| Summary: | login app does not work with SELinux enabled | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | user7 <ejohanse> |
| Component: | Other | Assignee: | unassigned |
| Status: | NEW --- | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.23.x | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
| Attachments: | Patch to busybox to resolve the issue | ||
Created attachment 7406
Patch to busybox to resolve the issue

With SELinux enabled, even if only in permissive mode, the login application errors out here:

```c
/* loginutils/login.c, initselinux() */
...
if (get_default_context(username, NULL, user_sid)) {
    bb_error_msg_and_die("can't get SID for %s", username);
}
```

After much debugging, it appears that this libselinux API requires passing in an SELinux user, not the regular Linux username (which is what busybox is passing in). I found that the Linux PAM library does the following when using a similar libselinux API, and applied a similar patch to busybox (attached), which now works.

```c
/* modules/pam_selinux/pam_selinux.c */
#ifdef HAVE_GETSEUSER
    if (!(service = get_item(pamh, PAM_SERVICE))) {
        pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name");
        return PAM_SESSION_ERR;
    }
    if (getseuser(username, service, &seuser, &level) == 0) {
#else
    if (getseuserbyname(username, &seuser, &level) == 0) {
#endif
        num_contexts = get_ordered_context_list_with_level(seuser, level, NULL, &contextlist);
```

I have also filed a request with libselinux to improve its documentation by specifying whether user names passed in are expected to be SELinux users only.
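The distinction the report turns on is that a Linux login name and an SELinux user are different identifiers, joined by the `login:seuser:mls_range` entries in the policy's `seusers` file, with the reserved `__default__` login covering everyone not listed. The following stand-alone C program is an added illustration of that mapping, not code from busybox, libselinux or Linux-PAM: it parses a constructed `seusers`-style table (the entries, and the login names `alice` and `bob`, are made up for the example) and returns the SELinux user and level that a lookup such as `getseuserbyname()` would hand to a context-selection call, with the `__default__` fallback applied when the login has no entry of its own. A real port should keep calling libselinux rather than reparsing the file; the point here is only to show what value the context-selection API expects and why the raw login name is not it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the format of /etc/selinux/<policy>/seusers:
 * one "login:seuser:mls_range" entry per line, '#' comments, and the
 * reserved "__default__" login used when no explicit entry matches.
 * Hypothetical content for this example, not taken from any real host. */
static const char *SAMPLE_SEUSERS =
    "# login : SELinux user : MLS/MCS range\n"
    "system_u:system_u:s0-s0:c0.c1023\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "alice:user_u:s0\n"
    "__default__:unconfined_u:s0-s0:c0.c1023\n";

struct seuser_entry {
    char seuser[64];   /* SELinux user, e.g. "user_u" */
    char level[64];    /* MLS/MCS range, may itself contain ':' */
};

/* Parse one "login:seuser:level" line; return 1 if it names `login`.
 * Only the first two ':' separate fields, so a range such as
 * "s0-s0:c0.c1023" survives intact in `level`. */
static int parse_entry(const char *line, size_t len, const char *login,
                       struct seuser_entry *out)
{
    const char *c1 = memchr(line, ':', len);
    if (!c1) return 0;
    size_t login_len = (size_t)(c1 - line);
    if (login_len != strlen(login) || memcmp(line, login, login_len) != 0)
        return 0;                               /* exact match only, no prefixes */
    const char *rest = c1 + 1;
    size_t rest_len = len - login_len - 1;
    const char *c2 = memchr(rest, ':', rest_len);
    size_t seuser_len = c2 ? (size_t)(c2 - rest) : rest_len;
    if (seuser_len == 0 || seuser_len >= sizeof out->seuser) return 0;
    memcpy(out->seuser, rest, seuser_len);
    out->seuser[seuser_len] = '\0';
    if (c2) {
        size_t level_len = rest_len - seuser_len - 1;
        if (level_len >= sizeof out->level) return 0;
        memcpy(out->level, c2 + 1, level_len);
        out->level[level_len] = '\0';
    } else {
        out->level[0] = '\0';                   /* entry without a range */
    }
    return 1;
}

/* Walk the table for `login`; return 0 on match, -1 if absent. */
static int find_login(const char *db, const char *login, struct seuser_entry *out)
{
    const char *p = db;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[0] != '#' && parse_entry(p, len, login, out))
            return 0;
        if (!nl) break;
        p = nl + 1;
    }
    return -1;
}

/* Map a Linux login to its SELinux user and level, falling back to the
 * "__default__" entry. Returns 0 on success, -1 when neither the login
 * nor __default__ is present (the equivalent of a failed lookup). */
int lookup_seuser(const char *db, const char *login, struct seuser_entry *out)
{
    if (find_login(db, login, out) == 0) return 0;
    return find_login(db, "__default__", out);
}

/* Accessors returning static storage, NULL when the lookup fails. */
const char *seuser_for_login(const char *db, const char *login)
{
    static struct seuser_entry e;
    return lookup_seuser(db, login, &e) == 0 ? e.seuser : NULL;
}

const char *level_for_login(const char *db, const char *login)
{
    static struct seuser_entry e;
    return lookup_seuser(db, login, &e) == 0 ? e.level : NULL;
}

int main(void)
{
    const char *logins[] = { "root", "alice", "bob" };
    for (size_t i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        struct seuser_entry e;
        if (lookup_seuser(SAMPLE_SEUSERS, logins[i], &e) == 0)
            printf("login %-6s -> seuser %-13s level %s\n", logins[i], e.seuser, e.level);
        else
            printf("login %-6s -> no entry and no __default__\n", logins[i]);
    }
    return 0;
}
```

Note that `alice` resolves to `user_u`, not to `alice`: it is that resolved `seuser` (plus the level) that the context-selection call needs, which is why passing the bare login name, as the original busybox code did, has no entry to match against. The unlisted `bob` still resolves through `__default__`, so a lookup failure in practice normally means a missing or unreadable table rather than an unknown user.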