Bug 10516 - login app does not work with SELinux enabled
Summary: login app does not work with SELinux enabled
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.23.x
Hardware: All Linux
: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2017-11-21 20:24 UTC by user7
Modified: 2017-11-21 20:24 UTC



Attachments
Patch to busybox to resolve the issue (1.02 KB, patch)
2017-11-21 20:24 UTC, user7

Description user7 2017-11-21 20:24:27 UTC
Created attachment 7406
Patch to busybox to resolve the issue

With SELinux enabled, even if only in permissive mode, the login application errors out here:

loginutils/login.c
initselinux()
...
if (get_default_context(username, NULL, user_sid)) {
    bb_error_msg_and_die("can't get SID for %s", username);
}

After much debugging, it appears that this libselinux API requires passing in an SELinux user, not the regular Linux username (which is what busybox is passing in).  I found that the Linux PAM library does the following when using a similar libselinux API, and applied a similar patch to busybox (attached) which now works.

modules/pam_selinux/pam_selinux.c
#ifdef HAVE_GETSEUSER
  if (!(service = get_item(pamh, PAM_SERVICE))) {
    pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name");
    return PAM_SESSION_ERR;
  }
  if (getseuser(username, service, &seuser, &level) == 0) {
#else
  if (getseuserbyname(username, &seuser, &level) == 0) {
#endif
    num_contexts = get_ordered_context_list_with_level(seuser, level, NULL,
                                                       &contextlist);

I have also filed a request with libselinux to improve its documentation by specifying if user names passed in are expected to be selinux users only.
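The mismatch the report describes is between two name spaces: the Linux login name and the SELinux user that the policy's seusers file maps it to, which is what getseuserbyname() consults before anything is handed to the context API. The following C program is an added illustration (it is not busybox code and not the attached patch): it parses a constructed seusers sample and resolves a login name to its SELinux user and MLS/MCS range, falling back to the __default__ entry the way a real seusers lookup does. The sample file contents, lookup_seuser(), the sample_*_for() wrappers and the struct names are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of an SELinux seusers file (the file that libselinux's
 * getseuserbyname() reads from /etc/selinux/<SELINUXTYPE>/seusers).  Each
 * line is  linux_login:selinux_user[:mls_range] ; "__default__" is the
 * fallback for logins that have no entry of their own.  Not a real file. */
static const char *sample_seusers =
    "# constructed sample for this example\n"
    "system_u:system_u:s0-s0:c0.c1023\n"
    "root:unconfined_u:s0-s0:c0.c1023\n"
    "staff:staff_u:s0-s0:c0.c1023\n"
    "__default__:user_u:s0\n";

struct seuser_entry {
    char seuser[64];
    char range[64];     /* empty string when the line carries no range */
};

/* Copy one parsed line into an entry, truncating over-long fields. */
static void fill_entry(struct seuser_entry *e, const char *seuser,
                       const char *range)
{
    snprintf(e->seuser, sizeof e->seuser, "%s", seuser);
    snprintf(e->range, sizeof e->range, "%s", range ? range : "");
}

/* Resolve a Linux login name to its SELinux user and range.
 * Returns 1 and fills *out on success (using the __default__ entry when
 * the login has no line of its own), 0 when nothing matches. */
static int lookup_seuser(const char *seusers_text, const char *login,
                         struct seuser_entry *out)
{
    char *copy = strdup(seusers_text);   /* strtok_r modifies its input */
    char *line, *saveptr = NULL;
    struct seuser_entry dflt;
    int found = 0, have_default = 0;

    if (!copy)
        return 0;
    memset(out, 0, sizeof *out);
    memset(&dflt, 0, sizeof dflt);

    for (line = strtok_r(copy, "\n", &saveptr); line != NULL;
         line = strtok_r(NULL, "\n", &saveptr)) {
        char *seuser, *range;

        if (line[0] == '#' || line[0] == '\0')
            continue;               /* comment or blank line */

        /* Split on the first two colons only: the MLS range may itself
         * contain colons (e.g. s0-s0:c0.c1023). */
        seuser = strchr(line, ':');
        if (!seuser)
            continue;               /* malformed line, skip it */
        *seuser++ = '\0';
        range = strchr(seuser, ':');
        if (range)
            *range++ = '\0';

        if (strcmp(line, login) == 0) {
            fill_entry(out, seuser, range);
            found = 1;
            break;                  /* an exact match wins */
        }
        if (strcmp(line, "__default__") == 0) {
            fill_entry(&dflt, seuser, range);
            have_default = 1;
        }
    }
    free(copy);

    if (!found && have_default) {
        *out = dflt;
        found = 1;
    }
    return found;
}

/* Convenience wrappers over the sample file (static buffer, not reentrant):
 * the SELinux user / range for a login, or NULL when it is not mappable. */
static const char *sample_seuser_for(const char *login)
{
    static struct seuser_entry e;
    return lookup_seuser(sample_seusers, login, &e) ? e.seuser : NULL;
}

static const char *sample_range_for(const char *login)
{
    static struct seuser_entry e;
    return lookup_seuser(sample_seusers, login, &e) ? e.range : NULL;
}

int main(void)
{
    const char *logins[] = { "root", "alice" };
    size_t i;

    for (i = 0; i < sizeof logins / sizeof logins[0]; i++) {
        const char *su = sample_seuser_for(logins[i]);
        const char *lv = sample_range_for(logins[i]);
        if (su)
            printf("%-6s -> seuser=%s level=%s\n", logins[i], su,
                   lv[0] ? lv : "(none)");
        else
            printf("%-6s -> no mapping\n", logins[i]);
    }
    return 0;
}
```

On a real system this lookup is done by libselinux's getseuserbyname(), and the resulting seuser/level pair is what get_default_context_with_level() expects; the example only makes visible why a bare login name such as "alice" is not something the context API can match against the policy, while "user_u" is.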