From e5ecf63c98064745f817e45e7a58e29f3dd6ed42 Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Aug 24 2007 15:33:07 +0000
Subject: - use pam_selinux instead of home grown selinux code (bug 254164)
---
diff --git a/gdm-2.19.6-selinux.patch b/gdm-2.19.6-selinux.patch
new file mode 100644
index 0000000..415f5d4
--- /dev/null
+++ b/gdm-2.19.6-selinux.patch
@@ -0,0 +1,138 @@
+diff -up gdm-2.19.6/configure.ac.selinux gdm-2.19.6/configure.ac
+--- gdm-2.19.6/configure.ac.selinux 2007-08-24 11:25:38.000000000 -0400
++++ gdm-2.19.6/configure.ac 2007-08-24 11:25:54.000000000 -0400
+@@ -72,8 +72,6 @@ AC_ARG_WITH(dmx,
+ [ --with-dmx=[auto/yes/no] Add DMX (Distributed Multihead X) support [default=auto]],,
+ with_dmx=auto)
+ 
+-AC_ARG_WITH(selinux, [ --with-selinux Add SELinux support])
+-
+ AC_ARG_WITH(console-kit,
+ [ --with-console-kit=[auto/yes/no] Add ConsoleKit support [default=auto]],,
+ with_console_kit=auto)
+@@ -805,30 +803,6 @@ fi
+ 
+ 
+ #
+-# SELinux stuff
+-#
+-if test "x$with_selinux" = "xyes" ; then
+- echo "SELinux support requested (--with-selinux was given), checking prerequisites"
+- if test -d /usr/local/selinux/include ; then
+- echo "Found /usr/local/selinux/include, will look there for SELinux stuff as well"
+- CFLAGS="$CFLAGS -I/usr/local/selinux/include"
+- LDFLAGS="$LDFLAGS -L/usr/local/selinux/lib"
+- fi
+- AC_CHECK_HEADER(selinux/selinux.h)
+- AC_CHECK_HEADER(selinux/get_context_list.h)
+- AC_CHECK_LIB(attr,attr_get,/bin/true)
+- # I'm anal and I don't know which versions have which symbols,
+- # so I check for all the ones we use
+- AC_CHECK_LIB(selinux,get_ordered_context_list,/bin/true)
+- AC_CHECK_LIB(selinux,freecon,/bin/true)
+- AC_CHECK_LIB(selinux,freeconary,/bin/true)
+- AC_CHECK_LIB(selinux,setexeccon,/bin/true)
+- AC_CHECK_LIB(selinux,is_selinux_enabled,/bin/true)
+- AC_DEFINE(HAVE_SELINUX)
+- EXTRA_DAEMON_LIBS="$EXTRA_DAEMON_LIBS -lselinux -lattr"
+-fi
+-
+-#
+ # ConsoleKit support
+ #
+ use_console_kit=no
+@@ -1447,13 +1421,6 @@ else
+ echo "Console helper : NO"
+ fi
+ 
+-dnl <= SELinux support =>
+-if test "x$with_selinux" = "xyes" ; then
+- echo "SELinux support : YES"
+-else
+- echo "SELinux support : NO"
+-fi
+-
+ dnl <= Solaris Trusted Extensions support =>
+ if test "x$found_tsol" = "xyes" ; then
+ echo "Solaris Trusted Extensions support : YES"
+diff -up 
gdm-2.19.6/daemon/slave.c.selinux gdm-2.19.6/daemon/slave.c
+--- gdm-2.19.6/daemon/slave.c.selinux 2007-08-24 11:24:34.000000000 -0400
++++ gdm-2.19.6/daemon/slave.c 2007-08-24 11:24:52.000000000 -0400
+@@ -87,11 +87,6 @@
+ #include
+ #endif
+ 
+-#ifdef HAVE_SELINUX
+-#include
+-#include
+-#endif /* HAVE_SELINUX */
+-
+ #include
+ #include
+ #include
+@@ -3521,48 +3516,6 @@ open_xsession_errors (struct passwd *pwe
+ return logfd;
+ }
+ 
+-#ifdef HAVE_SELINUX
+-/* This should be run just before we exec the user session */
+-static gboolean
+-gdm_selinux_setup (const char *login)
+-{
+- security_context_t scontext;
+- int ret=-1;
+- char *seuser=NULL;
+- char *level=NULL;
+-
+- /* If selinux is not enabled, then we don't do anything */
+- if (is_selinux_enabled () <= 0)
+- return TRUE;
+-
+- if (getseuserbyname(login, &seuser, &level) == 0)
+- ret=get_default_context_with_level(seuser, level, 0, &scontext);
+-
+- if (ret < 0) {
+- gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
+- /* note that this will be run when the .xsession-errors
+- is already being logged, so we can use stderr */
+- gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
+- return (security_getenforce()==0);
+- }
+-
+- gdm_assert (scontext != NULL);
+-
+- if (setexeccon (scontext) != 0) {
+- gdm_error ("SELinux gdm login: unable to set executable context %s.",
+- (char *)scontext);
+- gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
+- (char *)scontext);
+- freecon (scontext);
+- return (security_getenforce()==0);
+- }
+-
+- freecon (scontext);
+-
+- return TRUE;
+-}
+-#endif /* HAVE_SELINUX */
+-
+ static void
+ session_child_run (struct passwd *pwent,
+ int logfd,
+@@ -4048,16 +4001,6 @@ session_child_run (struct passwd *pwent,
+ }
+ #endif
+ 
+-#ifdef HAVE_SELINUX
+- if ( ! 
gdm_selinux_setup (pwent->pw_name)) { +- /* 66 means no "session crashed" examine .xsession-errors +- dialog */ +- gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, +- _("Error! Unable to set executable context.")); +- _exit (66); +- } +-#endif +- + g_shell_parse_argv (fullexec->str, NULL, &argv, NULL); + VE_IGNORE_EINTR (execv (argv[0], argv)); + g_strfreev (argv); diff --git a/gdm-autologin-pam b/gdm-autologin-pam index f676719..9593fad 100644 --- a/gdm-autologin-pam +++ b/gdm-autologin-pam @@ -4,7 +4,9 @@ auth required pam_permit.so account required pam_nologin.so account include system-auth password include system-auth +session required pam_selinux.so close session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so session optional pam_console.so +session required pam_selinux.so open diff --git a/gdm-pam b/gdm-pam index 74e791c..cbe994b 100644 --- a/gdm-pam +++ b/gdm-pam @@ -5,9 +5,11 @@ auth optional pam_gnome_keyring.so auto_start account required pam_nologin.so account include system-auth password include system-auth +session required pam_selinux.so close session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so session optional pam_console.so +session required pam_selinux.so open session optional pam_gnome_keyring.so diff --git a/gdm.spec b/gdm.spec index 310aba4..f8aff64 100644 --- a/gdm.spec +++ b/gdm.spec @@ -1,5 +1,4 @@ -%define libselinuxver 1.27.7 %define libauditver 1.0.6 %define pango_version 1.2.0 %define gtk2_version 2.6.0 @@ -17,7 +16,7 @@ Summary: The GNOME Display Manager Name: gdm Version: 2.19.6 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 1 License: GPLv2+ Group: User Interface/X 
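Review bot: The removed gdm_selinux_setup() in the slave.c part of this hunk called setexeccon() inside session_child_run, immediately before the execv of the user session; its replacement, `pam_selinux.so open`, now runs during PAM session setup in whichever process opens the session, and the patch carries no note explaining why that is equivalent. It is equivalent only because the exec context set by setexeccon is inherited by fork()ed children, so it holds as long as the session is opened in the slave process that later forks the session child and not in a separate helper; that assumption deserves a line in the patch header, e.g. `# exec context is now set by pam_selinux open at session setup and inherited by the session child across fork`. The hunk also drops the stderr diagnostic written into .xsession-errors and the "Unable to set executable context" error box with `_exit (66)`, so a context-lookup failure in enforcing mode now surfaces only as a generic PAM session-open failure logged by pam_selinux via syslog, and the permissive/enforcing distinction (`security_getenforce()==0`) is delegated to pam_selinux's own handling. session_child_run starts and ends outside the hunk.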
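Review bot: In the gdm-pam hunk `session required pam_selinux.so open` is inserted before `session optional pam_gnome_keyring.so`, so if that module starts gnome-keyring-daemon from its session hook, the daemon now inherits the user's computed exec context rather than gdm's; the removed slave.c code set the exec context only right before execv, after every PAM session module had already run. pam_selinux(8) advises placing `open` after session modules that execute programs and `close` before them, so unless the new labeling of the keyring daemon is intended, move the line to the end of the session stack: `session optional pam_gnome_keyring.so` followed by `session required pam_selinux.so open`. gdm-autologin-pam already has `open` as its last session line, so only gdm-pam needs the change.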
@@ -56,6 +55,9 @@ Patch35: gdmsetup-path.patch # http://bugzilla.gnome.org/show_bug.cgi?id=467335 Patch36: gdm-2.19.5-disable-typeahead.patch +# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=254164 +Patch37: gdm-2.19.6-selinux.patch + Patch100: gdm-2.19.6-change-defaults.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -101,7 +103,6 @@ BuildRequires: libattr-devel BuildRequires: gettext BuildRequires: gnome-doc-utils BuildRequires: libdmx-devel -BuildRequires: libselinux-devel >= %{libselinuxver} BuildRequires: audit-libs-devel >= %{libauditver} BuildRequires: intltool %ifnarch s390 s390x ppc64 @@ -109,7 +110,6 @@ BuildRequires: xorg-x11-server-Xorg %endif BuildRequires: nss-devel >= %{nss_version} BuildRequires: ConsoleKit -Requires: libselinux >= %{libselinuxver} Requires: audit-libs >= %{libauditver} %description @@ -140,6 +140,7 @@ Extra icons / faces for the GNOME Display Manager. %patch33 -p1 -b .pass-ats-to-session %patch35 -p1 -b .gdmsetup-path %patch36 -p1 -b .disable-typeahead +%patch37 -p1 -b .selinux %patch100 -p1 -b .change-defaults @@ -157,7 +158,6 @@ autoheader %configure --with-pam-prefix=%{_sysconfdir} \ --enable-console-helper \ --disable-scrollkeeper \ - --with-selinux \ --with-console-kit make @@ -355,6 +355,9 @@ fi %{_datadir}/pixmaps/faces/extras/*.jpg %changelog +* Fri Aug 24 2007 Ray Strode - 1:2.19.6-5 +- use pam_selinux instead of home grown selinux code (bug 254164) + * Wed Aug 22 2007 Kristian Høgsberg - 1:2.19.6-4 - Pass -br to the default X server too.
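Review bot: The `Requires: libselinux >= %{libselinuxver}` line is removed in the -109 hunk (and BuildRequires: libselinux-devel in the -101 hunk) but no runtime dependency on the package that ships pam_selinux.so is added in its place. With `session required pam_selinux.so` in both PAM files, a host where the module is missing fails every session open instead of degrading to "no SELinux support", which is a stricter failure mode than the removed `--with-selinux` build had. If the spec does not already require pam elsewhere (not visible in this diff), add a line next to the remaining `Requires: audit-libs >= %{libauditver}` such as `Requires: pam >= <version that ships pam_selinux.so>`; on Fedora the module comes from the pam package, but the exact version floor needs confirming.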