X Strike Force XFree86 SVN commit: r2133 - in trunk/debian: . patches
Author: branden
Date: 2005-01-12 14:56:03 -0500 (Wed, 12 Jan 2005)
New Revision: 2133
Added:
trunk/debian/patches/099s_selinux_support.diff
Modified:
trunk/debian/CHANGESETS
trunk/debian/TODO
trunk/debian/changelog
Log:
Add patch from Manoj Srivastava that implements support for SELinux in
imake and xdm. (Note that this patch only adds source-level support, and
does not actually enable it.) Thanks, Manoj! (Closes: #233551)
Modified: trunk/debian/CHANGESETS
===================================================================
--- trunk/debian/CHANGESETS 2005-01-12 07:11:51 UTC (rev 2132)
+++ trunk/debian/CHANGESETS 2005-01-12 19:56:03 UTC (rev 2133)
@@ -132,4 +132,9 @@
operational error, not a user-input error.
2128, 2129, 2130
+Add patch from Manoj Srivastava that implements support for SELinux in
+imake and xdm. (Note that this patch only adds source-level support, and
+does not actually enable it.) Thanks, Manoj! (Closes: #233551)
+ 2133
+
vim:set ai et sts=4 sw=4 tw=80:
Modified: trunk/debian/TODO
===================================================================
--- trunk/debian/TODO 2005-01-12 07:11:51 UTC (rev 2132)
+++ trunk/debian/TODO 2005-01-12 19:56:03 UTC (rev 2133)
@@ -50,7 +50,6 @@
port. See <URL: http://lists.debian.org/debian-68k/2004/08/msg00392.html>.
* #245541: Evaluate Sven Luther's driver DDK package patch:
http://lists.debian.org/debian-x/2003/debian-x-200311/msg00002.html
-* #233551: add SELinux support to xdm
Post 4.3.0-1
------------
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-01-12 07:11:51 UTC (rev 2132)
+++ trunk/debian/changelog 2005-01-12 19:56:03 UTC (rev 2133)
@@ -105,8 +105,12 @@
XOpenDisplay() fails. Being unable to connect to the X server is an
operational error, not a user-input error.
- -- Branden Robinson <branden@debian.org> Tue, 11 Jan 2005 01:17:16 -0500
+ * Add patch from Manoj Srivastava that implements support for SELinux in
+ imake and xdm. (Note that this patch only adds source-level support, and
+ does not actually enable it.) Thanks, Manoj! (Closes: #233551)
+ -- Branden Robinson <branden@debian.org> Wed, 12 Jan 2005 14:54:44 -0500
+
xfree86 (4.3.0.dfsg.1-10) unstable; urgency=medium
* Upload urgency set to medium due to fix for stable-release-critical bugs
Added: trunk/debian/patches/099s_selinux_support.diff
===================================================================
--- trunk/debian/patches/099s_selinux_support.diff 2005-01-12 07:11:51 UTC (rev 2132)
+++ trunk/debian/patches/099s_selinux_support.diff 2005-01-12 19:56:03 UTC (rev 2133)
@@ -0,0 +1,186 @@
+$Id$
+
+Add support for SELinux. Note that this patch only adds source-level
+support, and does not actually enable it.
+
+This patch by Manoj Srivastava. As he notes in Debian #233551:
+
+ As implemented, the patch merely provides a capability, which
+ has to be explicitly turned on at compile time with -DHasSELinux=YES.
+ If one does not compile with -DHasSELinux=YES, the patch is a no-op.
+ Since none of the code is compiled in, there is no change in
+ behaviour, nor is there any performance hit.
+
+ If you do turn on the SELinux compatibility with -DHasSELinux,
+ you would need libselinux at build time. In other words, the
+ mainline X build does not build depend on SELinux; the dependency is
+ only invoked if you explicitly pass a parameter to imake.
+
+ Even when SELinux compatibility is compiled in, on a non
+ SELinux kernel it is dead code; there is no change in functionality,
+ apart from a single check to see if SELinux is available at each
+ login. The SELinux code paths are not exercised on non-SELinux
+ kernels.
+
+The more permanent way to enable SELinux support is to #define HasSELinux
+YES in the relevant distribution-specific section of linux.cf. If that is
+done for Debian, the source package will need to add a build-dependency on
+the libselinux1-dev package.
+
+Not submitted upstream to XFree86 or X.Org.
+
+--- xc/config/cf/Imake.tmpl~ 2005-01-12 11:55:51.000000000 -0500
++++ xc/config/cf/Imake.tmpl 2005-01-12 11:56:26.000000000 -0500
+@@ -2033,17 +2033,21 @@
+ * EXTRA_INCLUDES contains project-specific includes set in project incfiles
+ * INCLUDES contains client-specific includes set in Imakefile
+ * LOCAL_LDFLAGS contains client-specific ld flags flags set in Imakefile
++ * SELINUX_INCLUDES contains SELinux-specific includes set in the appropriate .cf file
++ * SELINUX_LDFLAGS contains SELinux-specific ld flags set in the appropriate .cf file
++ * SELINUX_CFLAGS contains SELinux-specific compiler flags set in the .cf file
++ * SELINUX_LIBS contains SELinux-specific libraries to link with set in the .cf file
+ */
+- ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES)
++ ALLINCLUDES = $(INCLUDES) $(EXTRA_INCLUDES) $(TOP_INCLUDES) $(INSTALLED_INCLUDES) $(STD_INCLUDES) $(SELINUX_INCLUDES)
+ ALLDEFINES = $(ALLINCLUDES) $(STD_DEFINES) $(PROTO_DEFINES) $(THREADS_DEFINES) $(MODULE_DEFINES) $(DEFINES) $(EXTRA_DEFINES)
+- CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
++ CFLAGS = $(CDEBUGFLAGS) $(CCOPTIONS) $(THREADS_CFLAGS) $(SELINUX_CFLAGS) $(MODULE_CFLAGS) $(ALLDEFINES)
+ LINTFLAGS = $(LINTOPTS) -DLINT $(ALLDEFINES) $(DEPEND_DEFINES)
+ LDPRELIB = LdPreLib $(INSTALLED_LIBS)
+ LDPOSTLIB = LdPostLib
+- LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
++ LDOPTIONS = $(CDEBUGFLAGS) $(CCOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_LDFLAGS) $(SELINUX_LDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
+ CXXLDOPTIONS = $(CXXDEBUGFLAGS) $(CXXOPTIONS) $(EXTRA_LDOPTIONS) $(THREADS_CXXLDFLAGS) $(LOCAL_LDFLAGS) $(LDPRELIBS)
+
+- LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
++ LDLIBS = $(LDPOSTLIBS) $(THREADS_LIBS) $(SELINUX_LIBS) $(SYS_LIBRARIES) $(EXTRA_LIBRARIES)
+ #if HasBrokenCCForLink
+ CCLINK = LdCmd
+ #else
+--- xc/config/cf/linux.cf~ 2005-01-12 11:55:59.000000000 -0500
++++ xc/config/cf/linux.cf 2005-01-12 11:56:26.000000000 -0500
+@@ -1036,3 +1036,57 @@
+ #ifndef XFree86ServerOSDefines
+ # define XFree86ServerOSDefines
+ #endif
++
++/*
++ * SELinux support
++ */
++#ifndef HasSELinux
++# define HasSELinux NO
++#endif
++
++#ifndef SELinuxDefines
++# if HasSELinux
++# define SELinuxDefines -DHAVE_SELINUX
++# else
++# define SELinuxDefines /**/
++# endif
++#endif
++
++#ifndef SELinuxIncludeFlags
++# if HasSELinux
++# define SELinuxIncludeFlags -I/usr/include/selinux
++# else
++# define SELinuxIncludeFlags /**/
++# endif
++#endif
++
++#ifndef SELinuxCompileFlags
++# define SELinuxCompileFlags /**/
++#endif
++
++#ifndef SELinuxLoadFlags
++# define SELinuxLoadFlags SELinuxCompileFlags
++#endif
++
++#ifndef SELinuxLibraries
++# if HasSELinux
++# define SELinuxLibraries -lselinux
++# else
++# define SELinuxLibraries /**/
++# endif
++#endif
++
++#if HasSELinux
++# ifndef SELINUX_LDFLAGS
++ SELINUX_LDFLAGS = SELinuxLoadFlags
++# endif
++# ifndef SELINUX_INCLUDES
++ SELINUX_INCLUDES = SELinuxIncludeFlags
++# endif
++# ifndef SELINUX_CFLAGS
++ SELINUX_CFLAGS = SELinuxCompileFlags SELinuxDefines
++# endif
++# ifndef SELINUX_LIBS
++ SELINUX_LIBS = SELinuxLibraries
++# endif
++#endif
+--- xc/programs/xdm/session.c~ 2005-01-12 11:56:06.000000000 -0500
++++ xc/programs/xdm/session.c 2005-01-12 12:01:56.000000000 -0500
+@@ -60,6 +60,11 @@
+ # include <krb5/krb5.h>
+ #endif
+
++#ifdef HAVE_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/get_context_list.h>
++#endif /* HAVE_SELINUX */
++
+ #ifndef GREET_USER_STATIC
+ # include <dlfcn.h>
+ # ifndef RTLD_NOW
+@@ -241,6 +246,34 @@
+ SessionExit (d, RESERVER_DISPLAY, TRUE);
+ }
+
++#ifdef HAVE_SELINUX
++/* This should be run just before we exec the user session. */
++static int
++xdm_selinux_setup (const char *login)
++{
++ security_context_t scontext;
++ /* If SELinux is not enabled, then we don't do anything. */
++ if ( ! is_selinux_enabled ())
++ return TRUE;
++
++ if (get_default_context((char*) login,0, &scontext) < 0) {
++ LogError ("SELinux: unable to obtain default security context for %s\n",
++ login);
++ return FALSE;
++ }
++
++ if (setexeccon (scontext) != 0) {
++ freecon (scontext);
++ LogError ("SELinux: unable to set executable context %s\n",
++ (char *)scontext);
++ return FALSE;
++ }
++
++ freecon (scontext);
++ return TRUE;
++}
++#endif /* HAVE_SELINUX */
++
+ /*
+ * We need our own error handlers because we can't be sure what exit code Xlib
+ * will use, and our Xlib does exit(1) which matches REMANAGE_DISPLAY, which
+@@ -725,6 +758,17 @@
+ #endif /* K5AUTH */
+ bzero (passwd, strlen (passwd));
+ SetUserAuthorization (d, verify);
++#ifdef HAVE_SELINUX
++ /*
++ * For Security Enhanced Linux:
++ * set the default security context for this user.
++ */
++ if ( ! xdm_selinux_setup (name)) {
++ LogError ("failed to set security context\n");
++ exit (UNMANAGE_DISPLAY);
++ return (0);
++ }
++#endif /* HAVE_SELINUX */
+ home = getEnv (verify->userEnviron, "HOME");
+ if (home)
+ if (chdir (home) == -1) {
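Review bot: In xdm_selinux_setup, the setexeccon() failure branch calls `freecon (scontext);` and only then passes `scontext` to LogError, so the error message formats a string that has already been released (a use-after-free on the error path). Swap the two statements so the log call runs first: `LogError ("SELinux: unable to set executable context %s\n", (char *)scontext);` followed by `freecon (scontext);`. At the call site, `return (0);` after `exit (UNMANAGE_DISPLAY);` is unreachable and can be dropped; that call sits in a function whose body starts and ends outside the nested hunk. Refusing the login when no context can be obtained or set is fail-closed, and a short comment at the call site stating that this is intentional would help the next reader.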
Property changes on: trunk/debian/patches/099s_selinux_support.diff
___________________________________________________________________
Name: svn:keywords
+ Id