Page MenuHomeFreeBSD
Differential D53362

libutil: defer setting the MAC label until after the login class
ClosedPublic
Actions

Authored by kevans on Oct 26 2025, 3:01 PM.
Tags
None
Referenced Files
F150667439: D53362.diff
Fri, Apr 3, 5:32 AM
F150585827: D53362.diff
Thu, Apr 2, 2:59 PM
Unknown Object (File)
Fri, Mar 13, 11:27 PM
Unknown Object (File)
Mar 3 2026, 8:23 AM
Unknown Object (File)
Mar 2 2026, 8:05 PM
Unknown Object (File)
Mar 2 2026, 8:04 PM
Unknown Object (File)
Mar 2 2026, 8:04 PM
Unknown Object (File)
Mar 1 2026, 12:50 AM
View All 35 Files
Subscribers
andrew_tao173.riddles.org.uk
imp

Details

Reviewers
des
olce
Commits
rG98edcbcce0a4: libutil: defer setting the MAC label until after the login class
Summary

MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied. For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.

Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.

Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.

PR: 177698
Co-authored-by: Kevin Barry <ta0kira gmail com>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
lib/
libutil/
55 lines

Diff 165278

View Options

lib/libutil/login_class.c

Loading...