From 1504793eaaff0b8cecfa4d3713c8bf6d92789799 Mon Sep 17 00:00:00 2001
From: Ray Strode
Date: Sep 07 2012 14:56:06 +0000
Subject: fix selinux context after forking session
This should fix unlock on dwalsh's machine
---
diff --git a/fix-selinux-context.patch b/fix-selinux-context.patch
new file mode 100644
index 0000000..1f6706a
--- /dev/null
+++ b/fix-selinux-context.patch
@@ -0,0 +1,116 @@
+From fd4291d5e4e811a0e484a06d88509f4adfed6a90 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Thu, 6 Sep 2012 17:01:03 -0400
+Subject: [PATCH 1/2] configure: check for selinux again
+
+This sort of reverts commit 378390b9b5639bbe37cf4ba06e2e4acf1587e1d8.
+---
+ configure.ac | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 5283845..af31719 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -142,6 +142,14 @@ AC_SUBST(UPOWER)
+ AC_SUBST(UPOWER_CFLAGS)
+ AC_SUBST(UPOWER_LIBS)
+ 
++PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)
++
++if test "x$have_selinux" = "xyes" ; then
++ AC_DEFINE(HAVE_SELINUX, 1, [Define if have selinux])
++fi
++AC_SUBST(LIBSELINUX_CFLAGS)
++AC_SUBST(LIBSELINUX_LIBS)
++
+ PKG_CHECK_MODULES(SIMPLE_GREETER,
+ gtk+-3.0 >= $GTK_REQUIRED_VERSION
+ fontconfig >= $FONTCONFIG_REQUIRED_VERSION
+@@ -1595,6 +1603,7 @@ fi
+ echo \
+ " Xinerama support: ${XINERAMA_SUPPORT}
+ XDMCP support: ${XDMCP_SUPPORT}
++ SELinux support: ${have_selinux}
+ ConsoleKit support: ${use_console_kit}
+ systemd support: ${use_systemd}
+ systemd unit dir: ${with_systemdsystemunitdir}
+--
+1.7.12
+
+
+From d4dbdc8c5a5703f205540d0c39459e1a06faf458 Mon Sep 17 00:00:00 2001
+From: Ray Strode
+Date: Thu, 6 Sep 2012 17:14:06 -0400
+Subject: [PATCH 2/2] daemon: reset exec context after fork()
+
+When pam_open_session finishes, the session worker
+is set up such that the next fork()/exec() may transition the
+user to a user specific context (such as staff_t).
+
+This makes sense for the first fork()/exec() (which is the user
+login), but the worker may fork()/exec() other workers after login
+for unlock operations. These workers need to run in a gdm context
+not a user context.
+
+This commit changes gdm-session-worker to manually reset the exec()
+context after the first fork().
+
+https://bugzilla.gnome.org/show_bug.cgi?id=683426
+---
+ daemon/Makefile.am | 2 ++
+ daemon/gdm-session-worker.c | 11 +++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/daemon/Makefile.am b/daemon/Makefile.am
+index 8d0cf5e..bb84765 100644
+--- a/daemon/Makefile.am
++++ b/daemon/Makefile.am
+@@ -27,6 +27,7 @@ AM_CPPFLAGS = \
+ $(WARN_CFLAGS) \
+ $(DEBUG_CFLAGS) \
+ $(SYSTEMD_CFLAGS) \
++ $(LIBSELINUX_CFLAGS) \
+ -DLANG_CONFIG_FILE=\"$(LANG_CONFIG_FILE)\" \
+ $(NULL)
+ 
+@@ -291,6 +292,7 @@ gdm_session_worker_LDADD = \
+ $(top_builddir)/common/libgdmcommon.la \
+ $(DAEMON_LIBS) \
+ $(SYSTEMD_LIBS) \
++ $(LIBSELINUX_LIBS) \
+ $(NULL)
+ 
+ sbin_PROGRAMS = \
+diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
+index 190123d..1ccc0b7 100644
+--- a/daemon/gdm-session-worker.c
++++ b/daemon/gdm-session-worker.c
+@@ -46,6 +46,10 @@
+ #include 
+ #endif
+ 
++#ifdef HAVE_SELINUX
++#include 
++#endif /* HAVE_SELINUX */
++
+ #include "gdm-common.h"
+ #include "gdm-log.h"
+ #include "gdm-session-worker.h"
+@@ -1876,6 +1880,13 @@ gdm_session_worker_start_session (GdmSessionWorker *worker,
+ _exit (127);
+ }
+ 
++ /* If we end up execing again, make sure we don't use the executable context set up
++ * by pam_selinux durin pam_open_session
++ */
++#ifdef HAVE_SELINUX
++ setexeccon (NULL);
++#endif
++
+ worker->priv->child_pid = session_pid;
+ 
+ g_debug ("GdmSessionWorker: session opened creating reply...");
+--
+1.7.12
+
diff --git a/gdm.spec b/gdm.spec
index 38b4a07..2b74638 100644
--- a/gdm.spec
+++ b/gdm.spec
@@ -98,6 +98,7 @@ Obsoletes: gdm-plugin-fingerprint < 1:3.2.1
 Provides: gdm-plugin-fingerprint = %{epoch}:%{version}-%{release}
 Patch0: fix-auto-login.patch
+Patch1: fix-selinux-context.patch
 %package libs
 Summary: Client-side library to talk to gdm
@@ -127,6 +128,7 @@ Development files and headers for writing GDM greeters.
 %prep
 %setup -q
 %patch0 -p1 -b .fix-autologin
+%patch1 -p1 -b .fix-selinux-context
 autoreconf -i -f
 intltoolize -f
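Review bot: The `setexeccon (NULL);` added in the `@@ -1876,6 +1880,13 @@` hunk of gdm-session-worker.c discards its return value, so if the reset fails the worker keeps the exec context pam_selinux installed and any later fork()/exec() of an unlock worker would still run in the user's context — the very condition the patch exists to prevent — without a single log line to show it happened. Suggest `if (setexeccon (NULL) < 0) g_warning ("GdmSessionWorker: unable to reset SELinux exec context");` so the failure is visible in the journal, and the comment above it should read "during", not "durin". pam_selinux's open_session presumably sets other per-process create contexts as well (key-create context at least); worth confirming whether those also need resetting here, since this hunk only clears the exec context. gdm_session_worker_start_session begins and ends outside the hunk.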
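Review bot: Patch1 makes SELinux support depend on `PKG_CHECK_MODULES(LIBSELINUX, libselinux, have_selinux=yes, have_selinux=no)` succeeding at configure time, but the `@@ -98,6 +98,7 @@` hunk adds only the `Patch1:` line and no build dependency, so unless `BuildRequires: libselinux-devel` already appears elsewhere in the spec (not visible here) a clean build root configures with have_selinux=no and ships the fix compiled out with no error. Suggest adding `BuildRequires: libselinux-devel` alongside the Patch1 line and checking that the configure summary in the build log reports `SELinux support: yes`.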
@@ -359,6 +361,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor >&/dev/null || :
 %changelog
 * Fri Sep 07 2012 Ray Strode 1:3.5.91-2
 - Fix autologin
+- Fix selinux context after forking session
 * Thu Sep 06 2012 Richard Hughes - 1:3.5.91-1
 - Update to 3.5.91