
Bug#249784: kdm: Patch for SE/Linux 2.6 Security enhancements



Package: kdm
Severity: wishlist


this is pretty much it, believe it or not.
of course configure --enable-selinux is required (in debian/rules).

the debian package should have --enable-selinux ON by default.

if you are considering _not_ applying this patch, then consider this:
a large number of packages have already accepted, upstream, the
selinux patches, including logrotate and gdm.

therefore, libselinux, like libacl, is pretty much going to become
a part of the base linux install.

also, the patch has ZERO effect on a system where selinux is neither
enabled at boot-time nor compiled into the kernel (built in or as modules).


--- client.c.old	2004-05-19 07:40:58.000000000 +0000
+++ kdm/backend/client.c	2004-05-19 07:18:01.000000000 +0000
@@ -44,6 +44,12 @@
 #include <sys/stat.h>
 #include <pwd.h>
 #include <grp.h>
+
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
 #ifdef SECURE_RPC
 # include <rpc/rpc.h>
 # include <rpc/key_prot.h>
@@ -1085,6 +1091,24 @@
 	   systemEnviron);
 
     /*
+     * for Security Enhanced Linux,
+     * set the default security context for this user.
+     */
+#ifdef WITH_SELINUX
+   if (is_selinux_enabled())
+   {
+        security_context_t scontext;
+        if (get_default_context(name,NULL,&scontext))
+             LogError("Failed to get default security context for %s.", name);
+        Debug("setting security context to %s", scontext);
+        if (setexeccon(scontext)) {
+             freecon(scontext);
+             LogError("Failed to set exec security context %s for %s.", scontext, name);
+        }
+        freecon(scontext);
+   }
+#endif
+    /*
      * for user-based authorization schemes,
      * add the user to the server's allowed "hosts" list.
      */
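Review bot: On the failure paths of the added SELinux block, `scontext` is used while invalid: if `get_default_context()` fails the code only logs and then hands the uninitialised pointer to `Debug()`, `setexeccon()` and `freecon()`, and if `setexeccon()` fails the context is freed, then printed by `LogError()`, then freed a second time. Both failures are logged and otherwise ignored, so on an SELinux-enabled system the session would presumably start without the user's context; for a login manager that should be a hard failure rather than a fall-through. `is_selinux_enabled()` returns -1 on error, so the test is safer written as `> 0`. The enclosing function starts and ends outside the hunk, so the abort step is left as a comment to be wired to its existing error path.

```c
#ifdef WITH_SELINUX
   if (is_selinux_enabled() > 0)
   {
        security_context_t scontext = NULL;
        if (get_default_context(name, NULL, &scontext)) {
             LogError("Failed to get default security context for %s.", name);
             /* abort the session start here via the enclosing function's failure path */
        } else {
             Debug("setting security context to %s", scontext);
             if (setexeccon(scontext)) {
                  /* log before freeing: the message still reads scontext */
                  LogError("Failed to set exec security context %s for %s.", scontext, name);
                  freecon(scontext);
                  /* abort the session start here as well */
             } else
                  freecon(scontext);
        }
   }
#endif
/* … unchanged: user-based authorization comment and code … */
```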
--- configure.in.in.old	2004-05-19 07:43:37.000000000 +0000
+++ configure.in.in	2004-05-19 07:18:15.000000000 +0000
@@ -197,3 +197,23 @@
 #endif
 ])
 
+AC_MSG_CHECKING(for SELinux support)
+AC_ARG_ENABLE(selinux,
+   AC_HELP_STRING([--enable-selinux], [enable SELinux support]),
+   [
+       AC_MSG_RESULT(yes)
+       AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUX_LDFLAGS="-lselinux"
+           AC_DEFINE_UNQUOTED(HAVE_SELINUX_LIB, 1, [Define if libselinux is installed])
+               AC_DEFINE(WITH_SELINUX, 1, [Define if you want wdm to be compiled with SELinux support])
+               SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"
+               ],
+               [
+               AC_MSG_WARN([libselinux not found, compiling without SELinux support])
+               ])
+   ],
+   [
+       AC_MSG_RESULT(no)
+   ])
+AC_SUBST(SELINUX_LDFLAGS)
+AC_SUBST(SELINUX_CFLAGS)
+
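Review bot: The action-if-given branch of `AC_ARG_ENABLE` on the added lines also runs for `--disable-selinux` and `--enable-selinux=no`, so an explicit opt-out still turns the feature on; guard it with `if test "x$enableval" != xno; then ... fi`. When `--enable-selinux` is requested and libselinux is missing, `AC_MSG_WARN` lets the build silently drop a security feature, whereas `AC_MSG_ERROR([libselinux not found])` would make that visible to the packager. `WITH_SELINUX` also ends up defined twice, once through `AC_DEFINE` and once through `-DWITH_SELINUX` in `SELINUX_CFLAGS`, and its description string says "wdm" where kdm is meant.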
--- Makefile.am.old	2004-05-19 07:46:07.000000000 +0000
+++ kdm/backend/Makefile.am	2004-05-19 07:18:31.000000000 +0000
@@ -8,6 +8,10 @@
     $(LIB_LIBS) $(KRB4_LIBS) $(KRB5_LIBS) $(LIBSOCKET) $(LIBRESOLV) \
     $(LIBUCB) $(LIBUTIL)
 
+CPPFLAGS = $(CPPFLAGS) $(SELINUX_CFLAGS)
+CFLAGS = $(CFLAGS) $(SELINUX_CFLAGS)
+LDFLAGS = $(LDFLAGS) $(SELINUX_LDFLAGS)
+
 bin_PROGRAMS = kdm
 kdm_SOURCES = \
     access.c \
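Review bot: The three added assignments define each variable in terms of itself (`CPPFLAGS = $(CPPFLAGS) ...`), which GNU make rejects as a recursive variable referencing itself once it is expanded, and they override the user-reserved `CPPFLAGS`/`CFLAGS`/`LDFLAGS`. The flags belong in the automake-owned variables instead, e.g. `AM_CPPFLAGS = $(SELINUX_CFLAGS)` (appended if the file already sets it). `$(SELINUX_LDFLAGS)` holds `-lselinux`, a library, so it should join the library list whose continuation lines open this hunk rather than `LDFLAGS`, where it would precede the objects on the link line. The start of that list is outside the hunk, so its variable name needs confirming.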
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.6-selinux1 #5 Tue May 18 16:33:29 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=C



