List: busybox
Subject: [selinux] loginutils/login.c::initselinux() should use the selinux seuser
From: <pchang9 () itri ! org ! tw>
Date: 2020-01-10 1:42:49
Message-ID: 1578620569195.36742 () itri ! org ! tw
Hi,
We are working on enabling SELinux for BusyBox.
We found a potential issue below, with suggested patch:
loginutils/login.c::initselinux() should use the SELinux seuser for default context, not the Linux username.
Patch getseuserbyname() before the get_default_context().
Reference: getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary
Example code: https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c
-Chang
--
This email may contain ITRI confidential information. If you are not the intended recipient, please do not use or disclose its contents, and please destroy this email.
This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.
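An added example (not code from this post, BusyBox or libselinux) of the lookup step the patch introduces: a minimal parser for the seusers mapping format that getseuserbyname() consults, run over a constructed sample, showing that the Linux username and the SELinux user (plus its MLS level) are separate things. The function names lookup_seuser, find_entry and mapping_is and the sample entries are the example's own.

```c
#include <string.h>
/* Constructed sample in the layout of /etc/selinux/<policy>/seusers:
 * one "linuxuser:seuser[:level]" entry per line, "__default__" as fallback. */
static const char SAMPLE_SEUSERS[] =
    "# comment lines are ignored\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "alice:staff_u:s0\n"
    "__default__:user_u:s0\n";
/* Copy out the seuser and level of the entry for 'name' (level may be empty);
 * 0 on a hit, -1 if absent, malformed, or too long for the buffers. */
static int find_entry(const char *seusers, const char *name,
                      char *seuser, size_t seuser_sz, char *level, size_t level_sz)
{
    size_t nlen = strlen(name);
    const char *line = seusers;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (line[0] != '#' && len > nlen && line[nlen] == ':' && !strncmp(line, name, nlen)) {
            const char *su = line + nlen + 1;                   /* seuser field */
            const char *su_end = memchr(su, ':', len - nlen - 1);
            size_t su_len = su_end ? (size_t)(su_end - su) : len - nlen - 1;
            const char *lv = su_end ? su_end + 1 : su + su_len; /* level field */
            size_t lv_len = (size_t)(line + len - lv);
            if (su_len == 0 || su_len >= seuser_sz || lv_len >= level_sz) return -1;
            memcpy(seuser, su, su_len); seuser[su_len] = '\0';
            memcpy(level, lv, lv_len);  level[lv_len] = '\0';
            return 0;
        }
        line = end ? end + 1 : line + len;
    }
    return -1;
}
/* The step login.c skipped: Linux user -> SELinux user (+ MLS level), falling back
 * to the "__default__" entry. Group ("%name") entries are not handled here. */
int lookup_seuser(const char *seusers, const char *linuxuser,
                  char *seuser, size_t seuser_sz, char *level, size_t level_sz)
{
    if (find_entry(seusers, linuxuser, seuser, seuser_sz, level, level_sz) == 0)
        return 0;
    return find_entry(seusers, "__default__", seuser, seuser_sz, level, level_sz);
}
/* Check helper: does 'linuxuser' map to exactly (want_seuser, want_level)? */
int mapping_is(const char *linuxuser, const char *want_seuser, const char *want_level)
{
    char su[64], lv[64];
    if (lookup_seuser(SAMPLE_SEUSERS, linuxuser, su, sizeof su, lv, sizeof lv) != 0)
        return 0;
    return strcmp(su, want_seuser) == 0 && strcmp(lv, want_level) == 0;
}
```

With this sample, "alice" resolves to staff_u at level s0 and an unlisted user such as "bob" falls back to user_u, which is exactly why passing the raw Linux username to get_default_context() gives the wrong answer.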
["use_getseuserbyname.patch" (text/x-patch)]
diff --git a/loginutils/login.c b/loginutils/login.c
index 25bb5203b..9e41f8a84 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
static void initselinux(char *username, char *full_tty,
security_context_t *user_sid)
{
+ char *seuser = NULL, *level = NULL;
security_context_t old_tty_sid, new_tty_sid;
if (!is_selinux_enabled())
return;
- if (get_default_context(username, NULL, user_sid)) {
+ if (getseuserbyname(username, &seuser, &level)) {
+ bb_error_msg_and_die("can't get seuser for %s", username);
+ }
+ if (get_default_context(seuser, NULL, user_sid)) {
bb_error_msg_and_die("can't get SID for %s", username);
}
if (getfilecon(full_tty, &old_tty_sid) < 0) {
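Review bot: the MLS level that getseuserbyname() returns in `level` is requested and then discarded, because `get_default_context(seuser, NULL, user_sid)` is called without it; on an MLS/MCS policy the session will not get the level configured for that seuser. Either pass it through with `get_default_context_with_level(seuser, level, NULL, user_sid)` or do not ask for it. Also, the die message after `get_default_context()` still reports `username` although the lookup was done for `seuser`; printing both (e.g. `"can't get SID for %s (seuser %s)"`) makes a misconfigured seusers file much easier to diagnose.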
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
if (setfilecon(full_tty, new_tty_sid) != 0) {
bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
}
+
+ if (ENABLE_FEATURE_CLEAN_UP) {
+ free(seuser);
+ free(level);
+ }
}
#endif
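Review bot: the cleanup block only runs on the success path, which is acceptable here because every earlier failure goes through bb_error_msg_and_die() / bb_perror_msg_and_die(), so nothing leaks on error. It is inconsistent, though: the contexts in `old_tty_sid` and `new_tty_sid` in the same function are never freed either, so if a CLEAN_UP block is being added, freecon() those two as well, or drop the block entirely. Note that free(NULL) is safe, so a NULL `level` (no level configured in seusers) needs no guard.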
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox