From Jan Kiszka: This patch fixes the security labelling of the login terminal

and process... There still remains some stuff to clean up (the whole set_current_security_context() appears unnecessary complex to me), but this is now at least working.
author: Rob Landley <rob@landley.net> 2006-03-27 23:04:42 +0000
committer: Rob Landley <rob@landley.net> 2006-03-27 23:04:42 +0000
commit: d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6 (patch)
tree: e1d5fc56e925feb6d3cfd984ee22809babbe44f6
parent: 164a5be04ebe59c9b5e0df97faa2543b8af2d7e8 (diff)
download: busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.tar.gz
busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.tar.bz2
busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.zip
1 files changed, 9 insertions, 13 deletions
diff --git a/loginutils/login.c b/loginutils/login.c
index eadb17ddc..277fc98ee 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -79,7 +79,7 @@ int login_main(int argc, char **argv)
        char *opt_host = 0;
        int alarmstarted = 0;
 #ifdef CONFIG_SELINUX
-        security_context_t stat_sid = NULL, sid = NULL, old_tty_sid=NULL, new_tty_sid=NULL;
+        security_context_t user_sid = NULL;
 #endif
        username[0]=0;
@@ -223,22 +223,19 @@ auth_ok:
 #ifdef CONFIG_SELINUX
        if (is_selinux_enabled())
        {
-                struct stat st;
+                security_context_t old_tty_sid, new_tty_sid;
-                int rc;
-                if (get_default_context(username, NULL, &sid))
+                if (get_default_context(username, NULL, &user_sid))
                {
                        fprintf(stderr, "Unable to get SID for %s\n", username);
                        exit(1);
                }
-                rc = getfilecon(full_tty,&stat_sid);
+                if (getfilecon(full_tty, &old_tty_sid) < 0)
-                freecon(stat_sid);
-                if ((rc<0) || (stat(full_tty, &st)<0))
                {
-                        fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", full_tty, strerror(errno));
+                        fprintf(stderr, "getfilecon(%.100s) failed: %.100s\n", full_tty, strerror(errno));
                        return EXIT_FAILURE;
                }
-                if (security_compute_relabel (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
+                if (security_compute_relabel(user_sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
                {
                        fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", full_tty, strerror(errno));
                        return EXIT_FAILURE;
@@ -248,9 +245,6 @@ auth_ok:
                        fprintf(stderr, "chsid(%.100s, %s) failed: %.100s\n", full_tty, new_tty_sid, strerror(errno));
                        return EXIT_FAILURE;
                }
-                freecon(sid);
-                freecon(old_tty_sid);
-                freecon(new_tty_sid);
        }
 #endif
        if ( !is_my_tty ( full_tty ))
@@ -273,7 +267,9 @@ auth_ok:
        if ( pw-> pw_uid == 0 )
                syslog ( LOG_INFO, "root login %s\n", fromhost );
 #ifdef CONFIG_SELINUX
-        set_current_security_context(sid);
+        /* well, a simple setexeccon() here would do the job as well,
+         * but let's play the game for now */
+        set_current_security_context(user_sid);
 #endif
        run_shell ( tmp, 1, 0, 0);      /* exec the shell finally. */
author	Rob Landley <rob@landley.net>	2006-03-27 23:04:42 +0000
committer	Rob Landley <rob@landley.net>	2006-03-27 23:04:42 +0000
commit	d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6 (patch)
tree	e1d5fc56e925feb6d3cfd984ee22809babbe44f6
parent	164a5be04ebe59c9b5e0df97faa2543b8af2d7e8 (diff)
download	busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.tar.gz busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.tar.bz2 busybox-w32-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.zip