Bug 462724 - SELinux support not built into busybox
Summary: SELinux support not built into busybox
Keywords:
Status: CLOSED DUPLICATE of bug 462654
Alias: None
Product: Fedora
Classification: Fedora
Component: busybox
Version: 10
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-09-18 15:16 UTC by David Quigley
Modified: 2008-12-02 14:58 UTC

Doc Type: Bug Fix
Last Closed: 2008-12-02 14:58:34 UTC

Description David Quigley 2008-09-18 15:16:25 UTC
Description of problem:

Busybox is built with none of the SELinux functionality enabled. The reason for this is that it is statically linked and there is no static library for libpam, which is needed by busybox to compile in the SELinux and pam support in a static form.

Additional info:

It would appear back in 2006 the pam-devel package had static versions of libpam and libpam_misc but they were removed.

Comment 1 Ivana Varekova 2008-09-19 06:21:55 UTC

*** This bug has been marked as a duplicate of bug 462654 ***

Comment 2 Ivana Varekova 2008-09-19 07:29:49 UTC
Sorry - I'm not sure whether the version of busybox from 462654 is the same, so I'm reopening it again.

Comment 3 Ivana Varekova 2008-09-19 08:23:44 UTC
I'm not sure whether you want to add only SELinux support or pam support too, but the pam package maintainer assures me there is no plan to add a pam static library to Fedora - so it is only possible to add SELinux support.

Comment 4 David Quigley 2008-09-19 14:16:40 UTC
(In reply to comment #3)
> I'm not sure whether you want to add only SELinux support or pam support too,
> but the pam package maintainer assures me there is no plan to add a pam static
> library to Fedora - so it is only possible to add SELinux support.

Well, you can't have full SELinux support without the SELinux pam module. The best you can do is put the ls -Z, ps -Z, etc. commands in, but that doesn't help with the fact that load_policy and a bunch of other SELinux binaries are now included in busybox. What is the problem with a static PAM library? It was built before; why is it a pain to do that again?

Comment 5 David Quigley 2008-09-19 18:14:40 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > I'm not sure whether you want to add only SELinux support or pam support too,
> > but the pam package maintainer assures me there is no plan to add a pam static
> > library to Fedora - so it is only possible to add SELinux support.
> 
> Well, you can't have full SELinux support without the SELinux pam module. The
> best you can do is put the ls -Z, ps -Z, etc. commands in, but that doesn't help
> with the fact that load_policy and a bunch of other SELinux binaries are now
> included in busybox. What is the problem with a static PAM library? It was
> built before; why is it a pain to do that again?

So I figured out another possible way of getting this support into busybox. Instead of using the pam_selinux module, what could be done is to patch all the components in busybox that would normally use the module to set the appropriate login contexts directly. This would make it so you don't need to have PAM to use SELinux with busybox. Still, it would be nice to know why a static PAM library is out of the question.

Comment 6 Daniel Walsh 2008-09-22 17:19:16 UTC
I think the proper thing to do is suck the functionality out of pam_selinux and place it in libselinux.  Then have busybox and pam_selinux both call the function in libselinux, which already has a -static package.

Comment 7 Tomas Mraz 2008-09-22 20:15:59 UTC
I'm quite curious which commands in busybox really need pam_selinux, except login. Of course pulling some parts of pam_selinux into libselinux would be a good idea.

Comment 8 David Quigley 2008-09-22 21:25:24 UTC
It is probably login/sulogin/telnetd. I know the last one seems silly but it is still a login-like program. I looked through all of the upstream applets and nothing else seems to need it.

Comment 9 David Quigley 2008-09-25 17:17:08 UTC
So I went looking through the busybox source code, and login and sulogin have already been patched to use the appropriate libselinux calls directly. They haven't put them into telnetd, but people really shouldn't be using that if they care about security. You should be able to compile busybox-1.12.0 statically with SELinux support and get the appropriate functionality, since we have a static version of libselinux. I've been compiling my own busybox for now, but it would be nice if the next version that Fedora ships could have the SELinux support enabled; either that, or have the package generate another busybox with SELinux support for those who want it and keep the original busybox package without SELinux support.
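
A way to check a busybox build configuration for the condition this bug reports, as an added example that is not part of any comment in this thread or of the busybox or Fedora sources. The sample `.config` contents are constructed, and the function names and finding labels are made up for this example.

```shell
# Added example: audit a busybox .config (lines are "CONFIG_X=y" or
# "# CONFIG_X is not set") for the build problem discussed in this bug.

is_set() {  # is_set FILE OPTION -> exit 0 when OPTION=y
    grep -q "^$2=y\$" "$1"
}

audit_busybox_config() {  # prints one finding per line
    cfg=$1
    if is_set "$cfg" CONFIG_SELINUX; then
        echo "OK selinux-enabled"
    else
        echo "FAIL selinux-disabled"
    fi
    # A static build cannot link PAM without a static libpam.
    if is_set "$cfg" CONFIG_STATIC && is_set "$cfg" CONFIG_PAM; then
        echo "FAIL static-build-with-pam"
    fi
    # Comment 9: login and sulogin call libselinux directly; telnetd does not.
    for opt in CONFIG_LOGIN CONFIG_SULOGIN; do
        if is_set "$cfg" "$opt" && ! is_set "$cfg" CONFIG_SELINUX; then
            echo "WARN $opt without-selinux"
        fi
    done
    if is_set "$cfg" CONFIG_TELNETD; then
        echo "WARN CONFIG_TELNETD no-selinux-calls"
    fi
    return 0
}

# Constructed sample configs (not taken from any Fedora package).
sample_dir=$(mktemp -d)
cat > "$sample_dir/no_selinux.config" <<'EOF'
CONFIG_STATIC=y
# CONFIG_SELINUX is not set
# CONFIG_PAM is not set
CONFIG_LOGIN=y
CONFIG_SULOGIN=y
CONFIG_TELNETD=y
EOF
# Same build with SELinux on and telnetd dropped.
sed -e 's/^# CONFIG_SELINUX is not set$/CONFIG_SELINUX=y/' \
    -e 's/^CONFIG_TELNETD=y$/# CONFIG_TELNETD is not set/' \
    "$sample_dir/no_selinux.config" > "$sample_dir/selinux.config"

audit_busybox_config "$sample_dir/no_selinux.config"
audit_busybox_config "$sample_dir/selinux.config"
```

Point `audit_busybox_config` at the `.config` used for the package build; any `FAIL` or `WARN` line marks an option to revisit before shipping.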

Comment 10 Bug Zapper 2008-11-26 03:07:56 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 11 Ivana Varekova 2008-12-02 14:58:34 UTC

*** This bug has been marked as a duplicate of bug 462654 ***

