git.ipfire.org Git - thirdparty/util-linux.git/commit
sulogin: relabel terminal according to SELinux policy
author Christian Göttsche <cgzones@googlemail.com>
Wed, 13 Dec 2023 15:53:20 +0000 (16:53 +0100)
committer Karel Zak <kzak@redhat.com>
Wed, 17 Jan 2024 08:56:38 +0000 (09:56 +0100)
commit eb02db62685cca30e5afc61652c8b6e9cd0774e9
tree 1b610f8519fd8ae3f14ddbab74d57e84ac27da87
parent bf6dbd34534c9233d6eb4607003a4fd1f1db94e7

The common SELinux practice is to have a distinct label for terminals in
use by logged-in users.  This allows differentiating access on the
associated terminal (e.g. user_tty_device_t) vs foreign ones (e.g.
tty_device_t or sysadm_tty_device_t).  Therefore the application
performing the user login and setting up the associated terminal should
label that terminal according to the loaded SELinux policy.  Commonly
this is done by pam_selinux(7).  Since sulogin(8) does not use pam(7),
perform the necessary steps manually.

Fixes: https://github.com/util-linux/util-linux/issues/1578
Reviewed-by: James Carter <jwcart2@gmail.com>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
login-utils/sulogin-consoles.c
login-utils/sulogin-consoles.h
login-utils/sulogin.c
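
An added illustration, not code from this commit or from util-linux: a simplified, self-contained model of the policy lookup behind terminal relabeling, in which type_change-style rules map the login domain and the terminal's current type to the type the terminal should carry. The rule table, the sample contexts and the function name model_relabel are constructed assumptions; on a real system the answer comes from the loaded policy, which libselinux exposes as security_compute_relabel(3).

```c
#include <stdio.h>
#include <string.h>

/* Constructed rules modelled on policy type_change statements:
 * (login domain, current tty type, class) -> type the tty is relabelled to. */
struct type_change { const char *source, *target, *tclass, *result; };
static const struct type_change rules[] = {
    { "sysadm_t", "tty_device_t", "chr_file", "sysadm_tty_device_t" },
    { "user_t",   "tty_device_t", "chr_file", "user_tty_device_t" },
};

struct ctx { char user[64], role[64], type[64], rest[64]; };

/* Split "user:role:type[:level]"; rest keeps ":level" or stays empty. */
static int parse_ctx(const char *s, struct ctx *c)
{
    c->rest[0] = '\0';
    return sscanf(s, "%63[^:]:%63[^:]:%63[^:]%63s",
                  c->user, c->role, c->type, c->rest) >= 3 ? 0 : -1;
}

/* Simplified model of a relabel query: only the type field changes, and a
 * tty type without a matching rule is kept. Returns 0, or -1 on bad input. */
int model_relabel(const char *scon, const char *tcon, const char *tclass,
                  char *out, size_t outsz)
{
    struct ctx s, t;
    size_t i;
    int n;
    if (parse_ctx(scon, &s) || parse_ctx(tcon, &t))
        return -1;
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (!strcmp(rules[i].source, s.type) && !strcmp(rules[i].target, t.type) &&
            !strcmp(rules[i].tclass, tclass)) {
            snprintf(t.type, sizeof(t.type), "%s", rules[i].result);
            break;
        }
    n = snprintf(out, outsz, "%s:%s:%s%s", t.user, t.role, t.type, t.rest);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char buf[256];
    /* Constructed contexts: a sysadm_t login on a generically labelled tty. */
    if (!model_relabel("root:sysadm_r:sysadm_t:s0",
                       "system_u:object_r:tty_device_t:s0", "chr_file", buf, sizeof(buf)))
        puts(buf);
}
```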