From dd74952191b851bc380374ff6e2ec4ae89e4ecf8 Mon Sep 17 00:00:00 2001
From: Tomas Bzatek
Date: Tue, 15 Mar 2011 14:33:12 +0100
Subject: [PATCH] Set correct SELinux context of daemon started from the pam module (#684225)
---
 gnome-keyring-2.91.93-pam-selinux.patch | 93 +++++++++++++++++++++++++
 gnome-keyring.spec | 15 +++-
 2 files changed, 105 insertions(+), 3 deletions(-)
 create mode 100644 gnome-keyring-2.91.93-pam-selinux.patch
diff --git a/gnome-keyring-2.91.93-pam-selinux.patch b/gnome-keyring-2.91.93-pam-selinux.patch
new file mode 100644
index 0000000..ef1676c
--- /dev/null
+++ b/gnome-keyring-2.91.93-pam-selinux.patch
@@ -0,0 +1,93 @@
+diff --git a/configure.in b/configure.in
+index a5a434d..8294028 100644
+--- a/configure.in
++++ b/configure.in
+@@ -572,6 +572,28 @@ AC_SUBST(GCOV)
+ AC_SUBST(GENHTML)
+
+ # ----------------------------------------------------------------------
++# selinux
++AC_ARG_ENABLE([selinux],
++ AC_HELP_STRING([--disable-selinux],[do not use SELinux]),
++ WITH_SELINUX=$enableval, WITH_SELINUX=yes)
++if test "$WITH_SELINUX" == "yes" ; then
++ AC_CHECK_LIB([selinux],[getfilecon], LIBSELINUX="-lselinux", LIBSELINUX="")
++ selinux_status="yes"
++else
++ LIBSELINUX=""
++ selinux_status="no"
++fi
++AC_SUBST(LIBSELINUX)
++AM_CONDITIONAL([HAVE_LIBSELINUX], [test ! -z "$LIBSELINUX"])
++if test ! -z "$LIBSELINUX" ; then
++ AC_DEFINE([WITH_SELINUX], 1, [Defined if SE Linux support is compiled in])
++ BACKUP_LIBS=$LIBS
++ LIBS="$LIBS $LIBSELINUX"
++ AC_CHECK_FUNCS(setexeccon)
++ LIBS=$BACKUP_LIBS
++fi
++
++# ----------------------------------------------------------------------
+ # Valgrind
+
+ AC_ARG_ENABLE(valgrind,
+@@ -742,6 +764,7 @@ echo
+ echo "OPTIONAL DEPENDENCIES"
+ echo " PAM: $pam_status"
+ echo " Linux capabilities: $libcapng_status"
++echo " SELinux: $selinux_status"
+ echo
+ echo "CONFIGURATION"
+ echo " SSH Agent: $ssh_status"
+diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
+index e63c917..2e2e765 100644
+--- a/pam/gkr-pam-module.c
++++ b/pam/gkr-pam-module.c
+@@ -317,6 +317,36 @@ cleanup_free_password (pam_handle_t *ph, void *data, int pam_end_status)
+ free_password (data);
+ }
+
++#ifdef WITH_SELINUX
++#include
++#include
++/* Attempt to set SELinux Context. We are ignoring failure and just going
++ with default behaviour default behaviour
++*/
++static void setup_selinux_context(const char *command) {
++ security_context_t fcon = NULL, newcon = NULL, execcon = NULL;
++
++ if (is_selinux_enabled() != 1) return;
++
++ int ret = getexeccon(&execcon);
++ if ((ret < 0) || (!
execcon)) goto err;
++
++ ret = getfilecon(command, &fcon);
++ if (ret < 0) goto err;
++
++ ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
++ if (ret < 0) goto err;
++
++ setexeccon(newcon);
++
++err:
++ freecon(newcon);
++ freecon(fcon);
++ freecon(execcon);
++ return;
++}
++#endif
++
+ static void
+ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct passwd *pwd)
+ {
+@@ -329,6 +359,10 @@ setup_child (int inp[2], int outp[2], int errp[2], pam_handle_t *ph, struct pass
+ char *args[] = { GNOME_KEYRING_DAEMON, "--daemonize", "--login", NULL};
+ #endif
+
++#ifdef WITH_SELINUX
++ setup_selinux_context(GNOME_KEYRING_DAEMON);
++#endif
++
+ assert (pwd);
+ assert (pwd->pw_dir);
+
diff --git a/gnome-keyring.spec b/gnome-keyring.spec
index aba33a2..5aed3f3 100644
--- a/gnome-keyring.spec
+++ b/gnome-keyring.spec
@@ -3,11 +3,12 @@
 %define dbus_version 1.0
 %define gcrypt_version 1.2.2
 %define libtasn1_version 0.3.4
+%define libgnome-keyring_version 2.91.92
 Summary: Framework for managing passwords and other secrets
 Name: gnome-keyring
 Version: 2.91.92
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Libraries
 #VCS: git:git://git.gnome.org/gnome-keyring
@@ -18,6 +19,10 @@ URL: http://www.gnome.org
 # https://bugzilla.redhat.com/show_bug.cgi?id=668831
 Patch4: file-caps.patch
+# gnome keyring pam module is starting gnome-keyring with the wrong SELinux context.
+# https://bugzilla.redhat.com/show_bug.cgi?id=684225
+Patch5: gnome-keyring-2.91.93-pam-selinux.patch
+
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: gtk3-devel >= %{gtk3_version}
 BuildRequires: dbus-devel >= %{dbus_version}
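Review bot: In setup_selinux_context the return value of `setexeccon(newcon)` is discarded, so if the policy denies the calling domain the `process setexec` permission the daemon silently starts in the login context and nothing records that the transition did not happen; even under the stated ignore-failures policy one line, `if (setexeccon(newcon) < 0) syslog (LOG_WARNING, "could not set SELinux exec context for %s", command);`, makes the miss visible (confirm the module already includes <syslog.h>, as its other logging suggests). `SECCLASS_PROCESS` is a build-time constant from libselinux's flask.h; `string_to_security_class("process")` takes the class number from the loaded policy instead, and the same hunk's `AC_CHECK_FUNCS(setexeccon)` defines HAVE_SETEXECCON that no code then tests. In the configure.in part of the hunk, `test "$WITH_SELINUX" == "yes"` is a bash extension; POSIX test wants a single `=`. As rendered here the two `#include` lines carry no header name (presumably <selinux/selinux.h> and <selinux/flask.h>), which is worth verifying against the committed patch file. setup_child, which the second C hunk edits, continues past the end of the hunk.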
@@ -28,11 +33,11 @@ BuildRequires: autoconf, automake, libtool
 BuildRequires: gettext
 BuildRequires: intltool
 BuildRequires: libtasn1-tools
-BuildRequires: libgnome-keyring-devel
+BuildRequires: libgnome-keyring-devel >= %{libgnome-keyring_version}
 BuildRequires: gtk-doc
 BuildRequires: libcap-ng-devel
 # for smooth transition since the core was split
-Requires: libgnome-keyring
+Requires: libgnome-keyring >= %{libgnome-keyring_version}
 %description
 The gnome-keyring session daemon manages passwords and other types of
@@ -68,6 +73,7 @@ automatically unlock the "login" keyring when the user logs in.
 %prep
 %setup -q -n gnome-keyring-%{version}
 %patch4 -p1 -b .file-caps
+%patch5 -p1 -b .pam-selinux
 %build
 autoreconf -i -f
@@ -142,6 +148,9 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas
 %changelog
+* Tue Mar 15 2011 Tomas Bzatek - 2.91.92-2
+- Set correct SELinux context of daemon started from the pam module (#684225)
+
 * Fri Mar 11 2011 Tomas Bzatek - 2.91.92-1
 - Update to 2.91.92