
From: "Chris PeBenito (pebenito)" <pebenito@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sys-process/vixie-cron/files: vixie-cron-4.1-selinux-1.diff
Date: Fri, 26 Sep 2008 03:20:51
Message-Id: E1Kj3su-0005jg-F7@stork.gentoo.org
1 pebenito 08/09/26 03:20:48
2
3 Added: vixie-cron-4.1-selinux-1.diff
4 Log:
5 sys-process/vixie-cron: bump to update selinux patch.
6 (Portage version: 2.2_rc9/cvs/Linux 2.6.24-gentoo-r3 x86_64)
7
8 Revision Changes Path
9 1.1 sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff
10
11 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff?rev=1.1&view=markup
12 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff?rev=1.1&content-type=text/plain
13
14 Index: vixie-cron-4.1-selinux-1.diff
15 ===================================================================
16 diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile
17 --- vixie-cron-4.1.orig/Makefile 2004-08-27 14:09:33.000000000 -0400
18 +++ vixie-cron-4.1/Makefile 2008-08-25 15:17:20.062720415 -0400
19 @@ -68,7 +68,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING
20 #<<want to use a nonstandard CC?>>
21 CC = gcc -Wall -Wno-unused -Wno-comment
22 #<<manifest defines>>
23 -DEFS =
24 +DEFS = -s -DWITH_SELINUX
25 +LIBS += -lselinux
26 #(SGI IRIX systems need this)
27 #DEFS = -D_BSD_SIGNALS -Dconst=
28 #<<the name of the BSD-like install program>>
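Review bot: `DEFS = -s -DWITH_SELINUX` mixes the linker's strip flag into the preprocessor-define variable; `-s` has nothing to do with SELinux and, if DEFS is passed to every compile and link as its name suggests, unconditionally strips symbols from the built binaries. Keeping only the define, `DEFS = -DWITH_SELINUX`, leaves stripping to the packaging step. Whether `LIBS` is defined earlier in the Makefile is not visible in this hunk; `+=` on an undefined variable is harmless in GNU make but worth confirming for the build.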
29 diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c
30 --- vixie-cron-4.1.orig/database.c 2004-08-27 14:09:34.000000000 -0400
31 +++ vixie-cron-4.1/database.c 2008-08-27 08:19:37.948930858 -0400
32 @@ -28,6 +28,16 @@ static char rcsid[] = "$Id: database.c,v
33
34 #include "cron.h"
35
36 +#ifdef WITH_SELINUX
37 +#include <selinux/selinux.h>
38 +#include <selinux/flask.h>
39 +#include <selinux/av_permissions.h>
40 +#include <selinux/get_context_list.h>
41 +#define SYSUSERNAME "system_u"
42 +#else
43 +#define SYSUSERNAME "*system*"
44 +#endif
45 +
46 #define TMAX(a,b) ((a)>(b)?(a):(b))
47
48 static void process_crontab(const char *, const char *,
49 @@ -183,7 +193,7 @@ process_crontab(const char *uname, const
50 if (fname == NULL) {
51 /* must be set to something for logging purposes.
52 */
53 - fname = "*system*";
54 + fname = SYSUSERNAME;
55 } else if ((pw = getpwnam(uname)) == NULL) {
56 /* file doesn't have a user in passwd file.
57 */
58 @@ -245,6 +255,56 @@ process_crontab(const char *uname, const
59 free_user(u);
60 log_it(fname, getpid(), "RELOAD", tabname);
61 }
62 +#ifdef WITH_SELINUX
63 + if (is_selinux_enabled()) {
64 + security_context_t file_context=NULL;
65 + security_context_t user_context=NULL;
66 + struct av_decision avd;
67 + int retval=0;
68 + char *seuser=NULL;
69 + char *level=NULL;
70 +
71 + if (fgetfilecon(crontab_fd, &file_context) < OK) {
72 + log_it(fname, getpid(), "getfilecon FAILED", tabname);
73 + goto next_crontab;
74 + }
75 +
76 + /*
77 + * Since crontab files are not directly executed,
78 + * crond must ensure that the crontab file has
79 + * a context that is appropriate for the context of
80 + * the user cron job. It performs an entrypoint
81 + * permission check for this purpose.
82 + */
83 + if (getseuserbyname(fname, &seuser, &level) < 0) {
84 + log_it(fname, getpid(), "NO SEUSER", tabname);
85 + goto next_crontab;
86 + }
87 +
88 + if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
89 + log_it(fname, getpid(), "NO CONTEXT", tabname);
90 + freecon(file_context);
91 + free(seuser);
92 + free(level);
93 + goto next_crontab;
94 + }
95 +
96 + retval = security_compute_av(user_context,
97 + file_context,
98 + SECCLASS_FILE,
99 + FILE__ENTRYPOINT,
100 + &avd);
101 + freecon(user_context);
102 + freecon(file_context);
103 + free(seuser);
104 + free(level);
105 +
106 + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
107 + log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
108 + goto next_crontab;
109 + }
110 + }
111 +#endif
112 u = load_user(crontab_fd, pw, fname);
113 if (u != NULL) {
114 u->mtime = statbuf->st_mtime;
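Review bot: The `getseuserbyname` failure path leaks `file_context`: it jumps to `next_crontab` without the `freecon(file_context)` that the `get_default_context_with_level` failure path just below performs, so every reload of a crontab whose owner has no seuser mapping leaks one context string in the long-running daemon. Add `freecon(file_context);` before that `goto next_crontab;`. Separately, the entrypoint decision is enforced purely from `avd.allowed`, so a crontab denied by policy is skipped even when SELinux is in permissive mode; if that is intended it deserves a comment, since it differs from the kernel's permissive behaviour. `process_crontab` starts and ends outside this hunk, and the `next_crontab` label is not visible here.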
115 diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c
116 --- vixie-cron-4.1.orig/do_command.c 2004-08-27 14:09:34.000000000 -0400
117 +++ vixie-cron-4.1/do_command.c 2008-08-25 15:43:43.289174371 -0400
118 @@ -25,6 +25,11 @@ static char rcsid[] = "$Id: do_command.c
119
120 #include "cron.h"
121
122 +#ifdef WITH_SELINUX
123 +#include <selinux/selinux.h>
124 +#include <selinux/get_context_list.h>
125 +#endif
126 +
127 static void child_process(entry *, user *);
128 static int safe_p(const char *, const char *);
129
130 @@ -265,6 +270,29 @@ child_process(entry *e, user *u) {
131 _exit(OK_EXIT);
132 }
133 # endif /*DEBUGGING*/
134 +#ifdef WITH_SELINUX
135 + if (is_selinux_enabled()) {
136 + char *seuser=NULL;
137 + char *level=NULL;
138 + security_context_t scontext;
139 +
140 + if (getseuserbyname(u->name, &seuser, &level) < 0) {
141 + fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name);
142 + _exit(ERROR_EXIT);
143 + }
144 + if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) {
145 + fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser);
146 + _exit(ERROR_EXIT);
147 + }
148 + if (setexeccon(scontext) < 0) {
149 + fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name);
150 + _exit(ERROR_EXIT);
151 + }
152 + free(seuser);
153 + free(level);
154 + freecon(scontext);
155 + }
156 +#endif
157 execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
158 fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
159 perror("execl");
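Review bot: Nothing documents that the three `_exit(ERROR_EXIT)` calls are deliberate fail-closed choices: a user whose seuser or default context cannot be resolved, or for whom `setexeccon` fails, never has the job run at all rather than having it run in crond's own context. A comment above the `is_selinux_enabled()` check such as `/* Fail closed: a job whose SELinux context cannot be set is not run in crond's own context. */` would make that intent explicit for the next maintainer. The `seuser` and `level` strings are not freed on those error paths, which is harmless only because the child exits immediately. `child_process` starts and ends outside this hunk.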