1 files changed, 27 insertions, 0 deletions

diff --git a/lib/libutil/login_class.c b/lib/libutil/login_class.c
index 3930c03032da..219db5881856 100644
--- a/lib/libutil/login_class.c
+++ b/lib/libutil/login_class.c
@@ -40,6 +40,7 @@ __FBSDID("$FreeBSD$");
 #include <login_cap.h>
 #include <paths.h>
 #include <sys/rtprio.h>
+#include <sys/mac.h>
 
 
 static struct login_res {
@@ -317,6 +318,7 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 #ifndef __NETBSD_SYSCALLS
     struct rtprio rtp;
 #endif
+    int error;
 
     if (lc == NULL) {
 	if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
@@ -374,6 +376,31 @@ setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned in
 	}
     }
 
+    /* Set up the user's MAC label. */
+    if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
+	const char *label_string;
+	mac_t label;
+
+	label_string = login_getcapstr(lc, "label", NULL, NULL);
+	if (label_string != NULL) {
+	    if (mac_from_text(&label, label_string) == -1) {
+		syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
+		    pwd->pw_name, label_string);
+		    return -1;
+	    }
+	    if (mac_set_proc(label) == -1)
+		error = errno;
+	    else
+		error = 0;
+	    mac_free(label);
+	    if (error != 0) {
+		syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
+		    label_string, pwd->pw_name, strerror(error));
+		return -1;
+	    }
+	}
+    }
+
     /* Set the sessions login */
     if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
 	syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);