[gnome-keyring] Set correct daemon SELinux context when started from pam module

[Tomas Bzatek <tbzatek src gnome org>]

commit 2f6a7c049dfffed20e3f78e3f51a8cca8735f2d3
Author: Tomas Bzatek <tbzatek redhat com>
Date:   Fri Mar 18 13:39:22 2011 +0100

    Set correct daemon SELinux context when started from pam module
    
    With confined users we want to run the gnome-keyring-daemon as
    sgkeyringd_staff_t (Fedora case), but currently this does not
    work properly from the pam module.
    
    This patch will fix the problem.  We are ignoring error conditions
    since for most users the errors will not effect unconfined users,
    and on a confined user it would still partially work but generate
    an AVC.
    
    Patch by Daniel Walsh <dwalsh redhat com>
    https://bugzilla.redhat.com/show_bug.cgi?id=684225

 configure.in         |   19 +++++++++++++++++++
 pam/Makefile.am      |    1 +
 pam/gkr-pam-module.c |   34 ++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 0 deletions(-)
---
diff --git a/configure.in b/configure.in
index c000ed9..295bac3 100644
--- a/configure.in
+++ b/configure.in
@@ -574,6 +574,24 @@ AC_SUBST(GCOV)
 AC_SUBST(GENHTML)
 
 # ----------------------------------------------------------------------
+# selinux
+
+LIBSELINUX=""
+selinux_status="no"
+AC_ARG_ENABLE([selinux],
+        AC_HELP_STRING([--disable-selinux],[do not use SELinux]))
+if test "x$enable_selinux" != "xno"; then
+    AC_CHECK_LIB([selinux],[getfilecon],
+        [AC_CHECK_LIB([selinux],[setexeccon],
+            [AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
+             LIBSELINUX="-lselinux"
+             selinux_status="yes"])
+        ])
+fi
+AC_SUBST(LIBSELINUX)
+AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
+
+# ----------------------------------------------------------------------
 # Valgrind
 
 AC_ARG_ENABLE(valgrind,
@@ -744,6 +762,7 @@ echo
 echo "OPTIONAL DEPENDENCIES"
 echo "  PAM:                  $pam_status"
 echo "  Linux capabilities:   $libcapng_status"
+echo "  SELinux:              $selinux_status"
 echo
 echo "CONFIGURATION"
 echo "  SSH Agent:            $ssh_status"
diff --git a/pam/Makefile.am b/pam/Makefile.am
index 81bda13..2e6362d 100644
--- a/pam/Makefile.am
+++ b/pam/Makefile.am
@@ -16,6 +16,7 @@ pam_gnome_keyring_la_LIBADD = \
 	$(top_builddir)/egg/libegg-buffer.la \
 	$(top_builddir)/egg/libegg-creds.la \
 	$(top_builddir)/egg/libegg-secure.la \
+	$(LIBSELINUX) \
 	-lpam
 	
 pam_gnome_keyring_la_LDFLAGS = \
diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
index e63c917..8ad814c 100644
--- a/pam/gkr-pam-module.c
+++ b/pam/gkr-pam-module.c
@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
 	free_password (data);
 }
 
+#ifdef WITH_SELINUX
+#include  <selinux/flask.h>
+#include  <selinux/selinux.h>
+/* Attempt to set SELinux Context. We are ignoring failure and just going
+   with default behaviour default behaviour
+*/
+static void setup_selinux_context(const char *command) {
+	security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
+
+	if (is_selinux_enabled() != 1) return;
+
+	int ret = getexeccon(&execcon);
+	if ((ret < 0) || (! execcon)) goto err;
+
+	ret = getfilecon(command, &fcon);
+	if (ret < 0) goto err;
+
+	ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
+	if (ret < 0) goto err;
+
+	setexeccon(newcon);
+
+err:
+	freecon(newcon);
+	freecon(fcon);
+	freecon(execcon);
+	return;
+}
+#endif
+
 static void
 setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
 {
@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
 	char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
 #endif
 	
+#ifdef WITH_SELINUX
+	setup_selinux_context(GNOME_KEYRING_DAEMON);
+#endif
+
 	assert (pwd);
 	assert (pwd->pw_dir);