diff options
| author | Rob Landley <rob@landley.net> | 2006-03-27 23:04:42 +0000 |
|---|---|---|
| committer | Rob Landley <rob@landley.net> | 2006-03-27 23:04:42 +0000 |
| commit | d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6 (patch) | |
| tree | e1d5fc56e925feb6d3cfd984ee22809babbe44f6 | |
| parent | 164a5be04ebe59c9b5e0df97faa2543b8af2d7e8 (diff) | |
| download | busybox-d1f8c1c1258d400610e2fa136fb15cc8dfb4ffe6.tar.gz | |
From Jan Kiszka: This patch fixes the security labelling of the login terminal
and process... There still remains some stuff to clean up (the whole
set_current_security_context() appears unnecessary complex to me), but this is
now at least working.
| -rw-r--r-- | loginutils/login.c | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/loginutils/login.c b/loginutils/login.c index eadb17ddc..277fc98ee 100644 --- a/loginutils/login.c +++ b/loginutils/login.c @@ -79,7 +79,7 @@ int login_main(int argc, char **argv) char *opt_host = 0; int alarmstarted = 0; #ifdef CONFIG_SELINUX - security_context_t stat_sid = NULL, sid = NULL, old_tty_sid=NULL, new_tty_sid=NULL; + security_context_t user_sid = NULL; #endif username[0]=0; @@ -223,22 +223,19 @@ auth_ok: #ifdef CONFIG_SELINUX if (is_selinux_enabled()) { - struct stat st; - int rc; + security_context_t old_tty_sid, new_tty_sid; - if (get_default_context(username, NULL, &sid)) + if (get_default_context(username, NULL, &user_sid)) { fprintf(stderr, "Unable to get SID for %s\n", username); exit(1); } - rc = getfilecon(full_tty,&stat_sid); - freecon(stat_sid); - if ((rc<0) || (stat(full_tty, &st)<0)) + if (getfilecon(full_tty, &old_tty_sid) < 0) { - fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", full_tty, strerror(errno)); + fprintf(stderr, "getfilecon(%.100s) failed: %.100s\n", full_tty, strerror(errno)); return EXIT_FAILURE; } - if (security_compute_relabel (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) + if (security_compute_relabel(user_sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0) { fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", full_tty, strerror(errno)); return EXIT_FAILURE; @@ -248,9 +245,6 @@ auth_ok: fprintf(stderr, "chsid(%.100s, %s) failed: %.100s\n", full_tty, new_tty_sid, strerror(errno)); return EXIT_FAILURE; } - freecon(sid); - freecon(old_tty_sid); - freecon(new_tty_sid); } #endif if ( !is_my_tty ( full_tty )) @@ -273,7 +267,9 @@ auth_ok: if ( pw-> pw_uid == 0 ) syslog ( LOG_INFO, "root login %s\n", fromhost ); #ifdef CONFIG_SELINUX - set_current_security_context(sid); + /* well, a simple setexeccon() here would do the job as well, + * but let's play the game for now */ + set_current_security_context(user_sid); #endif run_shell ( tmp, 1, 0, 0); /* exec the shell finally. */ |