[PATCH] Use seuser for SELinux login

pchang9 at itri.org.tw pchang9 at itri.org.tw
Thu Jan 16 06:31:42 UTC 2020


Hi,


The previous mail is missing in the wild, so I resend the same patch again.


We are working on enabling SELinux for BusyBox.

We thought login should use the seuser for the SELinux default context, not the Linux username.


Reference and example:

getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary

 https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c

Signed-off-by: Po-Chun Chang <pchang9 at itri.org.tw>
---
 loginutils/login.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/loginutils/login.c b/loginutils/login.c
index 4e65b3a19..11a82421b 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
 static void initselinux(char *username, char *full_tty,
                                                security_context_t *user_sid)
 {
+       char *seuser = NULL, *level = NULL;
        security_context_t old_tty_sid, new_tty_sid;

        if (!is_selinux_enabled())
                return;

-       if (get_default_context(username, NULL, user_sid)) {
+       if (getseuserbyname(username, &seuser, &level)) {
+               bb_error_msg_and_die("can't get seuser for %s", username);
+       }
+       if (get_default_context(seuser, NULL, user_sid)) {
                bb_error_msg_and_die("can't get SID for %s", username);
        }
        if (getfilecon(full_tty, &old_tty_sid) < 0) {
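Review bot: the `level` obtained at `if (getseuserbyname(username, &seuser, &level))` is never consumed; the next lookup still calls `get_default_context(seuser, NULL, user_sid)` with NULL where a level could go. libselinux also offers get_default_context_with_level(), which takes the seuser together with the level from the seusers mapping, so consider passing `level` through instead of discarding it; otherwise the MLS/MCS level configured for the user has no effect on the login context that is chosen. The "can't get SID for %s" message on the line after still reports `username`, which is the right thing to show the operator, though naming `seuser` as well would make it clearer which lookup failed.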
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
        if (setfilecon(full_tty, new_tty_sid) != 0) {
                bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
        }
+
+       if (ENABLE_FEATURE_CLEAN_UP) {
+               free(seuser);
+               free(level);
+       }
 }
 #endif
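Review bot: the new free() block sits after the last die path, so `seuser` and `level` are released only on the success path; the bb_*_msg_and_die() calls between getseuserbyname() and setfilecon() exit the process, so nothing leaks there. If `level` is not going to be used by the context lookup, freeing it right after getseuserbyname() succeeds would keep its lifetime short rather than carrying it to the end of the function under ENABLE_FEATURE_CLEAN_UP.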
---




--
This email may contain confidential information. Please do not use or disclose it in any way and delete it if you are not the intended recipient.