From owner-p4-projects@FreeBSD.ORG Wed Nov 5 13:52:53 2003
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 1087816A4D0; Wed, 5 Nov 2003 13:52:53 -0800 (PST)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C3CDC16A4CE for ; Wed, 5 Nov 2003 13:52:52 -0800 (PST)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E9E543F75 for ; Wed, 5 Nov 2003 13:52:52 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.12.9/8.12.9) with ESMTP id hA5LqpXJ047364 for ; Wed, 5 Nov 2003 13:52:51 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.12.9/8.12.9/Submit) id hA5Lqp6L047361 for perforce@freebsd.org; Wed, 5 Nov 2003 13:52:51 -0800 (PST) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Date: Wed, 5 Nov 2003 13:52:51 -0800 (PST)
Message-Id: <200311052152.hA5Lqp6L047361@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson To: Perforce Change Reviews Subject: PERFORCE change 41480 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2003 21:52:53 -0000 http://perforce.freebsd.org/chv.cgi?CH=41480 Change 41480 by rwatson@rwatson_tislabs on 2003/11/05 13:52:45 Attempt to trim SEBSDisms from trustedbsd_mac without trimming from trustedbsd_sebsd. This should leave the diffs between MAC and SEBSD branches being the differences necessary to add SEBSD, rather than a subset. More commits to come. Affected files ... .. //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#8 edit .. //depot/projects/trustedbsd/mac/usr.bin/login/login.c#30 edit Differences ... ==== //depot/projects/trustedbsd/mac/usr.bin/login/Makefile#8 (text+ko) ==== @@ -4,7 +4,7 @@ PROG= login SRCS= login.c login_fbtab.c CFLAGS+=-DLOGALL -DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} ${LIBSEBSD} +DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBPAM} LDADD= -lutil -lcrypt ${MINUSLPAM} MAN= login.1 login.access.5 BINOWN= root ==== //depot/projects/trustedbsd/mac/usr.bin/login/login.c#30 (text+ko) ==== @@ -68,7 +68,6 @@ #include #include #include -#include #include #include #include @@ -80,7 +79,6 @@ #include #include -#include #include "login.h" #include "pathnames.h" 
@@ -497,62 +495,6 @@ } /* - * Determine if we must execute a transition when we - * run our shell, for MAC policies which require it. For now, - * this is just SEBSD, and therefore not generic at all. - * When using SEBSD, the terminal device needs to be relabeled - * according to what the security server reports. - */ - if (sebsd_enabled()) { - char *labeltext, *queried, *oldttylabeltext, *tty_queried, - **contexts; - size_t ncontexts; - mac_t newttylabel; - int n; - - if (get_ordered_context_list(username, NULL, &contexts, - &ncontexts) != 0 || ncontexts == 0) - goto nosebsd; - if (query_user_context(pamh, contexts, ncontexts, - &queried) != 0 || - asprintf(&labeltext, "sebsd/%s", queried) == -1 || - mac_from_text(&execlabel, labeltext) != 0) { - syslog(LOG_ERR, "Determining SEBSD domain transition:" - " %m"); - bail(NO_SLEEP_EXIT, 1); - } - free(labeltext); - mac_prepare(&oldttylabel, "sebsd"); - if (mac_get_file(ttyn, oldttylabel) != 0 || - mac_to_text(oldttylabel, &oldttylabeltext) != 0) { - syslog(LOG_ERR, "Getting SEBSD label on terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - if (security_change_context(queried, oldttylabeltext + - sizeof("sebsd/") - 1, SECCLASS_CHR_FILE, - &tty_queried) != 0 || - asprintf(&labeltext, "sebsd/%s", tty_queried) == -1) { - syslog(LOG_ERR, "Determining SEBSD label for terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - free(oldttylabeltext); - free(tty_queried); - for (n = 0; n < ncontexts; n++) - free(contexts[n]); - free(contexts); - if (mac_from_text(&newttylabel, labeltext) != 0 || - mac_set_file(ttyn, newttylabel) != 0) { - syslog(LOG_ERR, "Setting SEBSD label on terminal " - "%s: %m", ttyn); - bail(NO_SLEEP_EXIT, 1); - } - mac_free(newttylabel); - } -nosebsd: - - /* * Destroy environment unless user has requested its * preservation - but preserve TERM in all cases */
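Review bot: in the Makefile hunk, DPADD drops ${LIBSEBSD} while the unchanged LDADD line already reads `-lutil -lcrypt ${MINUSLPAM}` with no -lsebsd, so the dependency list was stale relative to the link line; with both now agreeing, confirm that nothing left in SRCS (login.c login_fbtab.c) still references libsebsd symbols, otherwise the link fails rather than the build catching it earlier.

Review bot: the login.c hunk at -497 deletes the whole sebsd_enabled() block together with the `nosebsd:` label, and that block contained the only visible assignment to execlabel (`mac_from_text(&execlabel, labeltext)`); check that execlabel is still declared and set on the generic MAC path later in the file (or that its use is removed as well) and that no other `goto nosebsd` remains, since either leftover is a compile error. The two include hunks at -68 and -80 each drop one header whose name has been lost in the extracted diff, so reviewers should look at the actual file to confirm they are the headers whose only users were in the removed block.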