
List:       busybox
Subject:    Re: [PATCH] Use seuser for SELinux login
From:       Joerg Vehlow <lkml () jv-coder ! de>
Date:       2022-07-28 6:45:47
Message-ID: 8a659e92-7da2-686a-9679-5b9ffa73a19b () jv-coder ! de

Hi,

According to the auto-reply from Po-Chun, he has left ITRI.
So don't expect a response from him.

Joerg


On 7/28/2022 at 8:26 AM, Joerg Vehlow wrote:
> Hi,
> 
> @maintainers: Is this ignored because it is not formatted correctly?
> 
> This seems to be a real bug that makes login unusable if SELinux is
> enabled.
> 
> @Po-Chun: Maybe try re-sending the patch using git send-email and with a
> clean commit message that describes the problem and gives a hint as to why
> your solution is correct.
> 
> Joerg
> 
> On 1/16/2020 at 7:31 AM, pchang9@itri.org.tw wrote:
>> Hi,
>>
>>
>> The previous mail is missing in the wild, so I am resending the same patch.
>>
>>
>> We are working on enabling SELinux for BusyBox.
>>
>> We thought login should use the seuser for the SELinux default
>> context, not the Linux username.
>>
>>
>> Reference and example:
>>
>> getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary
>>
>> https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c
>>
>> Signed-off-by: Po-Chun Chang <pchang9@itri.org.tw>
>> ---
>>  loginutils/login.c | 11 ++++++++++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/loginutils/login.c b/loginutils/login.c
>> index 4e65b3a19..11a82421b 100644
>> --- a/loginutils/login.c
>> +++ b/loginutils/login.c
>> @@ -178,12 +178,16 @@ static void die_if_nologin(void)
>>  static void initselinux(char *username, char *full_tty,
>>                                                 security_context_t
>> *user_sid)
>>  {
>> +       char *seuser = NULL, *level = NULL;
>>         security_context_t old_tty_sid, new_tty_sid;
>>
>>         if (!is_selinux_enabled())
>>                 return;
>>
>> -       if (get_default_context(username, NULL, user_sid)) {
>> +       if (getseuserbyname(username, &seuser, &level)) {
>> +               bb_error_msg_and_die("can't get seuser for %s", username);
>> +       }
>> +       if (get_default_context(seuser, NULL, user_sid)) {
>>                 bb_error_msg_and_die("can't get SID for %s", username);
>>         }
>>         if (getfilecon(full_tty, &old_tty_sid) < 0) {
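Review bot: the diagnostic on the get_default_context() failure path still names only username, although the lookup is now keyed by seuser, and the commit message does not say why passing the Linux username failed; print both, e.g. `bb_error_msg_and_die("can't get SID for %s (seuser %s)", username, seuser);`, and describe the observed failure in the commit message. Also, level is obtained from getseuserbyname() but never passed on, so an MLS range configured in seusers is silently discarded; either feed it to the context lookup (libselinux offers get_default_context_with_level() for this) or state that ignoring it is intended.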
>> @@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
>>         if (setfilecon(full_tty, new_tty_sid) != 0) {
>>                 bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty,
>> new_tty_sid);
>>         }
>> +
>> +       if (ENABLE_FEATURE_CLEAN_UP) {
>> +               free(seuser);
>> +               free(level);
>> +       }
>>  }
>>  #endif
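Review bot: the frees sit at the end of the function, far from the last use of seuser in get_default_context(); the two die paths in between exit the process anyway, but moving the ENABLE_FEATURE_CLEAN_UP block to directly after the get_default_context() call keeps the lifetime of the two heap strings obvious and makes the otherwise unused level stand out.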
>> ---
>>
>> --
>> This email may contain ITRI confidential information. If you are not the
>> intended recipient, please do not use or disclose its contents and destroy
>> this email. This email may contain confidential information. Please
>> do not use or disclose it in any way and delete it if you are not the
>> intended recipient.
>>
>> _______________________________________________
>> busybox mailing list
>> busybox@busybox.net
>> http://lists.busybox.net/mailman/listinfo/busybox
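The patch above switches login from the Linux username to the seuser that getseuserbyname() derives from the seusers file. As an added illustration that is not BusyBox or libselinux code, this stand-alone C model shows that mapping, including the __default__ fallback and the colon-containing MLS range the patch receives as level; lookup_seuser and SAMPLE_SEUSERS are hypothetical names, and the sample file content is constructed.

```c
#define _POSIX_C_SOURCE 200809L  /* for strndup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample of an /etc/selinux/<policy>/seusers file: one
 * "linux_user:seuser:mls_range" line each, plus the __default__ fallback. */
static const char *SAMPLE_SEUSERS =
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "alice:staff_u:s0\n"
    "__default__:user_u:s0\n";

/* Simplified, hypothetical model of getseuserbyname(): map a Linux login to
 * its SELinux user and MLS range, falling back to __default__. Returns 0 on
 * success, -1 if nothing matches; *seuser and *level are malloc'd. */
int lookup_seuser(const char *seusers, const char *username,
                  char **seuser, char **level)
{
    const char *best = NULL, *line = seusers;
    size_t best_len = 0, ulen = strlen(username);
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *colon = memchr(line, ':', len);
        if (colon) {
            size_t flen = (size_t)(colon - line);
            int exact = flen == ulen && !memcmp(line, username, flen);
            int dflt = flen == 11 && !memcmp(line, "__default__", 11);
            if (exact || (dflt && !best)) { best = line; best_len = len; }
            if (exact) break;  /* an exact entry beats __default__ */
        }
        line = end ? end + 1 : line + len;
    }
    if (!best) return -1;
    /* Split on the first two colons only: the MLS range may itself contain
     * ':' (e.g. s0-s0:c0.c1023) and must stay intact. */
    const char *f1 = (const char *)memchr(best, ':', best_len) + 1;
    size_t rest = best_len - (size_t)(f1 - best);
    const char *f2 = memchr(f1, ':', rest);
    *seuser = strndup(f1, f2 ? (size_t)(f2 - f1) : rest);
    *level = f2 ? strndup(f2 + 1, rest - (size_t)(f2 + 1 - f1)) : strdup("");
    return 0;
}

int main(void)
{
    char *s, *l;
    if (lookup_seuser(SAMPLE_SEUSERS, "bob", &s, &l) != 0) return 1;
    printf("bob -> seuser=%s level=%s\n", s, l);  /* resolved via __default__ */
    free(s); free(l);
    return 0;
}
```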
