Set correct daemon SELinux context when started from pam module

With confined users we want to run the gnome-keyring-daemon as sgkeyringd_staff_t (Fedora case), but currently this does not work properly from the pam module. This patch will fix the problem. We are ignoring error conditions since for most users the errors will not effect unconfined users, and on a confined user it would still partially work but generate an AVC. Patch by Daniel Walsh <dwalsh@redhat.com> https://bugzilla.redhat.com/show_bug.cgi?id=684225
GNOME · Mar 18, 2011 · 2f6a7c0 · 2f6a7c0
1 parent ba4cb92
commit 2f6a7c0
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 0 deletions.
diff --git a/configure.in b/configure.in
@@ -573,6 +573,24 @@ AC_SUBST(LCOV)
 AC_SUBST(GCOV)
 AC_SUBST(GENHTML)
 
+# ----------------------------------------------------------------------
+# selinux
+
+LIBSELINUX=""
+selinux_status="no"
+AC_ARG_ENABLE([selinux],
+        AC_HELP_STRING([--disable-selinux],[do not use SELinux]))
+if test "x$enable_selinux" != "xno"; then
+    AC_CHECK_LIB([selinux],[getfilecon],
+        [AC_CHECK_LIB([selinux],[setexeccon],
+            [AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+             LIBSELINUX="-lselinux"
+             selinux_status="yes"])
+        ])
+fi
+AC_SUBST(LIBSELINUX)
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+
 # ----------------------------------------------------------------------
 # Valgrind
 
@@ -744,6 +762,7 @@ echo
 echo "OPTIONAL DEPENDENCIES"
 echo "  PAM:                  $pam_status"
 echo "  Linux capabilities:   $libcapng_status"
+echo "  SELinux:              $selinux_status"
 echo
 echo "CONFIGURATION"
 echo "  SSH Agent:            $ssh_status"

diff --git a/pam/Makefile.am b/pam/Makefile.am
@@ -16,6 +16,7 @@ pam_gnome_keyring_la_LIBADD = \
 	$(top_builddir)/egg/libegg-buffer.la \
 	$(top_builddir)/egg/libegg-creds.la \
 	$(top_builddir)/egg/libegg-secure.la \
+	$(LIBSELINUX) \
 	-lpam
 
 pam_gnome_keyring_la_LDFLAGS = \

diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
 	free_password (data);
 }
 
+#ifdef WITH_SELINUX
+#include  <selinux/flask.h>
+#include  <selinux/selinux.h>
+/* Attempt to set SELinux Context. We are ignoring failure and just going
+   with default behaviour default behaviour
+*/
+static void setup_selinux_context(const char *command) {
+	security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
+
+	if (is_selinux_enabled() != 1) return;
+
+	int ret = getexeccon(&execcon);
+	if ((ret < 0) || (! execcon)) goto err;
+
+	ret = getfilecon(command, &fcon);
+	if (ret < 0) goto err;
+
+	ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
+	if (ret < 0) goto err;
+
+	setexeccon(newcon);
+
+err:
+	freecon(newcon);
+	freecon(fcon);
+	freecon(execcon);
+	return;
+}
+#endif
+
 static void
 setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
 {
@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
 	char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
 #endif
 
+#ifdef WITH_SELINUX
+	setup_selinux_context(GNOME_KEYRING_DAEMON);
+#endif
+
 	assert (pwd);
 	assert (pwd->pw_dir);