 +442,6 @@
 #include "dix-config-apple-verbatim.h"
 #endif
 +#undef HAVE_AVC_NETLINK_ACQUIRE_FD
 +
 #endif /* _DIX_CONFIG_H_ */
 -- 
 1.6.1.3