Debian Bug report logs - #493524
xdm: SE Linux patch was written for old version


Package: xdm; Maintainer for xdm is Debian X Strike Force <debian-x@lists.debian.org>; Source for xdm is src:xdm.

Reported by: Russell Coker <russell@coker.com.au>

Date: Sat, 2 Aug 2008 23:33:02 UTC

Severity: normal

Found in version xdm/1:1.1.8-3

Fixed in version xdm/1:1.1.8-4

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#493524; Package xdm.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
New Bug report received and forwarded. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xdm: SE Linux patch was written for old version
Date: Sun, 03 Aug 2008 09:30:37 +1000
Package: xdm
Version: 1:1.1.8-3
Severity: normal

The SE Linux patch was written for an older release of SE Linux and
doesn't work properly with the latest code base (gets the wrong
login context).

Below is a modified patch to make it work correctly.

Could you please build with this patch ASAP so we can try and get it
into Lenny?

# HG changeset patch
# User ejka@imfi.kspu.ru
# Node ID 4403c371616cc416a83156451f1afd293aff0e16
# Parent  28b3145223134d9d9a32202d0bae2036572e560a
Ported 099s_selinux_support.diff (changes: remove Imakefile hunks, add
--with-selinux flag to configure.ac).
Updated to latest SE Linux code by Russell Coker 3rd Aug 2008


diff -ru xdm-1.1.8-prese/configure.ac xdm-1.1.8/configure.ac
--- xdm-1.1.8-prese/configure.ac	2008-05-22 04:24:55.000000000 +1000
+++ xdm-1.1.8/configure.ac	2008-08-03 07:37:02.000000000 +1000
@@ -116,6 +116,23 @@
 		 fi])
 fi
 
+use_selinux_default=no
+# Check for selinux support
+AC_ARG_WITH(selinux, AC_HELP_STRING([--with-selinux],[Add support for selinux]),
+	[USE_SELINUX=$withval], [USE_SELINUX=$use_selinux_default])
+if test "x$USE_SELINUX" != "xno" ; then
+   	old_LIBS="$LIBS"
+	LIBS=""
+	AC_SEARCH_LIBS(is_selinux_enabled,[selinux])
+	AC_CHECK_FUNC(is_selinux_enabled,
+		[AC_DEFINE(HAVE_SELINUX,1,[Add support for selinux])],
+		[if test "x$USE_SELINUX" != "xtry" ; then
+			AC_MSG_ERROR(["selinux support requested, but is_selinux_enabled not found."])
+		 fi])
+	XDM_LIBS="$XDM_LIBS $LIBS"
+	LIBS="$old_LIBS"
+fi
+
 # FIXME: Find better test for which OS'es use su -m  - for now, just try to
 # mirror the Imakefile setting of:
 # if  defined(OpenBSDArchitecture) || defined(NetBSDArchitecture) || defined(FreeBSDArchitecture) || defined(DarwinArchitecture)
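Review bot: `AC_HELP_STRING` in the `AC_ARG_WITH(selinux, ...)` call is the obsolete spelling; autoconf has deprecated it in favour of `AS_HELP_STRING`, so use that to avoid warnings on newer autoconf. The help text only advertises `--with-selinux`, but the `if test "x$USE_SELINUX" != "xtry"` branch silently accepts a third value: either document `--with-selinux=try` (enable SELinux support only if `is_selinux_enabled` is found) in the help string or drop the branch so a typo in the option value cannot turn a hard build requirement into a soft one.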
diff -ru xdm-1.1.8-prese/session.c xdm-1.1.8/session.c
--- xdm-1.1.8-prese/session.c	2008-08-03 07:36:02.000000000 +1000
+++ xdm-1.1.8/session.c	2008-08-03 08:16:22.000000000 +1000
@@ -36,6 +36,10 @@
  * session.c
  */
 
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include "dm.h"
 #include "dm_auth.h"
 #include "dm_error.h"
@@ -70,6 +74,11 @@
 #include <prot.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif /* HAVE_SELINUX */
+
 #ifndef GREET_USER_STATIC
 # include <dlfcn.h>
 # ifndef RTLD_NOW
@@ -77,6 +86,39 @@
 # endif
 #endif
 
+#ifdef HAVE_SELINUX
+/* This should be run just before we exec the user session. */
+static int
+xdm_selinux_setup (const char *login)
+  {
+	security_context_t scontext;
+	int ret = -1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	/* If SELinux is not enabled, then we don't do anything. */
+	if ( is_selinux_enabled () <= 0)
+		return TRUE;
+
+	if (getseuserbyname(login, &seuser, &level) == 0)
+		ret=get_default_context_with_level(seuser, level, 0, &scontext);
+	if (ret < 0 || scontext == NULL) {
+		LogError ("SELinux: unable to obtain default security context for %s\n", login);
+		return FALSE;
+	}
+
+	if (setexeccon (scontext) != 0) {
+	freecon (scontext);
+	LogError ("SELinux: unable to set executable context %s\n",
+	      (char *)scontext);
+	return FALSE;
+	}
+
+	freecon (scontext);
+	return TRUE;
+}
+#endif /* HAVE_SELINUX */
+
 static	int	runAndWait (char **args, char **environ);
 
 #ifdef HAVE_GRP_H
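Review bot: in the `setexeccon (scontext) != 0` branch `scontext` is passed to `LogError` after `freecon (scontext)` has already released it, a use-after-free in the error message; log first, then free. The `seuser` and `level` strings that `getseuserbyname()` returns are owned by the caller and are never freed here, so every login leaks two allocations on the success path as well as in both failure paths: `free (seuser); free (level);` placed right after the `get_default_context_with_level()` call (free(NULL) is harmless) covers all of them. Minor: `scontext` is uninitialised when `getseuserbyname()` fails; `ret < 0` short-circuits the `scontext == NULL` test so it is not read, but initialising it to NULL makes that obvious to the next reader. Style: the opening brace of `xdm_selinux_setup` is indented and the body mixes tabs with spaces, unlike the rest of session.c.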
@@ -785,6 +827,17 @@
 	    bzero(passwd, strlen(passwd));
 
 	SetUserAuthorization (d, verify);
+#ifdef HAVE_SELINUX
+   /*
+    * For Security Enhanced Linux:
+    * set the default security context for this user.
+    */
+   if ( ! xdm_selinux_setup (name)) {
+      LogError ("failed to set security context\n");
+       exit (UNMANAGE_DISPLAY);
+       return (0);
+   }
+#endif /* HAVE_SELINUX */
 	home = getEnv (verify->userEnviron, "HOME");
 	if (home)
 	    if (chdir (home) == -1) {
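Review bot: `return (0);` after `exit (UNMANAGE_DISPLAY);` is unreachable and should be dropped. Aborting the session when the context cannot be set is the right fail-closed choice, since falling through would exec the user's session in xdm's own domain; it would be worth a one-line comment saying so, because the failure is already logged inside `xdm_selinux_setup` and the second `LogError ("failed to set security context\n")` otherwise looks like a duplicate. The added block is indented with three spaces while the surrounding code uses tabs.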




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#493524; Package xdm.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #10 received at 493524@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Russell Coker <russell@coker.com.au>, 493524@bugs.debian.org
Subject: Re: Bug#493524: xdm: SE Linux patch was written for old version
Date: Sun, 3 Aug 2008 01:51:56 +0200
On Sun, Aug  3, 2008 at 09:30:37 +1000, Russell Coker wrote:

> +#ifdef HAVE_SELINUX
> +/* This should be run just before we exec the user session. */
> +static int
> +xdm_selinux_setup (const char *login)
> +  {
> +	security_context_t scontext;
> +	int ret = -1;
> +	char *seuser=NULL;
> +	char *level=NULL;
> +
> +	/* If SELinux is not enabled, then we don't do anything. */
> +	if ( is_selinux_enabled () <= 0)
> +		return TRUE;
> +
> +	if (getseuserbyname(login, &seuser, &level) == 0)
> +		ret=get_default_context_with_level(seuser, level, 0, &scontext);
> +	if (ret < 0 || scontext == NULL) {
> +		LogError ("SELinux: unable to obtain default security context for %s\n", login);
> +		return FALSE;
> +	}
> +
> +	if (setexeccon (scontext) != 0) {
> +	freecon (scontext);
> +	LogError ("SELinux: unable to set executable context %s\n",
> +	      (char *)scontext);
> +	return FALSE;
> +	}
> +
> +	freecon (scontext);
> +	return TRUE;
> +}
> +#endif /* HAVE_SELINUX */
> +

Looks like seuser and level are never freed.  Am I missing something?

Cheers,
Julien




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#493524; Package xdm.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #15 received at 493524@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Russell Coker <russell@coker.com.au>, 493524@bugs.debian.org
Subject: Re: Bug#493524: xdm: SE Linux patch was written for old version
Date: Mon, 11 Aug 2008 13:26:19 +0200
On Sun, Aug  3, 2008 at 01:51:56 +0200, Julien Cristau wrote:

> On Sun, Aug  3, 2008 at 09:30:37 +1000, Russell Coker wrote:
> 
> > +	if (getseuserbyname(login, &seuser, &level) == 0)
> > +		ret=get_default_context_with_level(seuser, level, 0, &scontext);
> > +	if (ret < 0 || scontext == NULL) {
> > +		LogError ("SELinux: unable to obtain default security context for %s\n", login);
> > +		return FALSE;
> > +	}
> > +
> 
> Looks like seuser and level are never freed.  Am I missing something?
> 
Looking at <selinux/selinux.h>, we read:
/* Get the SELinux username and level to use for a given Linux username.
   These values may then be passed into the get_ordered_context_list*
   and get_default_context* functions to obtain a context for the user.
   Returns 0 on success or -1 otherwise.
   Caller must free the returned strings via free. */
extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);

Will apply the fixed patch with the missing calls to free().

Cheers,
Julien
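
The ownership rule quoted above, applied to the setup routine from the patch as an added illustration (this is not the xdm patch or Debian's code): the two strings `getseuserbyname()` hands back are released with free() on every path, and the context is logged before `freecon()` releases it. With HAVE_SELINUX defined the block calls the libselinux functions named in the thread; without it, constructed stand-ins with the same signatures and ownership rules (the login `alice` maps to `user_u`/`s0`, any other login is unknown) let the control flow run and be checked on a machine without libselinux. `LogError` and the TRUE/FALSE macros are stand-ins for xdm's own, assumed for this example.

```c
/* Added example, not code from the xdm patch or from Debian: the SELinux
 * session setup routine with caller-owned strings freed on every path and
 * no use of the context after freecon(). */
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef TRUE
# define TRUE 1
# define FALSE 0
#endif

#ifdef HAVE_SELINUX
# include <selinux/selinux.h>
# include <selinux/get_context_list.h>
#else
/* Constructed stand-ins for libselinux with the same signatures and the
 * same ownership rules: the caller frees seuser/level with free() and the
 * context with freecon(). Only the login "alice" is known. */
static int is_selinux_enabled(void) { return 1; }
static int getseuserbyname(const char *user, char **seuser, char **level)
{
    if (strcmp(user, "alice") == 0) {
        *seuser = strdup("user_u");
        *level = strdup("s0");
        return (*seuser && *level) ? 0 : -1;
    }
    return -1;                                   /* unknown login: lookup fails */
}
static int get_default_context_with_level(const char *seuser, const char *level,
                                          char *from, char **out)
{
    char buf[128];
    (void)from;
    snprintf(buf, sizeof buf, "%s:user_r:user_t:%s", seuser, level);
    *out = strdup(buf);
    return *out ? 0 : -1;
}
static int setexeccon(char *con) { return con ? 0 : -1; }
static void freecon(char *con) { free(con); }
#endif

/* Stand-in for xdm's LogError (assumed for this example). */
static void LogError(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

/* Returns TRUE when the exec context for the user's session has been set
 * (or SELinux is disabled) and FALSE when it could not be; the caller is
 * expected to refuse to start the session on FALSE (fail closed). */
static int xdm_selinux_setup(const char *login)
{
    char *scontext = NULL;                       /* initialised: never read uninitialised */
    char *seuser = NULL, *level = NULL;
    int ret = -1;

    if (is_selinux_enabled() <= 0)
        return TRUE;                             /* SELinux off: nothing to do */

    if (getseuserbyname(login, &seuser, &level) == 0)
        ret = get_default_context_with_level(seuser, level, NULL, &scontext);

    /* Both strings belong to us from here on, whichever call failed;
     * free(NULL) is harmless, so this single spot covers every path. */
    free(seuser);
    free(level);

    if (ret < 0 || scontext == NULL) {
        LogError("SELinux: unable to obtain default security context for %s\n", login);
        return FALSE;
    }

    if (setexeccon(scontext) != 0) {
        /* Log first, then release: the context must not be used after freecon(). */
        LogError("SELinux: unable to set executable context %s\n", scontext);
        freecon(scontext);
        return FALSE;
    }

    freecon(scontext);
    return TRUE;
}

int main(void)
{
    const char *logins[] = { "alice", "bob" };   /* constructed sample logins */
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++)
        printf("%s: %s\n", logins[i],
               xdm_selinux_setup(logins[i]) ? "exec context set" : "session refused");
    return 0;
}
```

Under the stand-ins, `alice` gets a context and the function returns TRUE; `bob` is unknown to `getseuserbyname()`, so the routine logs the failure and returns FALSE without leaking anything, which is the outcome the caller in session.c turns into `exit (UNMANAGE_DISPLAY)`.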




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#493524; Package xdm.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #20 received at 493524@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Julien Cristau <jcristau@debian.org>
Cc: 493524@bugs.debian.org
Subject: Re: Bug#493524: xdm: SE Linux patch was written for old version
Date: Mon, 11 Aug 2008 22:06:08 +1000
On Monday 11 August 2008 21:26, Julien Cristau <jcristau@debian.org> wrote:
> > Looks like seuser and level are never freed.  Am I missing something?
>
> Looking at <selinux/selinux.h>, we read:
> /* Get the SELinux username and level to use for a given Linux username.
>    These values may then be passed into the get_ordered_context_list*
>    and get_default_context* functions to obtain a context for the user.
>    Returns 0 on success or -1 otherwise.
>    Caller must free the returned strings via free. */
> extern int getseuserbyname(const char *linuxuser, char **seuser, char
> **level);
>
> Will apply the fixed patch with the missing calls to free().

Thanks for that.  I had been meaning to review your suggestion.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#493524; Package xdm.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.

Message #25 received at 493524@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: 493524@bugs.debian.org
Subject: Can this be fixed for Lenny?
Date: Wed, 20 Aug 2008 13:33:59 +1000
What is the status of this?  Is it going to be fixed in time for Lenny?

Thanks for your work in fixing the patch.




Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility.

Notification sent to Russell Coker <russell@coker.com.au>:
Bug acknowledged by developer.

Message #30 received at 493524-close@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: 493524-close@bugs.debian.org
Subject: Bug#493524: fixed in xdm 1:1.1.8-4
Date: Wed, 20 Aug 2008 13:47:04 +0000
Source: xdm
Source-Version: 1:1.1.8-4

We believe that the bug you reported is fixed in the latest version of
xdm, which is due to be installed in the Debian FTP archive:

xdm_1.1.8-4.diff.gz
  to pool/main/x/xdm/xdm_1.1.8-4.diff.gz
xdm_1.1.8-4.dsc
  to pool/main/x/xdm/xdm_1.1.8-4.dsc
xdm_1.1.8-4_i386.deb
  to pool/main/x/xdm/xdm_1.1.8-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 493524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated xdm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 20 Aug 2008 15:30:27 +0200
Source: xdm
Binary: xdm
Architecture: source i386
Version: 1:1.1.8-4
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 xdm        - X display manager
Closes: 493524 495776
Changes: 
 xdm (1:1.1.8-4) unstable; urgency=low
 .
   * Update SELinux patch to get the correct login context (closes: #493524).
     Thanks, Russell Coker!
   * debian.diff: Fix remaining bad reference to the auth dir in manpage.
   * xdm_fixes.diff: open the log file *after* BecomeDaemon(), so we don't send
     the log to /dev/null (closes: #495776).
Checksums-Sha1: 
 6f13708f80c9858407856f27f351aac2d8109ada 1369 xdm_1.1.8-4.dsc
 84a3a6d82f49b6ae7182f48672fdc2450a313540 104188 xdm_1.1.8-4.diff.gz
 611f40cc6fd17c5fe9109c3c4d437273c335f6a9 192708 xdm_1.1.8-4_i386.deb
Checksums-Sha256: 
 dd9b376eb1d744b17260ea001b96125e84fdd4214ef22350d19eb85ad39cfeaa 1369 xdm_1.1.8-4.dsc
 ced51244030ed4d8c4ef382270e888a737391b6ec885f55c77cf51ee53e395f1 104188 xdm_1.1.8-4.diff.gz
 1bec743eaaa8917d8cdc67cd46b64d6e527e8365a1ac5be4f3a3620e26a43f2f 192708 xdm_1.1.8-4_i386.deb
Files: 
 34ecb17ffac7cfe753019c80507ef293 1369 x11 optional xdm_1.1.8-4.dsc
 44798e5528058601714a18f6c6f051a9 104188 x11 optional xdm_1.1.8-4.diff.gz
 0f748b414f4e48061ba01f7a33ca4714 192708 x11 optional xdm_1.1.8-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkisHb8ACgkQmEvTgKxfcAxXvQCgxNrYZjUD8F84GmwSpRdh1ri9
qIgAoNtXt+Lk/5GYY+lI0/mzup6ZvXtc
=upHy
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Sep 2008 07:29:11 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:02:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.