Hi,

The previous mail went missing in the wild, so I am resending the same patch.


We are working on enabling SELinux for BusyBox.

We thought login should use the seuser for the SELinux default context, not the
Linux username.


Reference and example:

getseuserbyname on https://selinuxproject.org/page/LibselinuxAPISummary

 
https://github.com/SELinuxProject/selinux/blob/master/libselinux/utils/getseuser.c

Signed-off-by: Po-Chun Chang <[email protected]>
---
 loginutils/login.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/loginutils/login.c b/loginutils/login.c
index 4e65b3a19..11a82421b 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -178,12 +178,16 @@ static void die_if_nologin(void)
 static void initselinux(char *username, char *full_tty,
                                                security_context_t *user_sid)
 {
+       char *seuser = NULL, *level = NULL;
        security_context_t old_tty_sid, new_tty_sid;

        if (!is_selinux_enabled())
                return;

-       if (get_default_context(username, NULL, user_sid)) {
+       if (getseuserbyname(username, &seuser, &level)) {
+               bb_error_msg_and_die("can't get seuser for %s", username);
+       }
+       if (get_default_context(seuser, NULL, user_sid)) {
                bb_error_msg_and_die("can't get SID for %s", username);
        }
        if (getfilecon(full_tty, &old_tty_sid) < 0) {
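Review bot: the level returned by getseuserbyname(username, &seuser, &level) is never used. The following call is get_default_context(seuser, NULL, user_sid), so on an MLS/MCS policy the range mapped to the login name is dropped and the session gets whatever default level the SELinux user carries. libselinux provides get_default_context_with_level(seuser, level, NULL, user_sid) for this case; please use it, or say in the commit message why the level is ignored on purpose. Also, the "can't get SID for %s" message still prints username although the lookup is now done with seuser; printing the seuser (or both) would make a failed mapping easier to diagnose.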
@@ -196,6 +200,11 @@ static void initselinux(char *username, char *full_tty,
        if (setfilecon(full_tty, new_tty_sid) != 0) {
                bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, 
new_tty_sid);
        }
+
+       if (ENABLE_FEATURE_CLEAN_UP) {
+               free(seuser);
+               free(level);
+       }
 }
 #endif
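Review bot: seuser and level are released only in the ENABLE_FEATURE_CLEAN_UP block at the very end of initselinux(), yet neither is read after the get_default_context() call in the previous hunk. Moving free(seuser) and free(level) to just after that call keeps allocation and release next to each other, and the tty relabeling code below does not need to carry them. If level is put to use as suggested for the first hunk, the same placement still works.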
---