|
 |
a09e3e |
From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
|
|
|
a09e3e |
From: Jan Grulich <jgrulich@redhat.com>
|
|
|
a09e3e |
Date: Thu, 11 Nov 2021 13:52:41 +0100
|
|
|
a09e3e |
Subject: [PATCH] SELinux: restore SELinux context in case of different
|
|
|
a09e3e |
policies
|
|
|
a09e3e |
|
|
|
a09e3e |
---
|
|
|
a09e3e |
CMakeLists.txt | 13 +++++++++++++
|
|
|
a09e3e |
unix/vncserver/CMakeLists.txt | 2 +-
|
|
|
a09e3e |
unix/vncserver/vncsession.c | 16 ++++++++++++++++
|
|
|
a09e3e |
3 files changed, 30 insertions(+), 1 deletion(-)
|
|
|
a09e3e |
|
|
|
a09e3e |
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
|
|
a09e3e |
index 50247c7da..1708eb3d8 100644
|
|
|
a09e3e |
--- a/CMakeLists.txt
|
|
|
a09e3e |
+++ b/CMakeLists.txt
|
|
|
a09e3e |
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
|
|
|
a09e3e |
endif()
|
|
|
a09e3e |
endif()
|
|
|
a09e3e |
|
|
|
a09e3e |
+# Check for SELinux library
|
|
|
a09e3e |
+if(UNIX AND NOT APPLE)
|
|
|
a09e3e |
+ check_include_files(selinux/selinux.h HAVE_SELINUX_H)
|
|
|
a09e3e |
+ if(HAVE_SELINUX_H)
|
|
|
a09e3e |
+ set(CMAKE_REQUIRED_LIBRARIES -lselinux)
|
|
|
a09e3e |
+ set(CMAKE_REQUIRED_LIBRARIES)
|
|
|
a09e3e |
+ set(SELINUX_LIBS selinux)
|
|
|
a09e3e |
+ add_definitions("-DHAVE_SELINUX")
|
|
|
a09e3e |
+ else()
|
|
|
a09e3e |
+ message(WARNING "Could not find SELinux development files")
|
|
|
a09e3e |
+ endif()
|
|
|
a09e3e |
+endif()
|
|
|
a09e3e |
+
|
|
|
a09e3e |
# Generate config.h and make sure the source finds it
|
|
|
a09e3e |
configure_file(config.h.in config.h)
|
|
|
a09e3e |
add_definitions(-DHAVE_CONFIG_H)
|
|
|
a09e3e |
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
|
|
|
a09e3e |
index f65ccc7db..ae69dc098 100644
|
|
|
a09e3e |
--- a/unix/vncserver/CMakeLists.txt
|
|
|
a09e3e |
+++ b/unix/vncserver/CMakeLists.txt
|
|
|
a09e3e |
@@ -1,5 +1,5 @@
|
|
|
a09e3e |
add_executable(vncsession vncsession.c)
|
|
|
a09e3e |
-target_link_libraries(vncsession ${PAM_LIBS})
|
|
|
a09e3e |
+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
|
|
|
a09e3e |
|
|
|
a09e3e |
configure_file(vncserver@.service.in vncserver@.service @ONLY)
|
|
|
a09e3e |
configure_file(vncsession-start.in vncsession-start @ONLY)
|
|
|
a09e3e |
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
|
|
a09e3e |
index 3573e5e9b..f6d2fd59e 100644
|
|
|
a09e3e |
--- a/unix/vncserver/vncsession.c
|
|
|
a09e3e |
+++ b/unix/vncserver/vncsession.c
|
|
|
a09e3e |
@@ -37,6 +37,11 @@
|
|
|
a09e3e |
#include <sys/types.h>
|
|
|
a09e3e |
#include <sys/wait.h>
|
|
|
a09e3e |
|
|
|
a09e3e |
+#ifdef HAVE_SELINUX
|
|
|
a09e3e |
+#include <selinux/selinux.h>
|
|
|
a09e3e |
+#include <selinux/restorecon.h>
|
|
|
a09e3e |
+#endif
|
|
|
a09e3e |
+
|
|
|
a09e3e |
extern char **environ;
|
|
|
a09e3e |
|
|
|
a09e3e |
// PAM service name
|
|
|
a09e3e |
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
|
|
|
a09e3e |
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
|
|
a09e3e |
_exit(EX_OSERR);
|
|
|
a09e3e |
}
|
|
|
a09e3e |
+
|
|
|
a09e3e |
+#ifdef HAVE_SELINUX
|
|
|
a09e3e |
+ int result;
|
|
|
a09e3e |
+ if (selinux_file_context_verify(logfile, 0) == 0) {
|
|
|
a09e3e |
+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
|
|
|
a09e3e |
+
|
|
|
a09e3e |
+ if (result < 0) {
|
|
|
a09e3e |
+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
|
|
|
a09e3e |
+ }
|
|
|
a09e3e |
+ }
|
|
|
a09e3e |
+#endif
|
|
|
a09e3e |
}
|
|
|
a09e3e |
|
|
|
a09e3e |
hostlen = sysconf(_SC_HOST_NAME_MAX);
|