summaryrefslogtreecommitdiff
path: root/loginutils
diff options
context:
space:
mode:
Diffstat (limited to 'loginutils')
-rw-r--r--loginutils/login.c52
-rw-r--r--loginutils/su.c5
-rw-r--r--loginutils/sulogin.c6
3 files changed, 35 insertions, 28 deletions
diff --git a/loginutils/login.c b/loginutils/login.c
index 34095a6..5186e23 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -17,10 +17,10 @@
#include "busybox.h"
#ifdef CONFIG_SELINUX
-#include <flask_util.h>
-#include <get_sid_list.h>
-#include <proc_secure.h>
-#include <fs_secure.h>
+#include <selinux/selinux.h> /* for is_selinux_enabled() */
+#include <selinux/get_context_list.h> /* for get_default_context() */
+#include <selinux/flask.h> /* for security class definitions */
+#include <errno.h>
#endif
#ifdef CONFIG_FEATURE_U_W_TMP
@@ -79,8 +79,7 @@ extern int login_main(int argc, char **argv)
char *opt_host = 0;
int alarmstarted = 0;
#ifdef CONFIG_SELINUX
- int flask_enabled = is_flask_enabled();
- security_id_t sid = 0, old_tty_sid, new_tty_sid;
+ security_context_t stat_sid = NULL, sid = NULL, old_tty_sid=NULL, new_tty_sid=NULL;
#endif
username[0]=0;
@@ -225,41 +224,45 @@ auth_ok:
#ifdef CONFIG_FEATURE_U_W_TMP
setutmp ( username, tty );
#endif
+
+ if ( *tty != '/' )
+ snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
+ else
+ safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 );
+
#ifdef CONFIG_SELINUX
- if (flask_enabled)
+ if (is_selinux_enabled())
{
struct stat st;
+ int rc;
- if (get_default_sid(username, 0, &sid))
+ if (get_default_context(username, NULL, &sid))
{
fprintf(stderr, "Unable to get SID for %s\n", username);
exit(1);
}
- if (stat_secure(tty, &st, &old_tty_sid))
+ rc = getfilecon(full_tty,&stat_sid);
+ freecon(stat_sid);
+ if ((rc<0) || (stat(full_tty, &st)<0))
{
- fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", tty, strerror(errno));
+ fprintf(stderr, "stat_secure(%.100s) failed: %.100s\n", full_tty, strerror(errno));
return EXIT_FAILURE;
}
- if (security_change_sid (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
+ if (security_compute_relabel (sid, old_tty_sid, SECCLASS_CHR_FILE, &new_tty_sid) != 0)
{
- fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", tty, strerror(errno));
+ fprintf(stderr, "security_change_sid(%.100s) failed: %.100s\n", full_tty, strerror(errno));
return EXIT_FAILURE;
}
- if(chsid(tty, new_tty_sid) != 0)
+ if(setfilecon(full_tty, new_tty_sid) != 0)
{
- fprintf(stderr, "chsid(%.100s, %d) failed: %.100s\n", tty, new_tty_sid, strerror(errno));
+ fprintf(stderr, "chsid(%.100s, %s) failed: %.100s\n", full_tty, new_tty_sid, strerror(errno));
return EXIT_FAILURE;
}
+ freecon(sid);
+ freecon(old_tty_sid);
+ freecon(new_tty_sid);
}
- else
- sid = 0;
#endif
-
- if ( *tty != '/' )
- snprintf ( full_tty, sizeof( full_tty ) - 1, "/dev/%s", tty);
- else
- safe_strncpy ( full_tty, tty, sizeof( full_tty ) - 1 );
-
if ( !is_my_tty ( full_tty ))
syslog ( LOG_ERR, "unable to determine TTY name, got %s\n", full_tty );
@@ -279,11 +282,10 @@ auth_ok:
if ( pw-> pw_uid == 0 )
syslog ( LOG_INFO, "root login %s\n", fromhost );
- run_shell ( tmp, 1, 0, 0
#ifdef CONFIG_SELINUX
- , sid
+ set_current_security_context(sid);
#endif
- ); /* exec the shell finally. */
+ run_shell ( tmp, 1, 0, 0); /* exec the shell finally. */
return EXIT_FAILURE;
}
diff --git a/loginutils/su.c b/loginutils/su.c
index ec0c16c..5f61409 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -147,11 +147,10 @@ int su_main ( int argc, char **argv )
change_identity ( pw );
setup_environment ( opt_shell, opt_loginshell, !opt_preserve, pw );
- run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args
#ifdef CONFIG_SELINUX
- , 0
+ set_current_security_context(NULL);
#endif
- );
+ run_shell ( opt_shell, opt_loginshell, opt_command, (const char**)opt_args);
return EXIT_FAILURE;
}
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
index f21b095..a458b6e 100644
--- a/loginutils/sulogin.c
+++ b/loginutils/sulogin.c
@@ -153,6 +153,12 @@ extern int sulogin_main(int argc, char **argv)
puts("Entering System Maintenance Mode\n");
fflush(stdout);
syslog(LOG_INFO, "System Maintenance Mode\n");
+
+#ifdef CONFIG_SELINUX
+ renew_current_security_context();
+#endif
+
run_shell(pwent.pw_shell, 1, 0, 0);
+
return (0);
}