From fd4291d5e4e811a0e484a06d88509f4adfed6a90 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Thu, 6 Sep 2012 17:01:03 -0400
Subject: [PATCH 1/2] configure: check for selinux again

This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.
---
 configure.ac | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/configure.ac b/configure.ac
index 5283845..af31719 100644
--- a/configure.ac
+++ b/configure.ac
@@ -142,6 +142,14 @@ AC_SUBST(UPOWER)
 AC_SUBST(UPOWER_CFLAGS)
 AC_SUBST(UPOWER_LIBS)
 
+PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)
+
+if test "x$have_selinux" = "xyes" ; then
+        AC_DEFINE(HAVE_SELINUX, 1, [Define if have selinux])
+fi
+AC_SUBST(LIBSELINUX_CFLAGS)
+AC_SUBST(LIBSELINUX_LIBS)
+
 PKG_CHECK_MODULES(SIMPLE_GREETER,
         gtk+-3.0 >= $GTK_REQUIRED_VERSION
 	fontconfig >= $FONTCONFIG_REQUIRED_VERSION
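Review bot: The libselinux check added here is purely auto-detected, so a build host that lacks the libselinux development files silently produces a gdm-session-worker without the exec-context reset that patch 2/2 adds under `HAVE_SELINUX`. The only signal is the "SELinux support" line in the configure summary. Consider an explicit `--with-selinux` switch that makes configure fail when SELinux was requested but not found, so distributions that rely on the reset can enforce it at build time. The `PKG_CHECK_MODULES(SIMPLE_GREETER, ...)` call at the end of the hunk continues outside it.

```m4
AC_ARG_WITH([selinux],
            AS_HELP_STRING([--with-selinux], [build with SELinux support (default: auto)]),
            [], [with_selinux=auto])

have_selinux=no
if test "x$with_selinux" != "xno" ; then
        PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)
        if test "x$with_selinux" = "xyes" -a "x$have_selinux" = "xno" ; then
                AC_MSG_ERROR([SELinux support requested but libselinux was not found])
        fi
fi
dnl … unchanged: AC_DEFINE(HAVE_SELINUX) and the two AC_SUBST lines …
```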
@@ -1595,6 +1603,7 @@ fi
 echo \
 "        Xinerama support:         ${XINERAMA_SUPPORT}
         XDMCP support:            ${XDMCP_SUPPORT}
+        SELinux support:          ${have_selinux}
         ConsoleKit support:       ${use_console_kit}
         systemd support:          ${use_systemd}
         systemd unit dir:         ${with_systemdsystemunitdir}
-- 
1.7.12


From d4dbdc8c5a5703f205540d0c39459e1a06faf458 Mon Sep 17 00:00:00 2001
From: Ray Strode <rstrode@redhat.com>
Date: Thu, 6 Sep 2012 17:14:06 -0400
Subject: [PATCH 2/2] daemon: reset exec context after fork()

When pam_open_session finishes, the session worker
is set up such that the next fork()/exec() may transition the
user to a user specific context (such as staff_t).

This makes sense for the first fork()/exec() (which is the user
login), but the worker may fork()/exec() other workers after login
for unlock operations.  These workers need to run in a gdm context
not a user context.

This commit changes gdm-session-worker to manually reset the exec()
context after the first fork().

https://bugzilla.gnome.org/show_bug.cgi?id=683426
---
 daemon/Makefile.am          |  2 ++
 daemon/gdm-session-worker.c | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 8d0cf5e..bb84765 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -27,6 +27,7 @@ AM_CPPFLAGS = \
 	$(WARN_CFLAGS)					\
 	$(DEBUG_CFLAGS)					\
 	$(SYSTEMD_CFLAGS)				\
+	$(LIBSELINUX_CFLAGS)	 			\
 	-DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\"	\
 	$(NULL)
 
@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = 			\
 	$(top_builddir)/common/libgdmcommon.la	\
 	$(DAEMON_LIBS)				\
 	$(SYSTEMD_LIBS) 			\
+	$(LIBSELINUX_LIBS) 			\
 	$(NULL)
 
 sbin_PROGRAMS = 			\
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 190123d..1ccc0b7 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -46,6 +46,10 @@
 #include <systemd/sd-daemon.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif /* HAVE_SELINUX */
+
 #include "gdm-common.h"
 #include "gdm-log.h"
 #include "gdm-session-worker.h"
@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker  *worker,
                 _exit (127);
         }
 
+        /* If we end up execing again, make sure we don't use the executable context set up
+         * by pam_selinux durin pam_open_session
+         */
+#ifdef HAVE_SELINUX
+        setexeccon (NULL);
+#endif
+
         worker->priv->child_pid = session_pid;
 
         g_debug ("GdmSessionWorker: session opened creating reply...");
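Review bot: The return value of `setexeccon (NULL)` is discarded, so if the reset fails, any worker this process later fork()/exec()s would still pick up the exec context left by pam_selinux, which is the case the commit message sets out to prevent. Check it and log the failure, for example `if (setexeccon (NULL) < 0) g_warning ("GdmSessionWorker: could not reset SELinux exec context: %s", g_strerror (errno));` (assuming `<errno.h>` is already included in this file). Whether the call can fail on hosts with SELinux disabled depends on the libselinux version, so a guard such as `is_selinux_enabled () > 0` may be needed to avoid log noise; confirm before adding it. The added comment also has a typo, "durin" for "during". The body of gdm_session_worker_start_session begins and ends outside this hunk.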
-- 
1.7.12