Bug 462724 - SELinux support not built into busybox
SELinux support not built into busybox
Status: CLOSED DUPLICATE of bug 462654
Product: Fedora
Classification: Fedora
Component: busybox (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ivana Varekova
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-09-18 11:16 EDT by David Quigley
Modified: 2008-12-02 09:58 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-02 09:58:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Quigley 2008-09-18 11:16:25 EDT
Description of problem:

Busybox is built with none of the SELinux functionality enabled. The reason for this that it is statically linked and there is no static library for libpam which is needed by busybox to compile in the SELinux and pam support in a static form.

Additional info:

It would appear back in 2006 the pam-devel package had static versions of libpam and libpam_misc but they were removed.
Comment 1 Ivana Varekova 2008-09-19 02:21:55 EDT

*** This bug has been marked as a duplicate of bug 462654 ***
Comment 2 Ivana Varekova 2008-09-19 03:29:49 EDT
Sorry - I'm not sure whether the version of busybox from 462654 is the same so reopen again.
Comment 3 Ivana Varekova 2008-09-19 04:23:44 EDT
I'm not sure whether you want to add only SELinux support or pam support too, but
pam package maintainer ensures me there is no plan to add pam static library to fedora - so there is only possible to add SELinux support.
Comment 4 David Quigley 2008-09-19 10:16:40 EDT
(In reply to comment #3)
> I'm not sure whether you want to add only SELinux support or pam support too,
> but
> pam package maintainer ensures me there is no plan to add pam static library to
> fedora - so there is only possible to add SELinux support.

Well you can't have full SELinux support without the SELinux pam module. The best you can do is put the ls -Z ps -Z etc commands in but that doesn't help with the fact that load_policy and a bunch of other SELinux binaries are now included in busybox. What is the problem with a static PAM library? It was built before why is it a pain to do that again?
Comment 5 David Quigley 2008-09-19 14:14:40 EDT
(In reply to comment #4)
> (In reply to comment #3)
> > I'm not sure whether you want to add only SELinux support or pam support too,
> > but
> > pam package maintainer ensures me there is no plan to add pam static library to
> > fedora - so there is only possible to add SELinux support.
> 
> Well you can't have full SELinux support without the SELinux pam module. The
> best you can do is put the ls -Z ps -Z etc commands in but that doesn't help
> with the fact that load_policy and a bunch of other SELinux binaries are now
> included in busybox. What is the problem with a static PAM library? It was
> built before why is it a pain to do that again?

So I figured out another possible way of getting this support into busybox. Instead of using the pamselinux module what could be done instead is to patch all the components in busybox that would normally use the module to set the appropriate login contexts directly. This would make it so you don't need to have PAM to use SELinux with busybox. Still it would be nice to know why a static PAM library is out of the question.
Comment 6 Daniel Walsh 2008-09-22 13:19:16 EDT
I think the proper thing to do is suck the functionality out of pam_selinux and place it in libselinux.  Then have busybox and pam_selinux both call the function in libselinux, which already has a -static package.
Comment 7 Tomas Mraz 2008-09-22 16:15:59 EDT
I'm quite curious what are the commands in busybox which really need the pam_selinux except login. Of course pulling some parts of pam_selinux into libselinux would be a good idea.
Comment 8 David Quigley 2008-09-22 17:25:24 EDT
It is problably login/sulogin/telnetd. I know the last one seems silly but it is still a login like program. I looked through all of the upstream applets and nothing else seems to need it.
Comment 9 David Quigley 2008-09-25 13:17:08 EDT
So I went looking through the busybox source code and login and sulogin have already been patched to use the appropriate libselinux calls directly. They haven't put them into telnetd but people really shouldn't be using that if they care about security. You should be able to compile busybox-1.12.0 statically with SELinux support and get the appropriate funcationality since we have static version of libselinux. I've been compiling my own busybox for now but it would be nice if the next version that Fedora ships could have the SELinux support enabled either that or have the package generate another busybox with SELinux support for those who want it and keep the original busybox package without SELinux support.
Comment 10 Bug Zapper 2008-11-25 22:07:56 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Ivana Varekova 2008-12-02 09:58:34 EST

*** This bug has been marked as a duplicate of bug 462654 ***

Note You need to log in before you can comment on or make changes to this bug.