build: proper selinux detection and usage

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Acked-by: Samuli Seppänen <samuli@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/configure.ac b/configure.ac
index 98615c658e17783384c714046420144fdcfaddf2..2388f17d9594be59ca9e5d264c75020aa216203e 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -215,7 +215,7 @@ AC_ARG_ENABLE(
 
 AC_ARG_ENABLE(
        [selinux],
-       [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
+       [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
        ,
        [enable_selinux="no"]
 )
@@ -619,6 +619,13 @@ AC_CHECK_LIB(
 )
 AC_SUBST([SOCKETS_LIBS])
 
+AC_CHECK_LIB(
+       [selinux],
+       [setcon],
+       [SELINUX_LIBS="-lselinux"]
+)
+AC_SUBST([SELINUX_LIBS])
+
 case "${with_mem_check}" in
        valgrind)
                AC_CHECK_HEADER(
@@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
    fi
 fi
 
-dnl
-dnl check for SELinux library and headers
-dnl
-if test "${enable_selinux}" = "yes"; then
-       AC_CHECK_HEADER(
-               [selinux/selinux.h],
-               [AC_CHECK_LIB(
-                       [selinux],
-                       [setcon],
-                       [
-                               LIBS="${LIBS} -lselinux"
-                               AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
-                       ],
-                       [AC_MSG_RESULT([SELinux library not found.])]
-               )],
-               [AC_MSG_ERROR([SELinux headers not found.])]
-       )
-fi
-
 if test -n "${SP_PLATFORM_WINDOWS}"; then
        AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
        AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"
@@ -896,6 +884,12 @@ else
        fi
 fi
 
+if test "${enable_selinux}" = "yes"; then
+       test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but missing])
+       OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
+       AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
+fi
+
 if test "${enable_pedantic}" = "yes"; then
        enable_strict="yes"
        CFLAGS="${CFLAGS} -ansi -pedantic"
@@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
 AC_SUBST([TAP_WIN_MIN_MINOR])
 
 AC_SUBST([OPTIONAL_DL_LIBS])
+AC_SUBST([OPTIONAL_SELINUX_LIBS])
 
 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
 

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 86abd09b1239a85e07ddf0559bd37a0b63ad3708..a3f8b3a0ffb62565f64ddee0194c05e1ca326ad4 100644 (file)
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -97,6 +97,7 @@ openvpn_SOURCES = \
        cryptoapi.h cryptoapi.c
 openvpn_LDADD = \
        $(SOCKETS_LIBS) \
+       $(OPTIONAL_SELINUX_LIBS) \
        $(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b8f57b291cf0272ef3132b281eac335894c6abf1..0c995ffd28ae6b4690351d4113746535cd881c71 100644 (file)
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
        mstats_open(c->options.memstats_fn);
 #endif
 
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
       /* Apply a SELinux context in order to restrict what OpenVPN can do
        * to _only_ what it is supposed to do after initialization is complete
        * (basically just network I/O operations). Doing it after chroot
@@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
     msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
 
   if (o->username || o->groupname || o->chroot_dir
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
       || o->selinux_context
 #endif
       )

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d7f848e7f5ea420563878b1ddd1b8a02fc63953a..4e95b83326cb5e1b9346890a89280d27c90086dc 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -316,7 +316,7 @@ static const char usage_message[] =
   "--user user     : Set UID to user after initialization.\n"
   "--group group   : Set GID to group after initialization.\n"
   "--chroot dir    : Chroot to this directory after initialization.\n"
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
   "--setcon context: Apply this SELinux context after initialization.\n"
 #endif
   "--cd dir        : Change to this directory before initialization.\n"
@@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
   SHOW_STR (groupname);
   SHOW_STR (chroot_dir);
   SHOW_STR (cd_dir);
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
   SHOW_STR (selinux_context);
 #endif
   SHOW_STR (writepid);
@@ -4525,7 +4525,7 @@ add_option (struct options *options,
        }
       options->cd_dir = p[1];
     }
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
   else if (streq (p[0], "setcon") && p[1])
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);

diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 6af4b3a7784d75dbf4cff4360edc51be142a0b31..57b88b7dc67137540f0356aac5deec419f626da3 100644 (file)
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -310,7 +310,7 @@ struct options
   const char *groupname;
   const char *chroot_dir;
   const char *cd_dir;
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
   char *selinux_context;
 #endif
   const char *writepid;

diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 1ad81d8975f9469b8a0949f7b9fa290f4dad7bdb..cac475795db23f74ed160e748736a3359607962f 100644 (file)
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -176,7 +176,7 @@
 #include <sys/epoll.h>
 #endif
 
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 #include <selinux/selinux.h>
 #endif