Hi,
We are working on enabling SELinux for BusyBox.
We found a potential issue below, with a suggested patch:
loginutils/login.c::initselinux() should use the SELinux seuser for the default
context, not the Linux username.
Patch getseuserbyname() before the get_default_context().
Reference: getseuserbyname on
https://selinuxproject.org/page/LibselinuxAPISummary
Example code:
https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c
-Chang
--
This email may contain confidential information. Please do not use or disclose
it in any way and delete it if you are not the intended recipient.
diff --git a/loginutils/login.c b/loginutils/login.c
index 25bb5203b..9e41f8a84 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
static void initselinux(char *username, char *full_tty,
security_context_t *user_sid)
{
+ char *seuser = NULL, *level = NULL;
security_context_t old_tty_sid, new_tty_sid;
if (!is_selinux_enabled())
return;
- if (get_default_context(username, NULL, user_sid)) {
+ if (getseuserbyname(username, &seuser, &level)) {
+ bb_error_msg_and_die("can't get seuser for %s", username);
+ }
+ if (get_default_context(seuser, NULL, user_sid)) {
bb_error_msg_and_die("can't get SID for %s", username);
}
if (getfilecon(full_tty, &old_tty_sid) < 0) {
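Review bot: the failure branch of the new get_default_context(seuser, ...) call still reports only `username` ("can't get SID for %s"), so a failure caused by a bad seusers mapping is indistinguishable from a missing context for the Linux user. Since the lookup now goes through the seuser, include it in the message, e.g. `bb_error_msg_and_die("can't get SID for %s (seuser %s)", username, seuser);`. The getseuserbyname() return check itself is correct (0 on success, nonzero on failure), and the early die calls mean no cleanup is needed on those paths.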
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
if (setfilecon(full_tty, new_tty_sid) != 0) {
bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
}
+
+ if (ENABLE_FEATURE_CLEAN_UP) {
+ free(seuser);
+ free(level);
+ }
}
#endif
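Review bot: `level` is obtained from getseuserbyname() and then only freed here, never used, so the MLS level configured in seusers is silently dropped while get_default_context() is called with a NULL level. If that is intended, a short comment saying the level is discarded would help the next reader; otherwise libselinux provides get_default_context_with_level(seuser, level, NULL, user_sid), which would honor the configured level. Gating the frees on ENABLE_FEATURE_CLEAN_UP matches busybox convention, but the `+` line above the block is an empty added line and should carry no trailing whitespace.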
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox