Page MenuHomeFreeBSD
Differential D53362

libutil: defer setting the MAC label until after the login class
ClosedPublic
Actions

Authored by kevans on Oct 26 2025, 3:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, May 18, 9:33 PM
Unknown Object (File)
Wed, May 13, 4:43 PM
Unknown Object (File)
Wed, May 13, 4:42 PM
Unknown Object (File)
Wed, May 13, 4:31 PM
Unknown Object (File)
Sun, May 10, 5:02 PM
Unknown Object (File)
Tue, Apr 28, 9:00 PM
Unknown Object (File)
Apr 27 2026, 3:07 PM
Unknown Object (File)
Apr 25 2026, 11:02 AM
View All 48 Files
Subscribers
andrew_tao173.riddles.org.uk
imp

Details

Reviewers
des
olce
Commits
rG98edcbcce0a4: libutil: defer setting the MAC label until after the login class
Summary

MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied. For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.

Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.

Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.

PR: 177698
Co-authored-by: Kevin Barry <ta0kira gmail com>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
lib/
libutil/
55 lines

Diff 165278

View Options

lib/libutil/login_class.c

Loading...