Page MenuHomeFreeBSD
Differential D53362

libutil: defer setting the MAC label until after the login class
ClosedPublic
Actions

Authored by kevans on Oct 26 2025, 3:01 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Mar 3, 8:23 AM
Unknown Object (File)
Mon, Mar 2, 8:05 PM
Unknown Object (File)
Mon, Mar 2, 8:04 PM
Unknown Object (File)
Mon, Mar 2, 8:04 PM
Unknown Object (File)
Sun, Mar 1, 12:50 AM
Unknown Object (File)
Thu, Feb 19, 7:37 PM
Unknown Object (File)
Sun, Feb 8, 10:34 AM
Unknown Object (File)
Sun, Feb 8, 8:40 AM
View All 32 Files
Subscribers
andrew_tao173.riddles.org.uk
imp

Details

Reviewers
des
olce
Commits
rG98edcbcce0a4: libutil: defer setting the MAC label until after the login class
Summary

MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied. For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.

Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.

Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.

PR: 177698
Co-authored-by: Kevin Barry <ta0kira gmail com>

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
lib/
libutil/
55 lines

Diff 165278

View Options

lib/libutil/login_class.c

Loading...