> One other note: before we can allow arbitrary ordering of class
> definitions, we need to update all userspace object managers to use
> selinux_set_mapping(). This includes cronie, usermode, pam, mcstrans,
> passwd, shadow-utils, util-linux-ng, nscd (glibc), dbus and possibly
> others I am forgetting. Also libselinux rpm_execcon().

busybox.

It uses checkPasswdAccess() which internally calls
string_to_security_class() but the requested access vector is
delivered without any translation.

#if ENABLE_SELINUX
static void check_selinux_update_passwd(const char *username)
{
    security_context_t context;
    char *seuser;

    if (getuid() != (uid_t)0 || is_selinux_enabled() == 0)
        return; /* No need to check */

    if (getprevcon_raw(&context) < 0)
        bb_perror_msg_and_die("getprevcon failed");

    seuser = strtok(context, ":");
    if (!seuser)
        bb_error_msg_and_die("invalid context '%s'", context);
    if (strcmp(seuser, username) != 0) {
        if (checkPasswdAccess(PASSWD__PASSWD) != 0)
            bb_error_msg_and_die("SELinux: access denied");
    }
    if (ENABLE_FEATURE_CLEAN_UP)
        freecon(context);
}
#else
#define check_selinux_update_passwd(username) ((void)0)
#endif

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
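
The mismatch described in the reply, as an added self-contained simulation (not code from busybox or libselinux): a build-time permission bit passed untranslated can be checked as a different permission once the policy's numbering changes, while a name-based translation of the kind selinux_set_mapping() sets up keeps the request on the intended permission. The policy tables, the APP_* constants and the helpers perm_to_av, av_to_perm and map_av are constructed for illustration, and the example assumes a policy that orders the class's permissions differently from the build-time numbering.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for a class: a permission's value is 1 << its index. */
struct class_def { const char *name; const char *perms[9]; };
/* Two constructed policies; the second orders the permissions differently. */
static const struct class_def legacy_policy = { "passwd", { "passwd", "chfn", "chsh", "rootok", NULL } };
static const struct class_def reordered_policy = { "passwd", { "rootok", "chsh", "chfn", "passwd", NULL } };
#define APP_PASSWD__PASSWD 0x1u /* program's build-time numbering (hypothetical names) */
#define APP_PASSWD__ROOTOK 0x2u
static const struct class_def app_map = { "passwd", { "passwd", "rootok", NULL } };

/* Name -> policy bit; 0 if the policy does not define the permission. */
static unsigned perm_to_av(const struct class_def *pol, const char *perm) {
    for (int i = 0; pol->perms[i]; i++)
        if (strcmp(pol->perms[i], perm) == 0)
            return 1u << i;
    return 0;
}

/* Policy bit -> name: the permission a raw vector is really checked as. */
static const char *av_to_perm(const struct class_def *pol, unsigned av) {
    for (int i = 0; pol->perms[i]; i++)
        if (av == (1u << i))
            return pol->perms[i];
    return "(undefined)";
}

/* App numbering -> policy numbering by name; -1 (fail closed) if unknown. */
static int map_av(const struct class_def *app, const struct class_def *pol, unsigned app_av, unsigned *out) {
    *out = 0;
    for (int i = 0; app->perms[i]; i++) {
        if (!(app_av & (1u << i)))
            continue;
        unsigned bit = perm_to_av(pol, app->perms[i]);
        if (!bit)
            return -1;
        *out |= bit;
    }
    return 0;
}

int main(void) {
    unsigned av = 0;
    int rc = map_av(&app_map, &reordered_policy, APP_PASSWD__PASSWD, &av);
    printf("legacy: raw 0x1 is '%s'\n", av_to_perm(&legacy_policy, APP_PASSWD__PASSWD));
    printf("reordered: raw 0x1 is '%s', mapped 0x%x is '%s'\n",
           av_to_perm(&reordered_policy, APP_PASSWD__PASSWD), av, av_to_perm(&reordered_policy, av));
    return rc != 0;
}
```

A caller should treat a -1 from map_av as a denial rather than proceeding with an empty vector.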