XSELinux: Add xorg.conf option for permissive/enforcing/disabled.
Patch by Joe Nall. The option goes in the "extmod" subsection. TODO: Make it easier for extension modules to handle their own options.
This commit is contained in:
Eamon Walsh
Eamon Walsh
parent
415e49b940
commit
b5f98fcea2
|
|
@ -37,6 +37,7 @@ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|||
#include <libaudit.h>
|
||||
|
||||
#include <X11/Xatom.h>
|
||||
#include "globals.h"
|
||||
#include "resource.h"
|
||||
#include "privates.h"
|
||||
#include "registry.h"
|
||||
|
|
@ -1891,16 +1892,36 @@ void
|
|||
SELinuxExtensionInit(INITARGS)
|
||||
{
|
||||
ExtensionEntry *extEntry;
|
||||
struct selinux_opt options[] = { { SELABEL_OPT_VALIDATE, (char *)1 } };
|
||||
struct selinux_opt selabel_option = { SELABEL_OPT_VALIDATE, (char *)1 };
|
||||
struct selinux_opt avc_option = { AVC_OPT_SETENFORCE, (char *)0 };
|
||||
security_context_t con;
|
||||
int ret = TRUE;
|
||||
|
||||
/* Setup SELinux stuff */
|
||||
/* Check SELinux mode on system */
|
||||
if (!is_selinux_enabled()) {
|
||||
ErrorF("SELinux: SELinux not enabled, disabling SELinux support.\n");
|
||||
ErrorF("SELinux: Disabled on system, not enabling in X server\n");
|
||||
return;
|
||||
}
|
||||
|
||||
/* Check SELinux mode in configuration file */
|
||||
switch(selinuxEnforcingState) {
|
||||
case SELINUX_MODE_DISABLED:
|
||||
LogMessage(X_INFO, "SELinux: Disabled in configuration file\n");
|
||||
return;
|
||||
case SELINUX_MODE_ENFORCING:
|
||||
LogMessage(X_INFO, "SELinux: Configured in enforcing mode\n");
|
||||
avc_option.value = (char *)1;
|
||||
break;
|
||||
case SELINUX_MODE_PERMISSIVE:
|
||||
LogMessage(X_INFO, "SELinux: Configured in permissive mode\n");
|
||||
avc_option.value = (char *)0;
|
||||
break;
|
||||
default:
|
||||
avc_option.type = AVC_OPT_UNUSED;
|
||||
break;
|
||||
}
|
||||
|
||||
/* Set up SELinux stuff */
|
||||
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback)SELinuxLog);
|
||||
selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback)SELinuxAudit);
|
||||
|
||||
|
|
@ -1912,11 +1933,11 @@ SELinuxExtensionInit(INITARGS)
|
|||
FatalError("SELinux: Failed to set up security class mapping\n");
|
||||
}
|
||||
|
||||
if (avc_open(NULL, 0) < 0)
|
||||
if (avc_open(&avc_option, 1) < 0)
|
||||
FatalError("SELinux: Couldn't initialize SELinux userspace AVC\n");
|
||||
avc_active = 1;
|
||||
|
||||
label_hnd = selabel_open(SELABEL_CTX_X, options, 1);
|
||||
label_hnd = selabel_open(SELABEL_CTX_X, &selabel_option, 1);
|
||||
if (!label_hnd)
|
||||
FatalError("SELinux: Failed to open x_contexts mapping in policy\n");
|
||||
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ static ExtensionModule extensionModules[] = {
|
|||
{
|
||||
SELinuxExtensionInit,
|
||||
SELINUX_EXTENSION_NAME,
|
||||
NULL,
|
||||
&noSELinuxExtension,
|
||||
NULL,
|
||||
NULL
|
||||
},
|
||||
|
|
@ -258,6 +258,27 @@ extmodSetup(pointer module, pointer opts, int *errmaj, int *errmin)
