From 3fbffab8f3acd8cf78a98d886abc28ab4256b8dc Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Mar 12 2009 17:34:00 +0000 Subject: * Thu Mar 12 2009 Adam Jackson 1.6.0-13 - xselinux-1.6.0-selinux-nlfd.patch: Acquire the netlink socket from selinux, check it ourselves rather than having libselinux bang on it all the time. --- diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec index 7195414..59dc1de 100644 --- a/xorg-x11-server.spec +++ b/xorg-x11-server.spec @@ -19,7 +19,7 @@ Summary: X.Org X11 X server Name: xorg-x11-server Version: 1.6.0 -Release: 12%{?dist} +Release: 13%{?dist} URL: http://www.x.org License: MIT Group: User Interface/X @@ -79,10 +79,13 @@ Patch6010: xserver-1.5.99.902-selinux-debugging.patch Patch6011: xserver-1.6.0-less-acpi-brokenness.patch # don't try intel on poulsbo -Patch6013: xserver-1.5.99.902-sod-off-poulsbo.patch +Patch6012: xserver-1.5.99.902-sod-off-poulsbo.patch # don't do selinux if we're not told to -Patch6014: xserver-1.6.0-selinux-less.patch +Patch6013: xserver-1.6.0-selinux-less.patch + +# selinux performance hack +Patch6014: xserver-1.6.0-selinux-nlfd.patch # https://bugs.freedesktop.org/show_bug.cgi?id=20087 Patch6015: xserver-1.5.99.902-vnc.patch @@ -144,7 +147,7 @@ BuildRequires: mesa-libGL-devel >= 7.1-0.37 # XXX silly... BuildRequires: libdrm-devel >= 2.4.0 kernel-headers -BuildRequires: audit-libs-devel libselinux-devel >= 2.0.59-1 +BuildRequires: audit-libs-devel libselinux-devel >= 2.0.79-1 BuildRequires: hal-devel dbus-devel # All server subpackages have a virtual provide for the name of the server @@ -158,6 +161,7 @@ X.Org X11 X server Summary: Xorg server common files Group: User Interface/X Requires: pixman >= 0.14.0 +Requires: libselinux >= 2.0.79-1 %description common Common files shared among all X servers. 
@@ -507,6 +511,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Thu Mar 12 2009 Adam Jackson 1.6.0-13 +- xselinux-1.6.0-selinux-nlfd.patch: Acquire the netlink socket from selinux, + check it ourselves rather than having libselinux bang on it all the time. + * Wed Mar 11 2009 Adam Jackson 1.6.0-12 - Requires: pixman >= 0.14.0 @@ -965,7 +973,7 @@ rm -rf $RPM_BUILD_ROOT * Tue Mar 11 2008 Adam Jackson 1.4.99.901-3.20080310 - New 1.5 snapshot. -- xserver-1.5-x86emy.patch: Fix an x86emu quirk. +- xserver-1.5-x86emu.patch: Fix an x86emu quirk. * Fri Mar 07 2008 Adam Jackson 1.4.99.901-1.20080307 - Today's 1.5 snapshot. diff --git a/xserver-1.6.0-selinux-nlfd.patch b/xserver-1.6.0-selinux-nlfd.patch new file mode 100644 index 0000000..27edf22 --- /dev/null +++ b/xserver-1.6.0-selinux-nlfd.patch 
@@ -0,0 +1,94 @@ +From 0731394b205f003143ceec1bde04b6c6726f9c10 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 2 Mar 2009 18:45:27 -0500 +Subject: [PATCH] selinux netlink socket hack + +--- + Xext/xselinux.c | 29 +++++++++++++++++++++++++++++ + configure.ac | 4 ++++ + include/dix-config.h.in | 2 ++ + 3 files changed, 35 insertions(+), 0 deletions(-) + +diff --git a/Xext/xselinux.c b/Xext/xselinux.c +index 6085983..419c0ae 100644 +--- a/Xext/xselinux.c ++++ b/Xext/xselinux.c +@@ -1887,6 +1887,22 @@ SProcSELinuxDispatch(ClientPtr client) + } + } + ++#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD ++static int netlink_fd; ++ ++static void ++SELinuxBlockHandler(void *data, struct timeval **tv, void *read_mask) ++{ ++} ++ ++static void ++SELinuxWakeupHandler(void *data, int err, void *read_mask) ++{ ++ if (FD_ISSET(netlink_fd, (fd_set *)read_mask)) ++ avc_netlink_check_nb(); ++} ++#endif ++ + + /* + * Extension Setup / Teardown +@@ -1917,6 +1933,12 @@ SELinuxResetProc(ExtensionEntry *extEntry) + label_hnd = NULL; + + audit_close(audit_fd); ++#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD ++ avc_netlink_release_fd(); ++ RemoveBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler, ++ NULL); ++ RemoveGeneralSocket(netlink_fd); ++#endif + + avc_destroy(); + avc_active = 0; +@@ -2013,6 +2035,13 @@ SELinuxExtensionInit(INITARGS) + if (atom_client_ctx == BAD_RESOURCE) + FatalError("SELinux: Failed to create atom\n"); + ++#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD ++ netlink_fd = avc_netlink_acquire_fd(); ++ AddGeneralSocket(netlink_fd); ++ RegisterBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler, ++ NULL); ++#endif ++ + /* Register callbacks */ + ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL); + ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL); +diff --git a/configure.ac b/configure.ac +index 72ae67e..55a880e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -920,6 +920,10 @@ if test "x$XSELINUX" = xyes; then + 
AC_CHECK_LIB(selinux, avc_init, [], AC_MSG_ERROR([SELinux library not found])) + AC_CHECK_HEADERS([libaudit.h], [], AC_MSG_ERROR([SELinux extension requires audit system headers])) + AC_CHECK_LIB(audit, audit_open, [], AC_MSG_ERROR([SELinux extension requires audit system library])) ++ AC_CHECK_DECL(avc_netlink_acquire_fd, ++ [AC_DEFINE(HAVE_AVC_NETLINK_ACQUIRE_FD, 1, "Have avc_netlink_acquire_fd")], ++ [], ++ [#include ]) + AC_DEFINE(XSELINUX, 1, [Build SELinux extension]) + SELINUX_LIB="-lselinux -laudit" + fi +diff --git a/include/dix-config.h.in b/include/dix-config.h.in +index 3da193f..66c3008 100644 +--- a/include/dix-config.h.in ++++ b/include/dix-config.h.in +@@ -442,4 +442,6 @@ + #include "dix-config-apple-verbatim.h" + #endif + ++#undef HAVE_AVC_NETLINK_ACQUIRE_FD ++ + #endif /* _DIX_CONFIG_H_ */ +-- +1.6.1.3 +
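Review bot: In SELinuxExtensionInit the result of `avc_netlink_acquire_fd()` is passed straight to `AddGeneralSocket(netlink_fd)` without a check, so a negative descriptor would end up in the server's fd sets. A guard such as `if (netlink_fd < 0) FatalError("SELinux: Failed to acquire netlink socket\n");` before the registration would match the FatalError handling just above it. SELinuxWakeupHandler also ignores both its `err` argument and the return value of `avc_netlink_check_nb()`. Per the commit message the server now checks the socket itself instead of libselinux, so a silent failure there would presumably leave access decisions running on a stale AVC cache after a policy reload or enforcing-mode change. I would write the test as `if (err > 0 && FD_ISSET(netlink_fd, (fd_set *)read_mask) && avc_netlink_check_nb() < 0)` and report the failure with `ErrorF`. Both SELinuxExtensionInit and SELinuxResetProc start and end outside the inner hunks, so whether AVC initialisation already guarantees a valid socket cannot be confirmed from this page.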