From fd4291d5e4e811a0e484a06d88509f4adfed6a90 Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Thu, 6 Sep 2012 17:01:03 -0400
Subject: [PATCH 1/2] configure: check for selinux again

This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.
---
 configure.ac | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5283845..af31719 100644
--- a/configure.ac
+++ b/configure.ac
@@ -142,6 +142,14 @@ AC_SUBST(UPOWER)
 AC_SUBST(UPOWER_CFLAGS)
 AC_SUBST(UPOWER_LIBS)
 
+PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)
+
+if test "x$have_selinux" = "xyes" ; then
+ AC_DEFINE(HAVE_SELINUX, 1, [Define if have selinux])
+fi
+AC_SUBST(LIBSELINUX_CFLAGS)
+AC_SUBST(LIBSELINUX_LIBS)
+
 PKG_CHECK_MODULES(SIMPLE_GREETER,
 gtk+-3.0 >= $GTK_REQUIRED_VERSION
 fontconfig >= $FONTCONFIG_REQUIRED_VERSION
@@ -1595,6 +1603,7 @@ fi
 echo \
 " Xinerama support: ${XINERAMA_SUPPORT}
 XDMCP support: ${XDMCP_SUPPORT}
+ SELinux support: ${have_selinux}
 ConsoleKit support: ${use_console_kit}
 systemd support: ${use_systemd}
 systemd unit dir: ${with_systemdsystemunitdir}
-- 
1.7.12

From d4dbdc8c5a5703f205540d0c39459e1a06faf458 Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Thu, 6 Sep 2012 17:14:06 -0400
Subject: [PATCH 2/2] daemon: reset exec context after fork()

When pam_open_session finishes, the session worker is set up such that the next fork()/exec() may transition the user to a user specific context (such as staff_t). This makes sense for the first fork()/exec() (which is the user login), but the worker may fork()/exec() other workers after login for unlock operations. These workers need to run in a gdm context not a user context. This commit changes gdm-session-worker to manually reset the exec() context after the first fork().

https://bugzilla.gnome.org/show_bug.cgi?id=683426
---
 daemon/Makefile.am | 2 ++
 daemon/gdm-session-worker.c | 11 +++++++++++
 2 files changed, 13 insertions(+)
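Review bot: In the first configure.ac hunk (`@@ -142,6 +142,14 @@`), `PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)` turns a missing libselinux into a silent `have_selinux=no`, so a build host that lacks the development package produces a gdm-session-worker compiled without HAVE_SELINUX. Patch 2/2 of this series guards a security-relevant exec-context reset behind that define, so the reset can disappear from a build without anyone asking for that. Consider an explicit `--with-selinux` switch via `AC_ARG_WITH` that ends in `AC_MSG_ERROR([libselinux requested but not found])` when the feature was requested and the check fails, keeping auto-detection only when the switch is not given. The summary line added in the second hunk reports the result but does not stop the build.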
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 8d0cf5e..bb84765 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -27,6 +27,7 @@ AM_CPPFLAGS = \
 $(WARN_CFLAGS) \
 $(DEBUG_CFLAGS) \
 $(SYSTEMD_CFLAGS) \
+ $(LIBSELINUX_CFLAGS) \
 -DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\" \
 $(NULL)
 
@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = \
 $(top_builddir)/common/libgdmcommon.la \
 $(DAEMON_LIBS) \
 $(SYSTEMD_LIBS) \
+ $(LIBSELINUX_LIBS) \
 $(NULL)
 
 sbin_PROGRAMS = \
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 190123d..1ccc0b7 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -46,6 +46,10 @@
 #include
 #endif
 
+#ifdef HAVE_SELINUX
+#include
+#endif /* HAVE_SELINUX */
+
 #include "gdm-common.h"
 #include "gdm-log.h"
 #include "gdm-session-worker.h"
@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker *worker,
 _exit (127);
 }
 
+ /* If we end up execing again, make sure we don't use the executable context set up
+ * by pam_selinux durin pam_open_session
+ */
+#ifdef HAVE_SELINUX
+ setexeccon (NULL);
+#endif
+
 worker->priv->child_pid = session_pid;
 
 g_debug ("GdmSessionWorker: session opened creating reply...");
-- 
1.7.12
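Review bot: The return value of `setexeccon (NULL)` in the gdm_session_worker_start_session hunk is discarded, so if the reset fails the worker keeps the exec context left by pam_selinux and later fork()/exec()'d unlock workers would still transition into the user context, with nothing in the log. I would check and report it, e.g. `if (is_selinux_enabled () > 0 && setexeccon (NULL) < 0)` followed by `g_warning ("GdmSessionWorker: could not reset SELinux exec context: %s", g_strerror (errno));`, where the `is_selinux_enabled ()` guard avoids noise on hosts with SELinux turned off. The comment above the call also has a typo (`durin` should be `during`). The function starts and ends outside the hunk, so whether this runs only on the parent path, and whether errno.h is already included, cannot be confirmed from here.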