pebenito 08/09/26 03:20:48 |
|
Added: vixie-cron-4.1-selinux-1.diff |
Log: |
sys-process/vixie-cron: bump to update selinux patch. |
(Portage version: 2.2_rc9/cvs/Linux 2.6.24-gentoo-r3 x86_64) |
|
Revision Changes Path |
1.1 sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff?rev=1.1&content-type=text/plain |
|
Index: vixie-cron-4.1-selinux-1.diff |
=================================================================== |
16 |
diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile |
17 |
--- vixie-cron-4.1.orig/Makefile 2004-08-27 14:09:33.000000000 -0400 |
18 |
+++ vixie-cron-4.1/Makefile 2008-08-25 15:17:20.062720415 -0400 |
19 |
@@ -68,7 +68,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING |
20 |
#<<want to use a nonstandard CC?>> |
21 |
CC = gcc -Wall -Wno-unused -Wno-comment |
22 |
#<<manifest defines>> |
23 |
-DEFS = |
24 |
+DEFS = -s -DWITH_SELINUX |
25 |
+LIBS += -lselinux |
26 |
#(SGI IRIX systems need this) |
27 |
#DEFS = -D_BSD_SIGNALS -Dconst= |
28 |
#<<the name of the BSD-like install program>> |
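Review bot: `-s` in the new `DEFS = -s -DWITH_SELINUX` line is not a manifest define but the linker's strip flag, and it has nothing to do with enabling SELinux. Depending on whether DEFS reaches the link line (not visible in this hunk), it either pre-strips the cron binary, which defeats the package manager's own strip/splitdebug handling, or is silently ignored at compile time; either way it does not belong here. Suggest `DEFS = -DWITH_SELINUX` and leaving stripping to the build system. The `LIBS += -lselinux` addition is fine as long as the SELinux build is only selected when the library is present.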
29 |
diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c |
30 |
--- vixie-cron-4.1.orig/database.c 2004-08-27 14:09:34.000000000 -0400 |
31 |
+++ vixie-cron-4.1/database.c 2008-08-27 08:19:37.948930858 -0400 |
32 |
@@ -28,6 +28,16 @@ static char rcsid[] = "$Id: database.c,v |
33 |
|
34 |
#include "cron.h" |
35 |
|
36 |
+#ifdef WITH_SELINUX |
37 |
+#include <selinux/selinux.h> |
38 |
+#include <selinux/flask.h> |
39 |
+#include <selinux/av_permissions.h> |
40 |
+#include <selinux/get_context_list.h> |
41 |
+#define SYSUSERNAME "system_u" |
42 |
+#else |
43 |
+#define SYSUSERNAME "*system*" |
44 |
+#endif |
45 |
+ |
46 |
#define TMAX(a,b) ((a)>(b)?(a):(b)) |
47 |
|
48 |
static void process_crontab(const char *, const char *, |
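Review bot: The includes `<selinux/flask.h>` and `<selinux/av_permissions.h>` pull in compile-time class and permission constants (`SECCLASS_FILE`, `FILE__ENTRYPOINT`), which are only valid if the running policy numbers its classes and permissions the same way as the headers the binary was built against. libselinux also offers runtime lookup via `string_to_security_class("file")` and `string_to_av_perm(tclass, "entrypoint")`, which is robust against policy changes; worth considering, with a comment such as `/* class/perm values are resolved from the loaded policy, not baked in at build time */` at the point of use. The `SYSUSERNAME` fallback of `"*system*"` only matters for logging, but `"system_u"` is later used as if it were an account name, so a one-line comment here stating that intent would help the next reader.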
49 |
@@ -183,7 +193,7 @@ process_crontab(const char *uname, const |
50 |
if (fname == NULL) { |
51 |
/* must be set to something for logging purposes. |
52 |
*/ |
53 |
- fname = "*system*"; |
54 |
+ fname = SYSUSERNAME; |
55 |
} else if ((pw = getpwnam(uname)) == NULL) { |
56 |
/* file doesn't have a user in passwd file. |
57 |
*/ |
58 |
@@ -245,6 +255,56 @@ process_crontab(const char *uname, const |
59 |
free_user(u); |
60 |
log_it(fname, getpid(), "RELOAD", tabname); |
61 |
} |
62 |
+#ifdef WITH_SELINUX |
63 |
+ if (is_selinux_enabled()) { |
64 |
+ security_context_t file_context=NULL; |
65 |
+ security_context_t user_context=NULL; |
66 |
+ struct av_decision avd; |
67 |
+ int retval=0; |
68 |
+ char *seuser=NULL; |
69 |
+ char *level=NULL; |
70 |
+ |
71 |
+ if (fgetfilecon(crontab_fd, &file_context) < OK) { |
72 |
+ log_it(fname, getpid(), "getfilecon FAILED", tabname); |
73 |
+ goto next_crontab; |
74 |
+ } |
75 |
+ |
76 |
+ /* |
77 |
+ * Since crontab files are not directly executed, |
78 |
+ * crond must ensure that the crontab file has |
79 |
+ * a context that is appropriate for the context of |
80 |
+ * the user cron job. It performs an entrypoint |
81 |
+ * permission check for this purpose. |
82 |
+ */ |
83 |
+ if (getseuserbyname(fname, &seuser, &level) < 0) { |
84 |
+ log_it(fname, getpid(), "NO SEUSER", tabname); |
85 |
+ goto next_crontab; |
86 |
+ } |
87 |
+ |
88 |
+ if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) { |
89 |
+ log_it(fname, getpid(), "NO CONTEXT", tabname); |
90 |
+ freecon(file_context); |
91 |
+ free(seuser); |
92 |
+ free(level); |
93 |
+ goto next_crontab; |
94 |
+ } |
95 |
+ |
96 |
+ retval = security_compute_av(user_context, |
97 |
+ file_context, |
98 |
+ SECCLASS_FILE, |
99 |
+ FILE__ENTRYPOINT, |
100 |
+ &avd); |
101 |
+ freecon(user_context); |
102 |
+ freecon(file_context); |
103 |
+ free(seuser); |
104 |
+ free(level); |
105 |
+ |
106 |
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { |
107 |
+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); |
108 |
+ goto next_crontab; |
109 |
+ } |
110 |
+ } |
111 |
+#endif |
112 |
u = load_user(crontab_fd, pw, fname); |
113 |
if (u != NULL) { |
114 |
u->mtime = statbuf->st_mtime; |
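Review bot: `file_context` leaks on the `getseuserbyname()` failure path: that branch jumps to `next_crontab` without releasing it, whereas the later `get_default_context_with_level()` failure path does call `freecon(file_context)`. Add `freecon(file_context);` before the `goto next_crontab;` in the `"NO SEUSER"` branch. Separately, for the system crontab `fname` is `SYSUSERNAME` ("system_u"), which is then handed to `getseuserbyname()` as though it were a Linux login; presumably that falls through to the seusers default mapping rather than a system identity, so the entrypoint check for /etc/crontab may not be testing the context the job will actually run in — worth confirming against the policy. `process_crontab` and the `next_crontab` label continue outside this hunk.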
115 |
diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c |
116 |
--- vixie-cron-4.1.orig/do_command.c 2004-08-27 14:09:34.000000000 -0400 |
117 |
+++ vixie-cron-4.1/do_command.c 2008-08-25 15:43:43.289174371 -0400 |
118 |
@@ -25,6 +25,11 @@ static char rcsid[] = "$Id: do_command.c |
119 |
|
120 |
#include "cron.h" |
121 |
|
122 |
+#ifdef WITH_SELINUX |
123 |
+#include <selinux/selinux.h> |
124 |
+#include <selinux/get_context_list.h> |
125 |
+#endif |
126 |
+ |
127 |
static void child_process(entry *, user *); |
128 |
static int safe_p(const char *, const char *); |
129 |
|
130 |
@@ -265,6 +270,29 @@ child_process(entry *e, user *u) { |
131 |
_exit(OK_EXIT); |
132 |
} |
133 |
# endif /*DEBUGGING*/ |
134 |
+#ifdef WITH_SELINUX |
135 |
+ if (is_selinux_enabled()) { |
136 |
+ char *seuser=NULL; |
137 |
+ char *level=NULL; |
138 |
+ security_context_t scontext; |
139 |
+ |
140 |
+ if (getseuserbyname(u->name, &seuser, &level) < 0) { |
141 |
+ fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name); |
142 |
+ _exit(ERROR_EXIT); |
143 |
+ } |
144 |
+ if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) { |
145 |
+ fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser); |
146 |
+ _exit(ERROR_EXIT); |
147 |
+ } |
148 |
+ if (setexeccon(scontext) < 0) { |
149 |
+ fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name); |
150 |
+ _exit(ERROR_EXIT); |
151 |
+ } |
152 |
+ free(seuser); |
153 |
+ free(level); |
154 |
+ freecon(scontext); |
155 |
+ } |
156 |
+#endif |
157 |
execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); |
158 |
fprintf(stderr, "execl: couldn't exec `%s'\n", shell); |
159 |
perror("execl"); |
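Review bot: The exec context is derived from `u->name`, but the uid/gid the job is switched to come from the crontab entry (`e->pwd`, handled earlier in `child_process`, outside this hunk); for the system crontab `u->name` is the per-file name rather than the per-entry user, so the two can disagree and the job would run as one Linux user in the default context of another. If `e->pwd->pw_name` is what the setuid path uses, the lookup should probably be `getseuserbyname(e->pwd->pw_name, &seuser, &level)` — please confirm. Failing closed with `_exit(ERROR_EXIT)` on every error is the right call; a short comment such as `/* refuse to run the job rather than execute it in crond's own context */` above the block would document why. `child_process` starts outside the hunk.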