
List:       busybox
Subject:    [selinux] loginutils/login.c::initselinux() should use the selinux seuser
From:       <pchang9 () itri ! org ! tw>
Date:       2020-01-10 1:42:49
Message-ID: 1578620569195.36742 () itri ! org ! tw

Hi,


We are working on enabling SELinux for BusyBox.

We found a potential issue below, with suggested patch:


loginutils/login.c::initselinux() should use the SELinux seuser for the default context, not the Linux username.

Patch getseuserbyname() before the get_default_context().


Reference: getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary

Example code: https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c



-Chang


--
This email may contain ITRI confidential information. If you are not the designated recipient, please do not use or disclose its contents, and please destroy this email.
This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.

["use_getseuserbyname.patch" (text/x-patch)]

diff --git a/loginutils/login.c b/loginutils/login.c
index 25bb5203b..9e41f8a84 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
 static void initselinux(char *username, char *full_tty,
 						security_context_t *user_sid)
 {
+	char *seuser = NULL, *level = NULL;
 	security_context_t old_tty_sid, new_tty_sid;
 
 	if (!is_selinux_enabled())
 		return;
 
-	if (get_default_context(username, NULL, user_sid)) {
+	if (getseuserbyname(username, &seuser, &level)) {
+		bb_error_msg_and_die("can't get seuser for %s", username);
+	}
+	if (get_default_context(seuser, NULL, user_sid)) {
 		bb_error_msg_and_die("can't get SID for %s", username);
 	}
 	if (getfilecon(full_tty, &old_tty_sid) < 0) {
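Review bot: the `level` that getseuserbyname() returns is never used: the new get_default_context(seuser, NULL, user_sid) call has no level argument, so on an MLS/MCS policy the level configured for this login in seusers is dropped. libselinux also provides get_default_context_with_level(seuser, level, NULL, user_sid), which would carry it through; if the plain call is kept on purpose, a short comment saying so would help. The second bb_error_msg_and_die still reports only username; including seuser as well (e.g. "can't get SID for %s (seuser %s)") makes a missing or mistyped seusers entry much easier to diagnose.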
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
 	if (setfilecon(full_tty, new_tty_sid) != 0) {
 		bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
 	}
+
+	if (ENABLE_FEATURE_CLEAN_UP) {
+		free(seuser);
+		free(level);
+	}
 }
 #endif
 
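Review bot: the two free() calls only run on the success path, which is correct today only because every failure between getseuserbyname() and this block goes through bb_*_msg_and_die(); anyone later adding an early return in between would leak both strings. Since free(NULL) is a no-op, the calls could be left unconditional rather than behind ENABLE_FEATURE_CLEAN_UP at no cost, or the strings could simply be freed right after get_default_context() succeeds, which is their last use.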

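An added illustration of the mapping step the patch introduces (this is not code from the patch, from BusyBox or from libselinux): a minimal re-implementation of the seusers-file lookup that getseuserbyname() performs, run over a constructed sample table, showing that the Linux login name (`alice`) and the SELinux user that get_default_context() needs (`staff_u`) are different strings, and that logins without an entry fall back to `__default__`. The table contents and the helper names are assumptions made for the example; a real login goes through libselinux.

```c
#include <stdio.h>
#include <string.h>
#define SEUSERS_SAMPLE \
    "# constructed sample of /etc/selinux/<policy>/seusers\n" \
    "root:unconfined_u:s0-s0:c0.c1023\n" \
    "alice:staff_u:s0-s0:c0.c1023\n" \
    "__default__:user_u:s0\n"

/* Scan seusers text ("login:seuser[:level]" per line) for `login`. */
static int find_entry(const char *seusers, const char *login,
                      char *seuser, size_t su_sz, char *level, size_t lv_sz)
{
    const char *p = seusers;
    while (*p) {
        char line[256], l[64], su[64], lv[64] = "";
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        snprintf(line, sizeof line, "%.*s", (int)len, p);
        p += nl ? len + 1 : len;
        if (line[0] == '#' || sscanf(line, "%63[^:]:%63[^:]:%63s", l, su, lv) < 2)
            continue;                       /* comment, blank or malformed */
        if (strcmp(l, login) == 0) {
            snprintf(seuser, su_sz, "%s", su);
            snprintf(level, lv_sz, "%s", lv);
            return 0;
        }
    }
    return -1;
}

/* Resolve Linux login `name` to its SELinux user and MLS level the way the
 * seusers lookup behind getseuserbyname() does: an explicit entry wins,
 * otherwise the __default__ entry applies. Returns 0 on success, -1 if none. */
int lookup_seuser(const char *seusers, const char *name,
                  char *seuser, size_t su_sz, char *level, size_t lv_sz)
{
    if (find_entry(seusers, name, seuser, su_sz, level, lv_sz) == 0)
        return 0;
    return find_entry(seusers, "__default__", seuser, su_sz, level, lv_sz);
}

/* Check helper: does `name` resolve to the given SELinux user and level? */
int maps_to(const char *seusers, const char *name,
            const char *exp_user, const char *exp_level)
{
    char su[64], lv[64];
    return lookup_seuser(seusers, name, su, sizeof su, lv, sizeof lv) == 0
        && strcmp(su, exp_user) == 0 && strcmp(lv, exp_level) == 0;
}
```

Passing `alice` straight to get_default_context(), as the pre-patch code did, asks the policy about a SELinux user that does not exist; the lookup above is what turns it into `staff_u` first.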

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
