--- Begin Message ---
Package: xdm
Version: 1:1.1.8-3
Severity: normal
The SE Linux patch was written for an older release of SE Linux and
doesn't work properly with the latest code base (gets the wrong
login context).
Below is a modified patch to make it work correctly.
Could you please build with this patch ASAP so we can try and get it
into Lenny?
# HG changeset patch
# User ejka@imfi.kspu.ru
# Node ID 4403c371616cc416a83156451f1afd293aff0e16
# Parent 28b3145223134d9d9a32202d0bae2036572e560a
Ported 099s_selinux_support.diff (changes: remove Imakefile hunks, add
--with-selinux flag to configure.ac).
Updated to latest SE Linux code by Russell Coker 3rd Aug 2008
diff -ru xdm-1.1.8-prese/configure.ac xdm-1.1.8/configure.ac
--- xdm-1.1.8-prese/configure.ac 2008-05-22 04:24:55.000000000 +1000
+++ xdm-1.1.8/configure.ac 2008-08-03 07:37:02.000000000 +1000
@@ -116,6 +116,23 @@
fi])
fi
+use_selinux_default=no
+# Check for selinux support
+AC_ARG_WITH(selinux, AC_HELP_STRING([--with-selinux],[Add support for selinux]),
+ [USE_SELINUX=$withval], [USE_SELINUX=$use_selinux_default])
+if test "x$USE_SELINUX" != "xno" ; then
+ old_LIBS="$LIBS"
+ LIBS=""
+ AC_SEARCH_LIBS(is_selinux_enabled,[selinux])
+ AC_CHECK_FUNC(is_selinux_enabled,
+ [AC_DEFINE(HAVE_SELINUX,1,[Add support for selinux])],
+ [if test "x$USE_SELINUX" != "xtry" ; then
+ AC_MSG_ERROR(["selinux support requested, but is_selinux_enabled not found."])
+ fi])
+ XDM_LIBS="$XDM_LIBS $LIBS"
+ LIBS="$old_LIBS"
+fi
+
# FIXME: Find better test for which OS'es use su -m - for now, just try to
# mirror the Imakefile setting of:
# if defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
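Review bot: With `--with-selinux=try`, the failure branch of `AC_CHECK_FUNC(is_selinux_enabled, ...)` does nothing, so configure silently produces an xdm that starts sessions without the SELinux context transition. Adding an `else` arm to that inner `if`, such as `AC_MSG_WARN([is_selinux_enabled not found; building xdm without SELinux support])`, would make the fallback visible in the build log. The help string could also list the accepted values, for example `[--with-selinux=yes|no|try]`, since `try` is handled but not documented. Because `use_selinux_default=no`, the packaging has to pass the flag explicitly for any of the session.c code to be compiled.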
diff -ru xdm-1.1.8-prese/session.c xdm-1.1.8/session.c
--- xdm-1.1.8-prese/session.c 2008-08-03 07:36:02.000000000 +1000
+++ xdm-1.1.8/session.c 2008-08-03 08:16:22.000000000 +1000
@@ -36,6 +36,10 @@
* session.c
*/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include "dm.h"
#include "dm_auth.h"
#include "dm_error.h"
@@ -70,6 +74,11 @@
#include <prot.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
#ifndef GREET_USER_STATIC
# include <dlfcn.h>
# ifndef RTLD_NOW
@@ -77,6 +86,39 @@
# endif
#endif
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+ {
+ security_context_t scontext;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ /* If SELinux is not enabled, then we don't do anything. */
+ if ( is_selinux_enabled () <= 0)
+ return TRUE;
+
+ if (getseuserbyname(login, &seuser, &level) == 0)
+ ret=get_default_context_with_level(seuser, level, 0, &scontext);
+ if (ret < 0 || scontext == NULL) {
+ LogError ("SELinux: unable to obtain default security context for %s\n", login);
+ return FALSE;
+ }
+
+ if (setexeccon (scontext) != 0) {
+ freecon (scontext);
+ LogError ("SELinux: unable to set executable context %s\n",
+ (char *)scontext);
+ return FALSE;
+ }
+
+ freecon (scontext);
+ return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
static int runAndWait (char **args, char **environ);
#ifdef HAVE_GRP_H
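Review bot: In the `setexeccon` failure branch of `xdm_selinux_setup`, `freecon (scontext)` runs before `LogError` formats `scontext`, so the error message reads memory that has already been released; the log call should come first. The `seuser` and `level` strings filled in by `getseuserbyname` are also never freed on any path. `scontext` is declared without an initialiser, so the `scontext == NULL` test relies on the library having written it; starting it at NULL makes that check dependable. Separately, `is_selinux_enabled () <= 0` treats a negative (error) return the same as "disabled" and lets the session proceed unlabelled, which is worth a deliberate decision and a comment. The excerpt assumes `free` is already declared through the file's existing includes.

```c
    security_context_t scontext = NULL;
    /* … unchanged: ret, seuser, level declarations and the is_selinux_enabled check … */
    if (getseuserbyname(login, &seuser, &level) == 0)
	ret = get_default_context_with_level(seuser, level, 0, &scontext);
    /* getseuserbyname allocates both strings; they are not needed past this point */
    free(seuser);
    free(level);
    /* … unchanged: ret/scontext check and its LogError … */
    if (setexeccon (scontext) != 0) {
	/* log while scontext is still valid, then release it */
	LogError ("SELinux: unable to set executable context %s\n",
		  (char *)scontext);
	freecon (scontext);
	return FALSE;
    }
```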
@@ -785,6 +827,17 @@
bzero(passwd, strlen(passwd));
SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+ /*
+ * For Security Enhanced Linux:
+ * set the default security context for this user.
+ */
+ if ( ! xdm_selinux_setup (name)) {
+ LogError ("failed to set security context\n");
+ exit (UNMANAGE_DISPLAY);
+ return (0);
+ }
+#endif /* HAVE_SELINUX */
home = getEnv (verify->userEnviron, "HOME");
if (home)
if (chdir (home) == -1) {
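Review bot: The `return (0);` that follows `exit (UNMANAGE_DISPLAY);` in the added block can never execute and can be dropped. The call is placed right after `SetUserAuthorization (d, verify)` and before the `chdir (home)` handling, while the helper's own comment says it should run just before the session exec; since `setexeccon` sets a pending context for a later exec, any other program executed between this point and the session exec (not visible in this hunk) would presumably be started under it as well, so the placement is worth confirming. Exiting on failure is the right fail-closed default, but the generic `LogError ("failed to set security context\n")` adds nothing to the helper's message and could name the display instead. If refusing logins on a permissive system is not intended, `security_getenforce()` can distinguish that case. The enclosing function starts and ends outside the hunk.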
--- End Message ---
--- Begin Message ---
Source: xdm
Source-Version: 1:1.1.8-4
We believe that the bug you reported is fixed in the latest version of
xdm, which is due to be installed in the Debian FTP archive:
xdm_1.1.8-4.diff.gz
to pool/main/x/xdm/xdm_1.1.8-4.diff.gz
xdm_1.1.8-4.dsc
to pool/main/x/xdm/xdm_1.1.8-4.dsc
xdm_1.1.8-4_i386.deb
to pool/main/x/xdm/xdm_1.1.8-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 493524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xdm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 20 Aug 2008 15:30:27 +0200
Source: xdm
Binary: xdm
Architecture: source i386
Version: 1:1.1.8-4
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description:
xdm - X display manager
Closes: 493524 495776
Changes:
xdm (1:1.1.8-4) unstable; urgency=low
.
* Update SELinux patch to get the correct login context (closes: #493524).
Thanks, Russell Coker!
* debian.diff: Fix remaining bad reference to the auth dir in manpage.
* xdm_fixes.diff: open the log file *after* BecomeDaemon(), so we don't send
the log to /dev/null (closes: #495776).
Checksums-Sha1:
6f13708f80c9858407856f27f351aac2d8109ada 1369 xdm_1.1.8-4.dsc
84a3a6d82f49b6ae7182f48672fdc2450a313540 104188 xdm_1.1.8-4.diff.gz
611f40cc6fd17c5fe9109c3c4d437273c335f6a9 192708 xdm_1.1.8-4_i386.deb
Checksums-Sha256:
dd9b376eb1d744b17260ea001b96125e84fdd4214ef22350d19eb85ad39cfeaa 1369 xdm_1.1.8-4.dsc
ced51244030ed4d8c4ef382270e888a737391b6ec885f55c77cf51ee53e395f1 104188 xdm_1.1.8-4.diff.gz
1bec743eaaa8917d8cdc67cd46b64d6e527e8365a1ac5be4f3a3620e26a43f2f 192708 xdm_1.1.8-4_i386.deb
Files:
34ecb17ffac7cfe753019c80507ef293 1369 x11 optional xdm_1.1.8-4.dsc
44798e5528058601714a18f6c6f051a9 104188 x11 optional xdm_1.1.8-4.diff.gz
0f748b414f4e48061ba01f7a33ca4714 192708 x11 optional xdm_1.1.8-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkisHb8ACgkQmEvTgKxfcAxXvQCgxNrYZjUD8F84GmwSpRdh1ri9
qIgAoNtXt+Lk/5GYY+lI0/mzup6ZvXtc
=upHy
-----END PGP SIGNATURE-----
--- End Message ---