From 867ba48dbf030009f3bb0f79c083ae0c7787dee5 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 24 Jun 2010 15:31:05 -0400
Subject: [PATCH] Add check for setkeycreatecon() when --with-selinux is specified.
---
 config.h.in | 3 +++
 configure | 70 ++++++++++++++++++++++++++++++++++++++++-----------
 configure.in | 3 +++
 src/selinux.c | 2 ++
 4 files changed, 64 insertions(+), 14 deletions(-)

diff --git a/config.h.in b/config.h.in
index 319e0b7f3..415c961e7 100644
--- a/config.h.in
+++ b/config.h.in
@@ -409,6 +409,9 @@
 /* Define to 1 if you have the `seteuid' function. */
 #undef HAVE_SETEUID
 
+/* Define to 1 if you have the `setkeycreatecon' function. */
+#undef HAVE_SETKEYCREATECON
+
 /* Define to 1 if you have the `setlocale' function. */
 #undef HAVE_SETLOCALE
 
diff --git a/configure b/configure
index 819000028..1816a9507 100755
--- a/configure
+++ b/configure
@@ -5905,6 +5905,47 @@ if test "${with_selinux+set}" = set; then : SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" SEMAN=1 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setkeycreatecon in -lselinux" >&5 +$as_echo_n "checking for setkeycreatecon in -lselinux... " >&6; } +if test "${ac_cv_lib_selinux_setkeycreatecon+set}" = set; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lselinux $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char setkeycreatecon (); +int +main () +{ +return setkeycreatecon (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_selinux_setkeycreatecon=yes +else + ac_cv_lib_selinux_setkeycreatecon=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_setkeycreatecon" >&5 +$as_echo "$ac_cv_lib_selinux_setkeycreatecon" >&6; } +if test "x$ac_cv_lib_selinux_setkeycreatecon" = x""yes; then : + $as_echo "#define HAVE_SETKEYCREATECON 1" >>confdefs.h + +fi + ;; no) ;; *) as_fn_error "\"--with-selinux does not take an argument.\"" "$LINENO" 5 
@@ -6923,13 +6964,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:6926: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6967: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6929: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6970: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6932: output\"" >&5) + (eval echo "\"\$as_me:6973: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8134,7 +8175,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8137 "configure"' > conftest.$ac_ext + echo '#line 8178 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9395,11 +9436,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9398: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9439: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9402: \$? = $ac_status" >&5 + echo "$as_me:9443: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9734,11 +9775,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9737: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9778: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9741: \$? = $ac_status" >&5 + echo "$as_me:9782: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9839,11 +9880,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9842: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9883: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9846: \$? = $ac_status" >&5 + echo "$as_me:9887: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9894,11 +9935,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9897: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9938: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9901: \$? = $ac_status" >&5 + echo "$as_me:9942: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12261,7 +12302,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12264 "configure" +#line 12305 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12357,7 +12398,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12360 "configure" +#line 12401 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -20529,5 +20570,6 @@ fi + diff --git a/configure.in b/configure.in index f26ebee5c..407de6c61 100644 --- a/configure.in +++ b/configure.in @@ -1314,6 +1314,8 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support]) SUDO_OBJS="${SUDO_OBJS} selinux.o" PROGS="${PROGS} sesh" SEMAN=1 + AC_CHECK_LIB([selinux], [setkeycreatecon], + [AC_DEFINE(HAVE_SETKEYCREATECON)]) ;; no) ;; *) AC_MSG_ERROR(["--with-selinux does not take an argument."]) @@ -2839,6 +2841,7 @@ AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.]) AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the header file.]) AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.]) AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.]) +AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.]) AH_TEMPLATE(HAVE_SIGACTION_T, [Define to 1 if has the sigaction_t typedef.]) AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.]) AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().]) diff --git a/src/selinux.c b/src/selinux.c index c577753c8..b5c3dc842 100644 --- a/src/selinux.c +++ b/src/selinux.c @@ -369,11 +369,13 @@ selinux_execve(const char *path, char *argv[], char *envp[]) return; } +#ifdef HAVE_SETKEYCREATECON if (setkeycreatecon(se_state.new_context)) { warning("unable to set key creation context to %s", se_state.new_context); if (se_state.enforcing) return; } +#endif /* HAVE_SETKEYCREATECON */ for (argc = 0; argv[argc] != NULL; argc++) continue; -- 2.40.0
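Review bot: In the src/selinux.c hunk, when HAVE_SETKEYCREATECON is undefined the key-creation-context step in selinux_execve() is compiled out with no trace, so even with `se_state.enforcing` set the function goes straight on to the argv count without that context having been requested. That is presumably the intended fallback for a libselinux that lacks the call, but the guard should say so, e.g. `/* Older libselinux has no setkeycreatecon(); kernel keys created afterwards then keep the default label instead of new_context. */`. The `AC_CHECK_LIB([selinux], [setkeycreatecon], ...)` added in configure.in has no action-if-not-found, so the only hint at build time is the "checking for setkeycreatecon" result line; adding `[AC_MSG_WARN([libselinux lacks setkeycreatecon; key creation context will not be set])]` as the fourth argument would make the reduced labeling visible to whoever packages the build. selinux_execve() begins and ends outside the hunk, so whether anything later compensates cannot be seen from here.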