diff options
| author | Petr Štetiar | 2025-06-09 15:44:44 +0000 |
|---|---|---|
| committer | Hauke Mehrtens | 2025-07-26 16:22:30 +0000 |
| commit | 5809bfaaacca1d10c2e77bd073065d1d3b77527e (patch) | |
| tree | 466b2269292cfccd0b1f5a4b69e111f39b6c69be | |
| parent | e805d8bac94d0d52221a3cf328ecc2078ca5cfbd (diff) | |
| download | openwrt-5809bfaaacca1d10c2e77bd073065d1d3b77527e.tar.gz | |
busybox: fix login applet on selinux
Currently the system boots up, but is unusable because pressing enter
does not provide login with error:
login: can't get SID for root
This is happenning, because login.c passes the Linux username directly
to get_default_context(), while libselinux expects an SELinux user
identity, causing the call to fail for users without a matching SELinux
name (e.g., root) and aborting login on SELinux-enabled systems.
Fixes: #19075
Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-April/091407.html]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/19080
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
| -rw-r--r-- | package/utils/busybox/patches/600-loginutils-login.c-libselinux-get_default_context-ex.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/package/utils/busybox/patches/600-loginutils-login.c-libselinux-get_default_context-ex.patch b/package/utils/busybox/patches/600-loginutils-login.c-libselinux-get_default_context-ex.patch new file mode 100644 index 0000000000..8c26ee001b --- /dev/null +++ b/package/utils/busybox/patches/600-loginutils-login.c-libselinux-get_default_context-ex.patch @@ -0,0 +1,51 @@ +From 850a6d031039237b0b13d8fab9f10a7cd4752907 Mon Sep 17 00:00:00 2001 +From: Dominick Grift <dominick.grift@defensec.nl> +Date: Sat, 5 Apr 2025 13:40:26 +0200 +Subject: [PATCH] loginutils/login.c: libselinux get_default_context() expects + seuser + +Use getseuserbyname() to get the seuser associated with username and use that +instead with get_default_context() + +>From get_default_context.3: +"These functions takes a SELinux user identity that must be defined in the SELinux policy as their input, not a Linux username." + +Fixes: #19075 +Upstream-Status: Submitted [https://lists.busybox.net/pipermail/busybox/2025-April/091407.html] +Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> +--- + loginutils/login.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/loginutils/login.c ++++ b/loginutils/login.c +@@ -183,12 +183,16 @@ static void die_if_nologin(void) + static void initselinux(char *username, char *full_tty, + security_context_t *user_sid) + { ++ char *seuser = NULL, *level = NULL; + security_context_t old_tty_sid, new_tty_sid; + + if (!is_selinux_enabled()) + return; + +- if (get_default_context(username, NULL, user_sid)) { ++ if (getseuserbyname(username, &seuser, &level)) { ++ bb_error_msg_and_die("can't get seuser for %s", username); ++ } ++ if (get_default_context(seuser, NULL, user_sid)) { + bb_error_msg_and_die("can't get SID for %s", username); + } + if (getfilecon(full_tty, &old_tty_sid) < 0) { +@@ -201,6 +205,11 @@ static void initselinux(char *username, + if (setfilecon(full_tty, new_tty_sid) != 0) { + bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid); + } ++ ++ if (ENABLE_FEATURE_CLEAN_UP) { ++ free(seuser); ++ free(level); ++ } + } + #endif + |