
Contents of /trunk/sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff



Revision 371 - (show annotations) (download)
Sat May 14 13:59:10 2005 UTC (9 years, 7 months ago) by flameeyes
File MIME type: text/plain
File size: 3557 byte(s)
Added vixie-cron with fixed pamd file and virtual/pam dependency.

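--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400
+++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400
@@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $
 #<<want to use a nonstandard CC?>>
 #CC = vcc
 #<<manifest defines>>
-DEFS =
+DEFS = -s -DWITH_SELINUX
+LIBS += -lselinux
 #(SGI IRIX systems need this)
 #DEFS = -D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>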
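Review bot: `-s` in `DEFS` is a strip flag that cc hands to the linker, not a manifest define; coupling it to the SELinux switch strips the symbol table from every SELinux-enabled build for reasons unrelated to the feature and takes that decision away from the packaging step. `DEFS = -DWITH_SELINUX` keeps the define on its own, and stripping, if wanted at all, belongs to the install step. `LIBS += -lselinux` is unconditional, so the patched Makefile no longer builds on a host without libselinux; presumably intended for a distribution patch, but the ebuild should carry the matching dependency.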
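--- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400
+++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400
@@ -28,6 +28,15 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static void process_crontab(const char *, const char *,
@@ -217,7 +226,7 @@
 if (fname == NULL) {
 /* must be set to something for logging purposes.
 */
- fname = "*system*";
+ fname = SYSUSERNAME;
 } else if ((pw = getpwnam(uname)) == NULL) {
 /* file doesn't have a user in passwd file.
 */
@@ -279,6 +288,43 @@
 free_user(u);
 log_it(fname, getpid(), "RELOAD", tabname);
 }
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t file_context=NULL;
+ security_context_t user_context=NULL;
+ struct av_decision avd;
+ int retval=0;
+
+ if (fgetfilecon(crontab_fd, &file_context) < OK) {
+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
+ goto next_crontab;
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (get_default_context(fname, NULL, &user_context)) {
+ log_it(fname, getpid(), "NO CONTEXT", tabname);
+ freecon(file_context);
+ goto next_crontab;
+ }
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(user_context);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+ goto next_crontab;
+ }
+ }
+#endif
 u = load_user(crontab_fd, pw, fname);
 if (u != NULL) {
 u->mtime = statbuf->st_mtime;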
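Review bot: The `ENTRYPOINT FAILED` branch drops the crontab whenever the computed decision lacks `FILE__ENTRYPOINT`, and `security_compute_av` reports the policy decision regardless of enforcing mode, so a mislabeled crontab is silently rejected even on a permissive system where the kernel itself would only audit the access; guarding the jump with `if (security_getenforce() > 0) goto next_crontab;` while still logging keeps permissive mode diagnostic rather than enforcing. `is_selinux_enabled()` has historically returned -1 on error, which this `if` treats as enabled, so a broken libselinux would run the check and then fail every crontab; `is_selinux_enabled() > 0` makes the intent explicit. `SECCLASS_FILE` and `FILE__ENTRYPOINT` come from the generated `flask.h`/`av_permissions.h` headers and are fixed at build time, so a policy that numbers classes or permissions differently makes the check test the wrong bit; `string_to_security_class("file")` and `string_to_av_perm(..., "entrypoint")` resolve them against the loaded policy instead. The enclosing process_crontab() body begins and ends outside this hunk, including the `next_crontab` label these jumps rely on.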
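--- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400
+++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400
@@ -25,6 +25,10 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 static void child_process(entry *, user *);
 static int safe_p(const char *, const char *);
 
@@ -265,6 +269,20 @@
 _exit(OK_EXIT);
 }
 # endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t scontext;
+ if (get_default_context(u->name, NULL, &scontext)) {
+ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name);
+ _exit(ERROR_EXIT);
+ }
+ if (setexeccon(scontext) < 0) {
+ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
+ _exit(ERROR_EXIT);
+ }
+ freecon(scontext);
+ }
+#endif
 execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
 fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
 perror("execl");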
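Review bot: The failure message on the `get_default_context` branch names `execle_secure`, a function that does not exist in this file, so anyone triaging the job's stderr will search for a caller that is not there; name the call that actually failed instead, `fprintf(stderr, "get_default_context: couldn't get security context for user %s\n", u->name);`. Both failure paths `_exit(ERROR_EXIT)` before reaching `execle`, which is the safer choice, since otherwise the job would be executed without the explicit exec context the policy expects; that fail-closed behaviour deserves a one-line comment above the `if`, as the `ERROR_EXIT` alone does not explain why a labeling problem aborts the job. As in database.c, `is_selinux_enabled()` returning -1 on error would be taken as "enabled" here and turn a libselinux failure into a hard job failure rather than a skipped step; `is_selinux_enabled() > 0` states which of the two is intended. The enclosing child_process() body begins and ends outside this hunk.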

Properties

Name Value
svn:eol-style native
svn:keywords Author Date Id Revision
