diff -up gdm-2.19.8/configure.ac.selinux gdm-2.19.8/configure.ac
diff -up gdm-2.19.8/daemon/slave.c.selinux gdm-2.19.8/daemon/slave.c
--- gdm-2.19.8/daemon/slave.c.selinux	2007-09-07 11:40:58.000000000 -0400
+++ gdm-2.19.8/daemon/slave.c	2007-09-07 12:21:37.000000000 -0400
@@ -89,7 +89,6 @@
 
 #ifdef HAVE_SELINUX
 #include <selinux/selinux.h>
-#include <selinux/get_context_list.h>
 #endif /* HAVE_SELINUX */
 
 #include <glib/gi18n.h>
@@ -172,6 +171,10 @@ static uid_t logged_in_uid             =
 static gid_t logged_in_gid             = -1;
 #endif
 
+#ifdef HAVE_SELINUX
+security_context_t logged_in_context   = NULL;
+#endif 
+
 static int greeter_fd_out              = -1;
 static int greeter_fd_in               = -1;
 
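Review bot: `logged_in_context` is introduced as an external (non-static) global, while the neighbouring `logged_in_uid`/`logged_in_gid` it mirrors are file-scope `static`; nothing in this patch references it from another translation unit. Use `static security_context_t logged_in_context = NULL;` so it does not leak into the global namespace, and drop the trailing space after `#endif`. A one-line comment stating what the variable holds would also help, e.g. `/* exec context captured in gdm_slave_session_start and applied to the session child */`.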
@@ -2036,6 +2039,7 @@ restart_the_greeter (void)
 	gdm_slave_sensitize_config ();
 }
 
+
 static gboolean
 play_login_sound (const char *sound_file)
 {
@@ -3519,48 +3523,6 @@ open_xsession_errors (struct passwd *pwe
 	return logfd;
 }
 
-#ifdef HAVE_SELINUX
-/* This should be run just before we exec the user session */
-static gboolean
-gdm_selinux_setup (const char *login)
-{
-	security_context_t scontext;
-	int ret=-1;
-	char *seuser=NULL;
-	char *level=NULL;
-
-	/* If selinux is not enabled, then we don't do anything */
-	if (is_selinux_enabled () <= 0)
-		return TRUE;
-
-	if (getseuserbyname(login, &seuser, &level) == 0)
-		ret=get_default_context_with_level(seuser, level, 0, &scontext);
-
-	if (ret < 0) {
-		gdm_error ("SELinux gdm login: unable to obtain default security context for %s.", login);
-		/* note that this will be run when the .xsession-errors
-		   is already being logged, so we can use stderr */
-		gdm_fdprintf (2, "SELinux gdm login: unable to obtain default security context for %s.", login);
- 		return (security_getenforce()==0);
-	}
-
-	gdm_assert (scontext != NULL);
-
-	if (setexeccon (scontext) != 0) {
-		gdm_error ("SELinux gdm login: unable to set executable context %s.",
-			   (char *)scontext);
-		gdm_fdprintf (2, "SELinux gdm login: unable to set executable context %s.",
-			      (char *)scontext);
-		freecon (scontext);
-		return (security_getenforce()==0);
-	}
-
-	freecon (scontext);
-
-	return TRUE;
-}
-#endif /* HAVE_SELINUX */
-
 static void
 session_child_run (struct passwd *pwent,
 		   int logfd,
@@ -3801,6 +3763,10 @@ session_child_run (struct passwd *pwent,
                         close (iceauth_fd);
         }
 
+#ifdef HAVE_SELINUX
+        setexeccon (logged_in_context);
+#endif
+
 	NEVER_FAILS_setegid (pwent->pw_gid);
 #ifdef HAVE_LOGINCAP
 	if (setusercontext (NULL, pwent, pwent->pw_uid,
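Review bot: The return value of `setexeccon (logged_in_context)` is discarded, so if setting the exec context fails the session is exec'd anyway with whatever context the child inherited. The `gdm_selinux_setup` that this patch removes checked the result, logged it, and aborted with `_exit (66)` unless `security_getenforce ()` reported permissive; the new call site has no equivalent, so a failure in enforcing mode now produces a session with the wrong context rather than a clear error. I would keep the old policy at the new call site, as below. `session_child_run` starts and ends outside this hunk.
```c
#ifdef HAVE_SELINUX
	/* logged_in_context is captured in gdm_slave_session_start; NULL just clears it */
	if (setexeccon (logged_in_context) != 0) {
		gdm_error ("SELinux gdm login: unable to set executable context.");
		gdm_fdprintf (2, "SELinux gdm login: unable to set executable context.");
		/* as before: only fatal when SELinux is enforcing */
		if (security_getenforce () != 0)
			_exit (66);
	}
#endif
	NEVER_FAILS_setegid (pwent->pw_gid);
	/* … unchanged: setusercontext / uid switch … */
```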
@@ -4046,16 +4012,6 @@ session_child_run (struct passwd *pwent,
 	}
 #endif
 
-#ifdef HAVE_SELINUX
-	if ( ! gdm_selinux_setup (pwent->pw_name)) {
-		/* 66 means no "session crashed" examine .xsession-errors
-		   dialog */
-		gdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
-			       _("Error! Unable to set executable context."));
-		_exit (66);
-	}
-#endif
-
         g_shell_parse_argv (fullexec->str, NULL, &argv, NULL);
 	VE_IGNORE_EINTR (execv (argv[0], argv));
 	g_strfreev (argv);
@@ -4741,6 +4697,11 @@ gdm_slave_session_start (void)
 
 	NEVER_FAILS_root_set_euid_egid (0, gdm_daemon_config_get_gdmgid ());
 
+#ifdef HAVE_SELINUX
+        getexeccon (&logged_in_context);
+        setexeccon (NULL);
+#endif
+
 	if G_UNLIKELY ( ! authok) {
 		gdm_debug ("gdm_slave_session_start: Auth not OK");
 
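Review bot: `getexeccon (&logged_in_context)` is called without checking its return and without clearing the previous value, so a failed call leaves `logged_in_context` holding whatever it held before, and a successful one overwrites a still-allocated pointer if this path is reached again before `gdm_slave_session_stop` frees it (the capture sits above the `! authok` early-out, which I assume does not go through session_stop). I would write `freecon (logged_in_context); logged_in_context = NULL;` immediately before the `getexeccon` call and log a `gdm_debug` when it returns non-zero. A short comment on why the context is captured here and then cleared with `setexeccon (NULL)` would also help, along the lines of `/* presumably set by the PAM stack during authentication; keep it for the session child and clear it so nothing the slave forks meanwhile inherits it — confirm */`. `gdm_slave_session_start` continues outside this hunk.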
@@ -5009,6 +4970,10 @@ gdm_slave_session_stop (gboolean run_pos
 	seteuid (0);
 	setegid (0);
 
+#ifdef HAVE_SELINUX
+        setexeccon (NULL);
+#endif
+
 	gdm_slave_send_num (GDM_SOP_SESSPID, 0);
 
 	/* Now still as root make the system authfile not readable by others,
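Review bot: The added `setexeccon (NULL);` block is indented with eight spaces while the adjoining `seteuid (0);`, `setegid (0);` and `gdm_slave_send_num` lines use tabs; the same mix appears in the additions to `session_child_run`, `gdm_slave_session_start` and the last hunk of `gdm_slave_session_stop`, where the first added line uses spaces and the `freecon` lines use tabs. Indent the new lines with tabs to match the surrounding code. `gdm_slave_session_stop` starts and ends outside this hunk.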
@@ -5069,6 +5034,12 @@ gdm_slave_session_stop (gboolean run_pos
 	logged_in_uid = -1;
 	logged_in_gid = -1;
 
+#ifdef HAVE_SELINUX
+        setexeccon (logged_in_context);
+	freecon (logged_in_context);
+	logged_in_context = NULL;
+#endif
+
 	/* things are going to be killed, so ignore errors */
 	XSetErrorHandler (ignore_xerror_handler);
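Review bot: Restoring the exec context with `setexeccon (logged_in_context)` immediately before freeing it is not explained, and the return value is ignored; a reader cannot tell whether the restore is needed for the teardown that follows or is a leftover. If it is intentional, a comment such as `/* re-apply the session's exec context for the remaining teardown; it is released right after — confirm this is still needed */` would record the reason, and `if (setexeccon (logged_in_context) != 0) gdm_debug ("gdm_slave_session_stop: setexeccon failed");` would keep failures visible. Freeing and NULLing the global here is good. `gdm_slave_session_stop` continues outside this hunk.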