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef XSELINUX
|
||||
if (! strcmp(SELINUX_EXTENSION_NAME, extensionModules[i].name)) {
|
||||
pointer o;
|
||||
selinuxEnforcingState = SELINUX_MODE_DEFAULT;
|
||||
|
||||
if ((o = xf86FindOption(opts, "SELinux mode disabled"))) {
|
||||
xf86MarkOptionUsed(o);
|
||||
selinuxEnforcingState = SELINUX_MODE_DISABLED;
|
||||
}
|
||||
if ((o = xf86FindOption(opts, "SELinux mode permissive"))) {
|
||||
xf86MarkOptionUsed(o);
|
||||
selinuxEnforcingState = SELINUX_MODE_PERMISSIVE;
|
||||
}
|
||||
if ((o = xf86FindOption(opts, "SELinux mode enforcing"))) {
|
||||
xf86MarkOptionUsed(o);
|
||||
selinuxEnforcingState = SELINUX_MODE_ENFORCING;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
LoadExtension(&extensionModules[i], FALSE);
|
||||
}
|
||||
/* Need a non-NULL return */
|
||||
|
|
|
|||
|
|
@ -440,6 +440,9 @@ _X_HIDDEN void *dixLookupTab[] = {
|
|||
#ifdef XIDLE
|
||||
SYMVAR(noXIdleExtension)
|
||||
#endif
|
||||
#ifdef XSELINUX
|
||||
SYMVAR(noSELinuxExtension)
|
||||
#endif
|
||||
#ifdef XV
|
||||
SYMVAR(noXvExtension)
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -175,6 +175,16 @@ extern Bool noXInputExtension;
|
|||
extern Bool noXIdleExtension;
|
||||
#endif
|
||||
|
||||
#ifdef XSELINUX
|
||||
extern Bool noSELinuxExtension;
|
||||
|
||||
#define SELINUX_MODE_DEFAULT 0
|
||||
#define SELINUX_MODE_DISABLED 1
|
||||
#define SELINUX_MODE_PERMISSIVE 2
|
||||
#define SELINUX_MODE_ENFORCING 3
|
||||
extern int selinuxEnforcingState;
|
||||
#endif
|
||||
|
||||
#ifdef XV
|
||||
extern Bool noXvExtension;
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -215,6 +215,9 @@ extern Bool noXInputExtension;
|
|||
#ifdef XIDLE
|
||||
extern Bool noXIdleExtension;
|
||||
#endif
|
||||
#ifdef XSELINUX
|
||||
extern Bool noSELinuxExtension;
|
||||
#endif
|
||||
#ifdef XV
|
||||
extern Bool noXvExtension;
|
||||
#endif
|
||||
|
|
@ -487,6 +490,9 @@ static ExtensionToggle ExtensionToggleList[] =
|
|||
#endif
|
||||
#ifdef XKB
|
||||
{ "XKEYBOARD", &noXkbExtension },
|
||||
#endif
|
||||
#ifdef XSELINUX
|
||||
{ "SELinux", &noSELinuxExtension },
|
||||
#endif
|
||||
{ "XTEST", &noTestExtensions },
|
||||
#ifdef XV
|
||||
|
|
@ -597,7 +603,7 @@ InitExtensions(argc, argv)
|
|||
if (!noSecurityExtension) SecurityExtensionInit();
|
||||
#endif
|
||||
#ifdef XSELINUX
|
||||
SELinuxExtensionInit();
|
||||
if (!noSELinuxExtension) SELinuxExtensionInit();
|
||||
#endif
|
||||
#ifdef XPRINT
|
||||
XpExtensionInit(); /* server-specific extension, cannot be disabled */
|
||||
|
|
|
|||
|
|
@ -232,6 +232,10 @@ _X_EXPORT Bool noXInputExtension = FALSE;
|
|||
#ifdef XIDLE
|
||||
_X_EXPORT Bool noXIdleExtension = FALSE;
|
||||
#endif
|
||||
#ifdef XSELINUX
|
||||
_X_EXPORT Bool noSELinuxExtension = FALSE;
|
||||
_X_EXPORT int selinuxEnforcingState = SELINUX_MODE_DEFAULT;
|
||||
#endif
|
||||
#ifdef XV
|
||||
_X_EXPORT Bool noXvExtension = FALSE;
|
||||
#endif
|
||||
|
|
|
|||
Loading…
Reference in New Issue