Bug#249784: kdm: Patch for SE/Linux 2.6 Security enhancements
Package: kdm
Severity: wishlist
this is pretty much it, believe it or not.
of course configure --enable-selinux is required (in debian/rules).
the debian package should have --enable-selinux ON by default.
if you are considering _not_ applying this patch, then consider this:
a large number of packages have already accepted, upstream, the
selinux patches, including logrotate and gdm.
therefore, libselinux, like libacl, is pretty much going to become
a part of the base linux install.
also, the patch has ZERO effect on a system which neither has selinux
enabled at boot-time nor has selinux compiled into (or loaded as modules _in_) the kernel.
--- client.c.old 2004-05-19 07:40:58.000000000 +0000
+++ kdm/backend/client.c 2004-05-19 07:18:01.000000000 +0000
@@ -44,6 +44,12 @@
#include <sys/stat.h>
#include <pwd.h>
#include <grp.h>
+
+#ifdef WITH_SELINUX
+#include <selinux/get_context_list.h>
+#include <selinux/selinux.h>
+#endif
+
#ifdef SECURE_RPC
# include <rpc/rpc.h>
# include <rpc/key_prot.h>
@@ -1085,6 +1091,24 @@
systemEnviron);
/*
+ * for Security Enhanced Linux,
+ * set the default security context for this user.
+ */
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled())
+ {
+ security_context_t scontext;
+ if (get_default_context(name,NULL,&scontext))
+ LogError("Failed to get default security context for %s.", name);
+ Debug("setting security context to %s", scontext);
+ if (setexeccon(scontext)) {
+ freecon(scontext);
+ LogError("Failed to set exec security context %s for %s.", scontext, name);
+ }
+ freecon(scontext);
+ }
+#endif
+ /*
* for user-based authorization schemes,
* add the user to the server's allowed "hosts" list.
*/
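Review bot: When `get_default_context()` fails, the added block only logs the error and then passes the uninitialised `scontext` to `Debug()` and `setexeccon()`; when `setexeccon()` fails, `scontext` is freed, then printed by `LogError()`, then freed a second time by the unconditional `freecon()`. Both failure paths also let session start-up continue, so the session would presumably run in the display manager's own context rather than the user's default one; the login should be refused at those points. `is_selinux_enabled()` returns -1 on error, which this test treats as "enabled", so compare with `> 0`. The enclosing function starts and ends outside the hunk, so the abort path is left as a comment in the sketch below.

```c
#ifdef WITH_SELINUX
    if (is_selinux_enabled() > 0)
    {
	security_context_t scontext = NULL;

	if (get_default_context(name, NULL, &scontext)) {
	    LogError("Failed to get default security context for %s.", name);
	    /* refuse the login here, the way this function handles its other setup failures */
	} else {
	    Debug("setting security context to %s", scontext);
	    if (setexeccon(scontext)) {
		LogError("Failed to set exec security context %s for %s.", scontext, name);
		/* refuse the login here as well, after the freecon() below */
	    }
	    freecon(scontext);
	}
    }
#endif
    /* … unchanged: user-based authorization comment and code … */
```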
--- configure.in.in.old 2004-05-19 07:43:37.000000000 +0000
+++ configure.in.in 2004-05-19 07:18:15.000000000 +0000
@@ -197,3 +197,23 @@
#endif
])
+AC_MSG_CHECKING(for SELinux support)
+AC_ARG_ENABLE(selinux,
+ AC_HELP_STRING([--enable-selinux], [enable SELinux support]),
+ [
+ AC_MSG_RESULT(yes)
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [SELINUX_LDFLAGS="-lselinux"
+ AC_DEFINE_UNQUOTED(HAVE_SELINUX_LIB, 1, [Define if libselinux is installed])
+ AC_DEFINE(WITH_SELINUX, 1, [Define if you want wdm to be compiled with SELinux support])
+ SELINUX_CFLAGS="-DWITH_SELINUX -I/usr/include/selinux"
+ ],
+ [
+ AC_MSG_WARN([libselinux not found, compiling without SELinux support])
+ ])
+ ],
+ [
+ AC_MSG_RESULT(no)
+ ])
+AC_SUBST(SELINUX_LDFLAGS)
+AC_SUBST(SELINUX_CFLAGS)
+
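Review bot: The third argument of `AC_ARG_ENABLE` runs whenever the option is given at all, so `--disable-selinux` (or `--enable-selinux=no`) takes the "yes" branch here and switches SELinux support on; wrap the body in `if test "x$enableval" != xno; then … fi`. When the option was requested and libselinux is missing, the `AC_MSG_WARN` branch quietly produces a build without the security feature; `AC_MSG_ERROR([--enable-selinux given but libselinux not found])` would make that visible to the packager. The `AC_DEFINE` description says "wdm" where kdm is meant, and WITH_SELINUX ends up defined twice, once through `AC_DEFINE` and once through `-DWITH_SELINUX` in `SELINUX_CFLAGS`.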
--- Makefile.am.old 2004-05-19 07:46:07.000000000 +0000
+++ kdm/backend/Makefile.am 2004-05-19 07:18:31.000000000 +0000
@@ -8,6 +8,10 @@
$(LIB_LIBS) $(KRB4_LIBS) $(KRB5_LIBS) $(LIBSOCKET) $(LIBRESOLV) \
$(LIBUCB) $(LIBUTIL)
+CPPFLAGS = $(CPPFLAGS) $(SELINUX_CFLAGS)
+CFLAGS = $(CFLAGS) $(SELINUX_CFLAGS)
+LDFLAGS = $(LDFLAGS) $(SELINUX_LDFLAGS)
+
bin_PROGRAMS = kdm
kdm_SOURCES = \
access.c \
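Review bot: `CPPFLAGS = $(CPPFLAGS) $(SELINUX_CFLAGS)` and the two lines after it define each variable in terms of itself with a recursive `=`, which GNU make rejects ("Recursive variable ... references itself") as soon as the variable is expanded. They also overwrite the user-reserved `CPPFLAGS`/`CFLAGS`/`LDFLAGS`, which Automake leaves to whoever runs configure or make. Put the compile flag in a per-directory variable instead, e.g. `AM_CPPFLAGS = $(SELINUX_CFLAGS)` (or append it to whatever include variable this Makefile.am already sets, which is outside the hunk). Add `$(SELINUX_LDFLAGS)` to the library list that ends at `$(LIBUCB) $(LIBUTIL)`, so `-lselinux` follows the objects on the link line; the variable that list belongs to starts outside the hunk.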
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.6-selinux1 #5 Tue May 18 16:33:29 GMT 2004 i686
Locale: LANG=C, LC_CTYPE=C