
Bug#319121: FTBFS: Missing build-dependency on libselinux1-dev



> Please either make some appropriate -dev package, or perhaps even
> xutils, depend on libselinux-dev, or else stop telling arbitrary
> programs to link with libselinux.

Attached is a reworked patch 099s_selinux_support.diff with all
SELinux-specific changes moved from Imake.tmpl to the xdm Imakefile, as
xdm is the only program affected by the SELinux addition. This change
prevents -lselinux from being pulled into the link flags of programs
using xmkmf.

$Id$

Add support for SELinux.  Note that this patch only adds source-level
support, and does not actually enable it.

This patch by Manoj Srivastava.  As he notes in Debian #233551:

    As implemented, the patch merely provides a capability, which
    has to be explicitly turned on at compile time with -DHasSELinux=YES.
    If one does not compile with -DHasSELinux=YES, the patch is a no-op.
    Since none of the code is compiled in, there is no change in
    behaviour, nor is there any performance hit.

    If you do turn on the SELinux compatibility with -DHasSELinux,
    you would need libselinux at build time.  In other words, the
    mainline X build does not build depend on SELinux; the dependency is
    only invoked if you explicitly pass a parameter to imake.

    Even when SELinux compatibility is compiled in, on a non
    SELinux kernel it is dead code; there is no change in functionality,
    apart from a single check to see if SELinux is available at each
    login. The SELinux code paths are not exercised on non-SELinux
    kernels.

The more permanent way to enable SELinux support is to #define HasSELinux
YES in the relevant distribution-specific section of linux.cf.  If that is
done for Debian, the source package will need to add a build-dependency on
the libselinux1-dev package.

Changes by Eugene Konev:
    Do not impose selinux on the whole world out there: move selinux 
    specific changes from config/cf/Imake.tmpl to programs/xdm/Imakefile,
    as xdm is the only program affected by this patch.

Not submitted upstream to XFree86 or X.Org.

Index: xc/config/cf/linux.cf
===================================================================
--- xc-old/config/cf/linux.cf	2005-07-21 03:33:06.000000000 +0800
+++ xc/config/cf/linux.cf	2005-07-21 03:34:00.000000000 +0800
@@ -1114,3 +1114,57 @@
 #ifndef XFree86ServerOSDefines
 # define XFree86ServerOSDefines
 #endif
+
+/*
+ *     SELinux support
+ */
+#ifndef HasSELinux
+# define HasSELinux YES
+#endif
+
+#ifndef SELinuxDefines
+# if HasSELinux
+#  define SELinuxDefines -DHAVE_SELINUX
+# else
+#  define SELinuxDefines /**/
+# endif
+#endif
+
+#ifndef SELinuxIncludeFlags
+# if HasSELinux
+#   define SELinuxIncludeFlags -I/usr/include/selinux
+# else
+#   define SELinuxIncludeFlags /**/
+# endif
+#endif
+
+#ifndef SELinuxCompileFlags
+# define SELinuxCompileFlags /**/
+#endif
+
+#ifndef SELinuxLoadFlags
+# define SELinuxLoadFlags SELinuxCompileFlags
+#endif
+
+#ifndef SELinuxLibraries
+# if HasSELinux
+#  define SELinuxLibraries -lselinux
+# else
+#  define SELinuxLibraries /**/
+# endif
+#endif
+
+#if HasSELinux
+# ifndef SELINUX_LDFLAGS
+   SELINUX_LDFLAGS = SELinuxLoadFlags
+# endif
+# ifndef SELINUX_INCLUDES
+   SELINUX_INCLUDES = SELinuxIncludeFlags
+# endif
+# ifndef SELINUX_CFLAGS
+   SELINUX_CFLAGS = SELinuxCompileFlags SELinuxDefines
+# endif
+# ifndef SELINUX_LIBS
+   SELINUX_LIBS = SELinuxLibraries
+# endif
+#endif
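Review bot: `# define HasSELinux YES` turns SELinux support on for every Linux build that does not override it, which contradicts the patch header's statement that the patch "does not actually enable it" and is a no-op unless -DHasSELinux=YES is passed. With this default the build needs the libselinux headers and library, so either the default should be `# define HasSELinux NO` or the header text and the build-dependencies should say that SELinux is on. The `SELINUX_*` make variables also appear to be emitted from linux.cf for every generated Makefile rather than from the xdm Imakefile as the description says; they are harmless unless referenced, but the description should match. Separately, `SELinuxIncludeFlags -I/usr/include/selinux` looks unnecessary, since session.c includes `<selinux/selinux.h>` relative to the standard include directory.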
Index: xc/programs/xdm/session.c
===================================================================
--- xc-old/programs/xdm/session.c	2005-07-21 03:33:06.000000000 +0800
+++ xc/programs/xdm/session.c	2005-07-21 03:34:00.000000000 +0800
@@ -61,6 +61,11 @@
 # include <krb5/krb5.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
@@ -68,6 +73,34 @@
 # endif
 #endif
 
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+  {
+	security_context_t scontext;
+	/* If SELinux is not enabled, then we don't do anything. */
+	if ( ! is_selinux_enabled ())
+	return TRUE;
+	
+	if (get_default_context((char*) login,0, &scontext) < 0) {
+	LogError ("SELinux: unable to obtain default security context for %s\n",
+	         login);
+	return FALSE;
+	}
+		
+	if (setexeccon (scontext) != 0) {
+	freecon (scontext);
+	LogError ("SELinux: unable to set executable context %s\n",
+	      (char *)scontext);
+	return FALSE;
+	}
+		
+	freecon (scontext);
+	return TRUE;
+}
+#endif /* HAVE_SELINUX */
+				
 static	int	runAndWait (char **args, char **environ);
 
 #if defined(CSRG_BASED) || defined(__osf__) || defined(__DARWIN__) || defined(__QNXNTO__) || defined(sun) || defined(__GLIBC__)
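Review bot: In the `setexeccon` failure path of `xdm_selinux_setup`, `freecon (scontext)` runs before `LogError` formats `scontext` with `%s`, so the log call reads freed memory. Log first and free afterwards: `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext); freecon (scontext);`. The `(char*) login` cast discards `const`; a short comment stating that the user name is only read by `get_default_context` would justify it. `is_selinux_enabled ()` may also return a negative value on error in some libselinux versions, which `!` treats as enabled, so the function presumably falls through to a failing `get_default_context`; a comment saying that this fail-closed behaviour is intended would help the next reader.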
@@ -726,6 +759,17 @@
 #endif /* K5AUTH */
 	bzero(passwd, strlen(passwd));
 	SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+   /*
+    * For Security Enhanced Linux:
+    * set the default security context for this user.
+    */
+   if ( ! xdm_selinux_setup (name)) {
+      LogError ("failed to set security context\n");
+       exit (UNMANAGE_DISPLAY);
+       return (0);
+   }
+#endif /* HAVE_SELINUX */
 	home = getEnv (verify->userEnviron, "HOME");
 	if (home)
 	    if (chdir (home) == -1) {
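Review bot: The `return (0);` after `exit (UNMANAGE_DISPLAY);` is unreachable and can be dropped, and the three statements in the added block use three different indents. Exiting when the context cannot be set is the right fail-closed behaviour, but `setexeccon` only applies to the next exec performed by this process, so a comment such as `/* must run in the process that execs the session, before the exec */` would record why the call sits here. The enclosing function starts and ends outside the hunk, so whether any other exec happens between this call and the session exec cannot be confirmed from what is visible.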
Index: xc/programs/xdm/Imakefile
===================================================================
--- xc-old/programs/xdm/Imakefile	2005-07-21 03:33:06.000000000 +0800
+++ xc/programs/xdm/Imakefile	2005-07-21 03:34:00.000000000 +0800
@@ -200,12 +200,13 @@
    XDMCONFIGDIR = XdmConfigurationSubdirectory
         SUBDIRS = $(GREET_DIR) $(XDMCONFIGDIR)
 
-INCLUDES = $(KRB5_INCLUDE)
+INCLUDES = $(KRB5_INCLUDE) $(SELINUX_INCLUDES)
 DEPLIBS = $(DEPXMULIB) $(DEPXTOOLLIB) $(DEPXLIB) $(DEPXAUTHLIB) \
 	  $(DEPXDMCPLIB) $(XINDEPLIBS)
+LOCAL_LDFLAGS	=  $(SELINUX_LDFLAGS)
 LOCAL_LIBRARIES = $(GREETLIBS) $(XMULIB) $(XTOOLLIB) $(XLIB) $(XAUTHLIB) \
 	$(XDMCPLIB) $(RPCLIB) $(PAM_LIBRARIES) $(DLLIBRARY) \
-	$(CRYPT_LIBRARIES) $(KRBIVLIB) $(XINLIBS)
+	$(CRYPT_LIBRARIES) $(KRBIVLIB) $(XINLIBS) $(SELINUX_LIBS)
 
           SRCS1 = auth.c daemon.c server.c dpylist.c dm.c error.c file.c \
 		  netaddr.c reset.c resource.c protodpy.c policy.c \
@@ -330,6 +331,7 @@
 SpecialCObjectRule(socket,$(ICONFIGFILES),$(SOCK_DEFINES))
 SpecialCObjectRule(xdmcp,$(ICONFIGFILES),$(SOCK_DEFINES))
 SpecialCObjectRule(xdmshell,$(ICONFIGFILES),$(VFORK_DEFINES))
+SpecialCObjectRule(session,,$(SELINUX_CFLAGS))
 
 #if !SharedLibXdmGreet
 LinkSourceFile(greet.c,greeter)
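Review bot: `SpecialCObjectRule(session,,$(SELINUX_CFLAGS))` passes an empty dependency argument, while the neighbouring rules all pass `$(ICONFIGFILES)`; as written, session.o would not be rebuilt when the imake configuration (and with it `HasSELinux`) changes. Consider `SpecialCObjectRule(session,$(ICONFIGFILES),$(SELINUX_CFLAGS))`. If session.c already has a special object rule elsewhere in the Imakefile, which is not visible here, the defines would need to be merged into that rule instead.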
