diff -up gdm-2.19.8/configure.ac.selinux gdm-2.19.8/configure.ac
diff -up gdm-2.19.8/daemon/slave.c.selinux gdm-2.19.8/daemon/slave.c
--- gdm-2.19.8/daemon/slave.c.selinux 2007-09-07 11:40:58.000000000 -0400
+++ gdm-2.19.8/daemon/slave.c 2007-09-07 12:21:37.000000000 -0400
@@ -89,7 +89,6 @@
 #ifdef HAVE_SELINUX
 #include
-#include
 #endif /* HAVE_SELINUX */
 #include
@@ -172,6 +171,10 @@ static uid_t logged_in_uid =
 static gid_t logged_in_gid = -1;
 #endif
+#ifdef HAVE_SELINUX
+security_context_t logged_in_context = NULL;
+#endif
+
 static int greeter_fd_out = -1;
 static int greeter_fd_in = -1;
@@ -2036,6 +2039,7 @@ restart_the_greeter (void)
 gdm_slave_sensitize_config ();
 }
+
 static gboolean
 play_login_sound (const char *sound_file)
 {
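Review bot: `logged_in_context` in the `@@ -172,6 +171,10 @@` hunk is the only file-scope variable in view without `static`, unlike the neighbouring `logged_in_uid`, `logged_in_gid` and `greeter_fd_*`; nothing else in this patch reads it from another translation unit (the configure.ac part is not shown), so it should be `static security_context_t logged_in_context = NULL;`. A one-line comment on its lifetime would also help, e.g. `/* session exec context captured in gdm_slave_session_start, re-applied in the session child, freed in gdm_slave_session_stop */`, which is what the later hunks of this patch show it being used for. The `-#include` line in the first hunk lost its header name in this rendering, so I cannot tell which header was dropped; presumably the one declaring `get_default_context_with_level`, which the patch no longer calls.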
@@ -3519,48 +3523,6 @@ open_xsession_errors (struct passwd *pwe
 return logfd;
 }
-#ifdef HAVE_SELINUX
-/* This should be run just before we exec the user session */
-static gboolean
-gdm_selinux_setup (const char *login)
-{
- security_context_t scontext;
- int ret=-1;
- char *seuser=NULL;
- char *level=NULL;
-
- /* If selinux is not enabled, then we don't do anything */
- if (is_selinux_enabled () <= 0)
- return TRUE;
-
- if (getseuserbyname(login, &seuser, &level) == 0)
- ret=get_default_context_with_level(seuser, level, 0, &scontext);
-
- if (ret < 0) {
- gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
- /* note that this will be run when the .xsession-errors
- is already being logged, so we can use stderr */
- gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
- return (security_getenforce()==0);
- }
-
- gdm_assert (scontext != NULL);
-
- if (setexeccon (scontext) != 0) {
- gdm_error ("SELinux gdm login: unable to set executable context %s.",
- (char *)scontext);
- gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
- (char *)scontext);
- freecon (scontext);
- return (security_getenforce()==0);
- }
-
- freecon (scontext);
-
- return TRUE;
-}
-#endif /* HAVE_SELINUX */
-
 static void
 session_child_run (struct passwd *pwent,
 int logfd,
@@ -3801,6 +3763,10 @@ session_child_run (struct passwd *pwent,
 close (iceauth_fd);
 }
+#ifdef HAVE_SELINUX
+ setexeccon (logged_in_context);
+#endif
+
 NEVER_FAILS_setegid (pwent->pw_gid);
 #ifdef HAVE_LOGINCAP
 if (setusercontext (NULL, pwent, pwent->pw_uid,
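Review bot: The `setexeccon (logged_in_context)` added in the `@@ -3801,6 +3763,10 @@` hunk ignores its return value, so a failure to set the exec context no longer stops the session, whereas the removed `gdm_selinux_setup` treated that as fatal in enforcing mode (`return (security_getenforce()==0)`, with the caller doing `_exit (66)`). Keeping that fail-closed behaviour is a three-line guard around the call: `if (setexeccon (logged_in_context) != 0 && security_getenforce () > 0) {` then `gdm_fdprintf (2, "SELinux gdm login: unable to set executable context.");` and `_exit (66);` — stderr is already redirected to .xsession-errors at that point according to the removed comment, which is worth re-confirming for this new position. Separately, if `logged_in_context` is still NULL here (nothing captured a context earlier), `setexeccon (NULL)` succeeds and the child simply execs under the policy's default transition from the slave's domain instead of a computed user context; when enforcing, a NULL context should probably be treated like a failure too, or the precondition documented. session_child_run begins and ends outside this hunk.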
@@ -4046,16 +4012,6 @@ session_child_run (struct passwd *pwent,
 }
 #endif
-#ifdef HAVE_SELINUX
- if ( ! gdm_selinux_setup (pwent->pw_name)) {
- /* 66 means no "session crashed" examine .xsession-errors
- dialog */
- gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
- _("Error! Unable to set executable context."));
- _exit (66);
- }
-#endif
-
 g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
 VE_IGNORE_EINTR (execv (argv[0], argv));
 g_strfreev (argv);
@@ -4741,6 +4697,11 @@ gdm_slave_session_start (void)
 NEVER_FAILS_root_set_euid_egid (0, gdm_daemon_config_get_gdmgid ());
+#ifdef HAVE_SELINUX
+ getexeccon (&logged_in_context);
+ setexeccon (NULL);
+#endif
+
 if G_UNLIKELY ( ! authok) {
 gdm_debug ("gdm_slave_session_start: Auth not OK");
@@ -5009,6 +4970,10 @@ gdm_slave_session_stop (gboolean run_pos
 seteuid (0);
 setegid (0);
+#ifdef HAVE_SELINUX
+ setexeccon (NULL);
+#endif
+
 gdm_slave_send_num (GDM_SOP_SESSPID, 0);
 /* Now still as root make the system authfile not readable by others,
@@ -5069,6 +5034,12 @@ gdm_slave_session_stop (gboolean run_pos
 logged_in_uid = -1;
 logged_in_gid = -1;
+#ifdef HAVE_SELINUX
+ setexeccon (logged_in_context);
+ freecon (logged_in_context);
+ logged_in_context = NULL;
+#endif
+
 /* things are going to be killed, so ignore errors */
 XSetErrorHandler (ignore_xerror_handler);
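Review bot: In the `@@ -4741,6 +4697,11 @@` hunk the result of `getexeccon (&logged_in_context)` is unchecked, and "no exec context was set" is indistinguishable from an error since both leave `logged_in_context` NULL; the removed `gdm_selinux_setup` computed a default with `get_default_context_with_level` in that case, while the new code silently relies on something earlier in session start (presumably a PAM module) having set one, so that precondition deserves a comment such as `/* the PAM session setup is expected to have set the exec context; capture it for the session child and clear it so processes the slave spawns meanwhile do not inherit it */` plus a `gdm_error` when enforcing and the context is NULL. The same unchecked `setexeccon` pattern recurs in the `@@ -5009` and `@@ -5069` hunks; a failed `setexeccon (NULL)` here could leave the user's context on whatever the slave execs afterwards, so at least log it. If `gdm_slave_session_start` can run again before `gdm_slave_session_stop`, the previous context is overwritten without `freecon`; `freecon (logged_in_context); logged_in_context = NULL;` before the `getexeccon` call is cheap insurance. The `@@ -5069` hunk re-applies the captured context in the slave right before freeing it with no comment on why — if the intent is that the later session close-down sees the session's context, say so next to the call. gdm_slave_session_start and gdm_slave_session_stop both extend beyond these hunks.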