-rw-r--r--configure.ac35
-rw-r--r--src/openvpn/Makefile.am1
-rw-r--r--src/openvpn/init.c4
-rw-r--r--src/openvpn/options.c6
-rw-r--r--src/openvpn/options.h2
-rw-r--r--src/openvpn/syshead.h2
6 files changed, 23 insertions, 27 deletions
diff --git a/configure.ac b/configure.ac
index 98615c6..2388f17 100644
--- a/configure.ac
+++ b/configure.ac
@@ -215,7 +215,7 @@ AC_ARG_ENABLE(
AC_ARG_ENABLE(
[selinux],
- [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
+ [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
,
[enable_selinux="no"]
)
@@ -619,6 +619,13 @@ AC_CHECK_LIB(
)
AC_SUBST([SOCKETS_LIBS])
+AC_CHECK_LIB(
+ [selinux],
+ [setcon],
+ [SELINUX_LIBS="-lselinux"]
+)
+AC_SUBST([SELINUX_LIBS])
+
case "${with_mem_check}" in
valgrind)
AC_CHECK_HEADER(
@@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
fi
fi
-dnl
-dnl check for SELinux library and headers
-dnl
-if test "${enable_selinux}" = "yes"; then
- AC_CHECK_HEADER(
- [selinux/selinux.h],
- [AC_CHECK_LIB(
- [selinux],
- [setcon],
- [
- LIBS="${LIBS} -lselinux"
- AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
- ],
- [AC_MSG_RESULT([SELinux library not found.])]
- )],
- [AC_MSG_ERROR([SELinux headers not found.])]
- )
-fi
-
if test -n "${SP_PLATFORM_WINDOWS}"; then
AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator]) #"
@@ -896,6 +884,12 @@ else
fi
fi
+if test "${enable_selinux}" = "yes"; then
+ test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but missing])
+ OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
+ AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
+fi
+
if test "${enable_pedantic}" = "yes"; then
enable_strict="yes"
CFLAGS="${CFLAGS} -ansi -pedantic"
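Review bot: The new `--enable-selinux` block only tests that `SELINUX_LIBS` is non-empty, so the `selinux/selinux.h` header check that the removed block performed is no longer done anywhere in this diff. On a host with libselinux but without its development headers, configure would now succeed and define `ENABLE_SELINUX`, and the build would presumably fail later at the `#include <selinux/selinux.h>` in syshead.h. Consider adding `AC_CHECK_HEADER([selinux/selinux.h], , [AC_MSG_ERROR([SELinux headers not found.])])` inside this `if`, before the `AC_DEFINE`. Keeping the failure at configure time also makes it obvious to a packager that the `--setcon` confinement feature was requested but cannot be built.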
@@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
AC_SUBST([TAP_WIN_MIN_MINOR])
AC_SUBST([OPTIONAL_DL_LIBS])
+AC_SUBST([OPTIONAL_SELINUX_LIBS])
AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 86abd09..a3f8b3a 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -97,6 +97,7 @@ openvpn_SOURCES = \
cryptoapi.h cryptoapi.c
openvpn_LDADD = \
$(SOCKETS_LIBS) \
+ $(OPTIONAL_SELINUX_LIBS) \
$(OPTIONAL_DL_LIBS)
if WIN32
openvpn_SOURCES += openvpn_win32_resources.rc
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index b8f57b2..0c995ff 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
mstats_open(c->options.memstats_fn);
#endif
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
/* Apply a SELinux context in order to restrict what OpenVPN can do
* to _only_ what it is supposed to do after initialization is complete
* (basically just network I/O operations). Doing it after chroot
@@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
msg (M_WARN, "WARNING: --ping should normally be used with --ping-restart or --ping-exit");
if (o->username || o->groupname || o->chroot_dir
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
|| o->selinux_context
#endif
)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index d7f848e..4e95b83 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -316,7 +316,7 @@ static const char usage_message[] =
"--user user : Set UID to user after initialization.\n"
"--group group : Set GID to group after initialization.\n"
"--chroot dir : Chroot to this directory after initialization.\n"
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
"--setcon context: Apply this SELinux context after initialization.\n"
#endif
"--cd dir : Change to this directory before initialization.\n"
@@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
SHOW_STR (groupname);
SHOW_STR (chroot_dir);
SHOW_STR (cd_dir);
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
SHOW_STR (selinux_context);
#endif
SHOW_STR (writepid);
@@ -4525,7 +4525,7 @@ add_option (struct options *options,
}
options->cd_dir = p[1];
}
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
else if (streq (p[0], "setcon") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 6af4b3a..57b88b7 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -310,7 +310,7 @@ struct options
const char *groupname;
const char *chroot_dir;
const char *cd_dir;
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
char *selinux_context;
#endif
const char *writepid;
diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
index 1ad81d8..cac4757 100644
--- a/src/openvpn/syshead.h
+++ b/src/openvpn/syshead.h
@@ -176,7 +176,7 @@
#include <sys/epoll.h>
#endif
-#ifdef HAVE_SETCON
+#ifdef ENABLE_SELINUX
#include <selinux/selinux.h>
#endif