From 0ff220a4e9a8eb9898e4380faa65a043400d54b4 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 24 Jun 2010 14:34:53 -0400 Subject: [PATCH] Add check for setkeycreatecon() when --with-selinux is specified. --HG-- branch : 1.7 --- config.h.in | 3 +++ configure | 70 +++++++++++++++++++++++++++++++++++++++++----------- configure.in | 3 +++ selinux.c | 2 ++ 4 files changed, 64 insertions(+), 14 deletions(-) diff --git a/config.h.in b/config.h.in index 36f488f52..728ae27ff 100644 --- a/config.h.in +++ b/config.h.in @@ -412,6 +412,9 @@ /* Define to 1 if you have the `seteuid' function. */ #undef HAVE_SETEUID +/* Define to 1 if you have the `setkeycreatecon' function. */ +#undef HAVE_SETKEYCREATECON + /* Define to 1 if you have the `setlocale' function. */ #undef HAVE_SETLOCALE diff --git a/configure b/configure index 9c1f61f0c..86e5eb6b6 100755 --- a/configure +++ b/configure 
@@ -5434,6 +5434,47 @@ if test "${with_selinux+set}" = set; then : SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" SEMAN=1 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setkeycreatecon in -lselinux" >&5 +$as_echo_n "checking for setkeycreatecon in -lselinux... " >&6; } +if test "${ac_cv_lib_selinux_setkeycreatecon+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lselinux $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setkeycreatecon (); +int +main () +{ +return setkeycreatecon (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_selinux_setkeycreatecon=yes +else + ac_cv_lib_selinux_setkeycreatecon=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_setkeycreatecon" >&5 +$as_echo "$ac_cv_lib_selinux_setkeycreatecon" >&6; } +if test "x$ac_cv_lib_selinux_setkeycreatecon" = x""yes; then : + $as_echo "#define HAVE_SETKEYCREATECON 1" >>confdefs.h + +fi + ;; no) ;; *) as_fn_error "\"--with-selinux does not take an argument.\"" "$LINENO" 5 
@@ -6578,13 +6619,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6581: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6622: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6584: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6625: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6587: output\"" >&5) + (eval echo "\"\$as_me:6628: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7789,7 +7830,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7792 "configure"' > conftest.$ac_ext + echo '#line 7833 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9182,11 +9223,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9185: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9226: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9189: \$? = $ac_status" >&5 + echo "$as_me:9230: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9521,11 +9562,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9524: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9565: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9528: \$? = $ac_status" >&5 + echo "$as_me:9569: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9626,11 +9667,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9629: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9670: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9633: \$? = $ac_status" >&5 + echo "$as_me:9674: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9681,11 +9722,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9684: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9725: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9688: \$? = $ac_status" >&5 + echo "$as_me:9729: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12048,7 +12089,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12051 "configure" +#line 12092 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12144,7 +12185,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12147 "configure" +#line 12188 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -20500,5 +20541,6 @@ fi + diff --git a/configure.in b/configure.in index d00c7cfbd..1f1776ec5 100644 --- a/configure.in +++ b/configure.in @@ -1282,6 +1282,8 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" SEMAN=1 + AC_CHECK_LIB([selinux], [setkeycreatecon], + [AC_DEFINE(HAVE_SETKEYCREATECON)]) ;; no) ;; *) AC_MSG_ERROR(["--with-selinux does not take an argument."]) @@ -2829,6 +2831,7 @@ AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file.]) AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.]) +AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.]) AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if has the sigaction_t typedef.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) diff --git a/selinux.c b/selinux.c index d7b47567c..2c03e6c7e 100644 --- a/selinux.c +++ b/selinux.c @@ -334,11 +334,13 @@ selinux_execve(const char *path, char *argv[], char *envp[]) return; } +#ifdef HAVE_SETKEYCREATECON if (setkeycreatecon(se_state.new_context)) { warning("unable to set key creation context to %s", se_state.new_context); if (se_state.enforcing) return; } +#endif /* HAVE_SETKEYCREATECON */ /* We use the "spare" slot in argv to store sesh. */ --argv; -- 2.50.1
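Review bot: In the selinux.c hunk, a build without HAVE_SETKEYCREATECON compiles the key-creation-context step out of selinux_execve() with no trace, whereas a build that has the function warns on failure and returns when se_state.enforcing is set. The guard should carry a comment that says so, for example `/* Older libselinux lacks setkeycreatecon(); the key creation context is then left unset. */`. The AC_CHECK_LIB call in the configure.in hunk could also report the missing function at build time through its action-if-not-found argument, e.g. `[AC_MSG_WARN([setkeycreatecon not found; key creation context will not be set])]`. Whether skipping the call is acceptable on an enforcing system is not visible here, because selinux_execve() begins and ends outside the hunk; that should be confirmed against the SELinux policy the build targets.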