From: Alon Bar-Lev
Date: Wed, 29 Feb 2012 20:12:05 +0000 (+0200)
Subject: build: proper selinux detection and usage
X-Git-Tag: v2.3_alpha2~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cd5990e0e0da1621b9c2d9ca927ff8d1af3c241a;p=thirdparty%2Fopenvpn.git
build: proper selinux detection and usage
Signed-off-by: Alon Bar-Lev
Acked-by: Samuli Seppänen
Signed-off-by: David Sommerseth
---
diff --git a/configure.ac b/configure.ac
index 98615c658..2388f17d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -215,7 +215,7 @@ AC_ARG_ENABLE(
 AC_ARG_ENABLE(
 [selinux],
- [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
+ [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
 ,
 [enable_selinux="no"]
 )
@@ -619,6 +619,13 @@ AC_CHECK_LIB(
 )
 AC_SUBST([SOCKETS_LIBS])
+AC_CHECK_LIB(
+ [selinux],
+ [setcon],
+ [SELINUX_LIBS="-lselinux"]
+)
+AC_SUBST([SELINUX_LIBS])
+
 case "${with_mem_check}" in
 valgrind)
 AC_CHECK_HEADER(
@@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
 fi
 fi
-dnl
-dnl check for SELinux library and headers
-dnl
-if test "${enable_selinux}" = "yes"; then
- AC_CHECK_HEADER(
- [selinux/selinux.h],
- [AC_CHECK_LIB(
- [selinux],
- [setcon],
- [
- LIBS="${LIBS} -lselinux"
- AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
- ],
- [AC_MSG_RESULT([SELinux library not found.])]
- )],
- [AC_MSG_ERROR([SELinux headers not found.])]
- )
-fi
-
 if test -n "${SP_PLATFORM_WINDOWS}"; then
 AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
 AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"
@@ -896,6 +884,12 @@ else
 fi
 fi
+if test "${enable_selinux}" = "yes"; then
+ test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but missing])
+ OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
+ AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
+fi
+
 if test "${enable_pedantic}" = "yes"; then
 enable_strict="yes"
 CFLAGS="${CFLAGS} -ansi -pedantic"
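Review bot: The `if test "${enable_selinux}" = "yes"` block in the last hunk only confirms that libselinux links (`test -z "${SELINUX_LIBS}"`), whereas the block removed in the third hunk also probed `selinux/selinux.h`; a host with the runtime library but without the development headers now passes configure and presumably fails later at the header include that syshead.h places under ENABLE_SELINUX. Restoring the header probe inside the enable block keeps that failure at configure time: `AC_CHECK_HEADER([selinux/selinux.h], , [AC_MSG_ERROR([SELinux headers required but missing])])` before the AC_DEFINE. The AC_CHECK_LIB added in the second hunk now runs on every configure invocation rather than only when SELinux is requested; that is harmless, but a one-line `dnl` comment saying the result is consumed by the enable_selinux test further down would stop someone from moving it back under that test and reordering the two checks.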
@@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
 AC_SUBST([TAP_WIN_MIN_MINOR])
 AC_SUBST([OPTIONAL_DL_LIBS])
+AC_SUBST([OPTIONAL_SELINUX_LIBS])
 AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 86abd09b1..a3f8b3a0f 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -97,6 +97,7 @@ openvpn_SOURCES = \
 cryptoapi.h cryptoapi.c
 openvpn_LDADD = \
 $(SOCKETS_LIBS) \
+ $(OPTIONAL_SELINUX_LIBS) \
 $(OPTIONAL_DL_LIBS)
 if WIN32
 openvpn_SOURCES += openvpn_win32_resources.rc
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b8f57b291..0c995ffd2 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
 mstats_open(c->options.memstats_fn);
 #endif
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 /* Apply a SELinux context in order to restrict what OpenVPN can do
 * to _only_ what it is supposed to do after initialization is complete
 * (basically just network I/O operations). Doing it after chroot
@@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
 msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
 if (o->username || o->groupname || o->chroot_dir
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 || o->selinux_context
 #endif
 )
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d7f848e7f..4e95b8332 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -316,7 +316,7 @@ static const char usage_message[] =
 "--user user : Set UID to user after initialization.\n"
 "--group group : Set GID to group after initialization.\n"
 "--chroot dir : Chroot to this directory after initialization.\n"
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 "--setcon context: Apply this SELinux context after initialization.\n"
 #endif
 "--cd dir : Change to this directory before initialization.\n"
@@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
 SHOW_STR (groupname);
 SHOW_STR (chroot_dir);
 SHOW_STR (cd_dir);
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 SHOW_STR (selinux_context);
 #endif
 SHOW_STR (writepid);
@@ -4525,7 +4525,7 @@ add_option (struct options *options,
 }
 options->cd_dir = p[1];
 }
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 else if (streq (p[0], "setcon") && p[1])
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 6af4b3a77..57b88b7dc 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -310,7 +310,7 @@ struct options
 const char *groupname;
 const char *chroot_dir;
 const char *cd_dir;
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 char *selinux_context;
 #endif
 const char *writepid;
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 1ad81d897..cac475795 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -176,7 +176,7 @@
 #include
 #endif
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
 #include
 #endif