From fd4291d5e4e811a0e484a06d88509f4adfed6a90 Mon Sep 17 00:00:00 2001

From: Ray Strode <rstrode@redhat.com>

Date: Thu, 6 Sep 2012 17:01:03 -0400

Subject: [PATCH 1/2] configure: check for selinux again

This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.

---

 configure.ac | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/configure.ac b/configure.ac

index 5283845..af31719 100644

--- a/configure.ac

+++ b/configure.ac

@@ -142,6 +142,14 @@ AC_SUBST(UPOWER)

 AC_SUBST(UPOWER_CFLAGS)

 AC_SUBST(UPOWER_LIBS)

+PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)

+

+if test "x$have_selinux" = "xyes" ; then

+        AC_DEFINE(HAVE_SELINUX, 1, [Define if have selinux])

+fi

+AC_SUBST(LIBSELINUX_CFLAGS)

+AC_SUBST(LIBSELINUX_LIBS)

+

 PKG_CHECK_MODULES(SIMPLE_GREETER,

         gtk+-3.0 >= $GTK_REQUIRED_VERSION

 	fontconfig >= $FONTCONFIG_REQUIRED_VERSION

@@ -1595,6 +1603,7 @@ fi

 echo \

 "        Xinerama support:         ${XINERAMA_SUPPORT}

         XDMCP support:            ${XDMCP_SUPPORT}

+        SELinux support:          ${have_selinux}

         ConsoleKit support:       ${use_console_kit}

         systemd support:          ${use_systemd}

         systemd unit dir:         ${with_systemdsystemunitdir}

-- 

1.7.12

From d4dbdc8c5a5703f205540d0c39459e1a06faf458 Mon Sep 17 00:00:00 2001

From: Ray Strode <rstrode@redhat.com>

Date: Thu, 6 Sep 2012 17:14:06 -0400

Subject: [PATCH 2/2] daemon: reset exec context after fork()

When pam_open_session finishes, the session worker

is set up such that the next fork()/exec() may transition the

user to a user specific context (such as staff_t).

This makes sense for the first fork()/exec() (which is the user

login), but the worker may fork()/exec() other workers after login

for unlock operations.  These workers need to run in a gdm context

not a user context.

This commit changes gdm-session-worker to manually reset the exec()

context after the first fork().

https://bugzilla.gnome.org/show_bug.cgi?id=683426

---

 daemon/Makefile.am          |  2 ++

 daemon/gdm-session-worker.c | 11 +++++++++++

 2 files changed, 13 insertions(+)

diff --git a/daemon/Makefile.am b/daemon/Makefile.am

index 8d0cf5e..bb84765 100644

--- a/daemon/Makefile.am

+++ b/daemon/Makefile.am

@@ -27,6 +27,7 @@ AM_CPPFLAGS = \

 	$(WARN_CFLAGS)					\

 	$(DEBUG_CFLAGS)					\

 	$(SYSTEMD_CFLAGS)				\

+	$(LIBSELINUX_CFLAGS)	 			\

 	-DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\"	\

 	$(NULL)

@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = 			\

 	$(top_builddir)/common/libgdmcommon.la	\

 	$(DAEMON_LIBS)				\

 	$(SYSTEMD_LIBS) 			\

+	$(LIBSELINUX_LIBS) 			\

 	$(NULL)

 sbin_PROGRAMS = 			\

diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c

index 190123d..1ccc0b7 100644

--- a/daemon/gdm-session-worker.c

+++ b/daemon/gdm-session-worker.c

@@ -46,6 +46,10 @@

 #include <systemd/sd-daemon.h>

 #endif

+#ifdef HAVE_SELINUX

+#include <selinux/selinux.h>

+#endif /* HAVE_SELINUX */

+

 #include "gdm-common.h"

 #include "gdm-log.h"

 #include "gdm-session-worker.h"

@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker  *worker,

                 _exit (127);

         }

+        /* If we end up execing again, make sure we don't use the executable context set up

+         * by pam_selinux durin pam_open_session

+         */

+#ifdef HAVE_SELINUX

+        setexeccon (NULL);

+#endif

+

         worker->priv->child_pid = session_pid;

         g_debug ("GdmSessionWorker: session opened creating reply...");

-- 

1.7.12