Page MenuHomeFreeBSD
Differential D53362

libutil: defer setting the MAC label until after the login class
ClosedPublic
Actions

Authored by kevans on Oct 26 2025, 3:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Apr 25, 11:02 AM
Unknown Object (File)
Wed, Apr 22, 1:47 PM
Unknown Object (File)
Mon, Apr 20, 6:37 PM
Unknown Object (File)
Mon, Apr 20, 3:07 PM
Unknown Object (File)
Fri, Apr 17, 5:06 PM
Unknown Object (File)
Sun, Apr 5, 7:52 PM
Unknown Object (File)
Fri, Apr 3, 5:32 AM
Unknown Object (File)
Thu, Apr 2, 2:59 PM
View All 41 Files
Subscribers
andrew_tao173.riddles.org.uk
imp

Details

Reviewers
des
olce
Commits
rG98edcbcce0a4: libutil: defer setting the MAC label until after the login class
Summary

MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied. For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.

Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.

Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.

PR: 177698
Co-authored-by: Kevin Barry <ta0kira gmail com>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
lib/
libutil/
55 lines

Diff 165278

View Options

lib/libutil/login_class.c

Loading...