Use getseuserbyname() to get the seuser associated with username and use that instead with get_default_context()
>From get_default_context.3: "These functions takes a SELinux user identity that must be defined in the SELinux policy as their input, not a Linux username."
Signed-off-by: Dominick Grift <[email protected]>
---
 loginutils/login.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/loginutils/login.c b/loginutils/login.c
index 301be4a34..4992bb0e6 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -183,12 +183,16 @@ static void die_if_nologin(void)
 static void initselinux(char *username, char *full_tty,
 security_context_t *user_sid)
 {
+ char *seuser = NULL, *level = NULL;
 security_context_t old_tty_sid, new_tty_sid;

 if (!is_selinux_enabled())
 return;

- if (get_default_context(username, NULL, user_sid)) {
+ if (getseuserbyname(username, &seuser, &level)) {
+ bb_error_msg_and_die("can't get seuser for %s", username);
+ }
+ if (get_default_context(seuser, NULL, user_sid)) {
 bb_error_msg_and_die("can't get SID for %s", username);
 }
 if (getfilecon(full_tty, &old_tty_sid) < 0) {
@@ -201,6 +205,11 @@ static void initselinux(char *username, char *full_tty,
 if (setfilecon(full_tty, new_tty_sid) != 0) {
 bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid);
 }
+
+ if (ENABLE_FEATURE_CLEAN_UP) {
+ free(seuser);
+ free(level);
+ }
 }
 #endif

-- 
2.47.2
_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
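Review bot: The `level` that getseuserbyname() hands back is only freed and never consulted; the new `get_default_context(seuser, NULL, user_sid)` call still passes no MLS level, so on an MLS/MCS policy the default level configured for this login in seusers is ignored when the user context is chosen. libselinux provides `get_default_context_with_level(seuser, level, NULL, user_sid)` for exactly this pairing, and as far as I can tell it tolerates a NULL level for seusers entries without one, so replacing the plain get_default_context() call with it would make the lookup consistent with the seuser it is now keyed on. Both new failure branches go through bb_error_msg_and_die(), so seuser and level are not released on those paths — fine for a process that is exiting, but a short comment such as `/* on failure we exit, so seuser/level are deliberately not freed here */` would save the next reader from asking. initselinux() closes in the second hunk, outside this one.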
