diff options
Diffstat (limited to 'sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff')
| -rw-r--r-- | sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff b/sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff new file mode 100644 index 000000000000..a4621e2530da --- /dev/null +++ b/sys-process/vixie-cron/files/vixie-cron-4.1-selinux.diff @@ -0,0 +1,117 @@ +--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400 ++++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400 +@@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $ + #<<want to use a nonstandard CC?>> + #CC = vcc + #<<manifest defines>> +-DEFS = ++DEFS = -s -DWITH_SELINUX ++LIBS += -lselinux + #(SGI IRIX systems need this) + #DEFS = -D_BSD_SIGNALS -Dconst= + #<<the name of the BSD-like install program>> +--- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400 ++++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400 +@@ -28,6 +28,15 @@ + + #include "cron.h" + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#include <selinux/flask.h> ++#include <selinux/av_permissions.h> ++#define SYSUSERNAME "system_u" ++#else ++#define SYSUSERNAME "*system*" ++#endif ++ + #define TMAX(a,b) ((a)>(b)?(a):(b)) + + static void process_crontab(const char *, const char *, +@@ -217,7 +226,7 @@ + if (fname == NULL) { + /* must be set to something for logging purposes. + */ +- fname = "*system*"; ++ fname = SYSUSERNAME; + } else if ((pw = getpwnam(uname)) == NULL) { + /* file doesn't have a user in passwd file. + */ +@@ -279,6 +288,43 @@ + free_user(u); + log_it(fname, getpid(), "RELOAD", tabname); + } ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ security_context_t file_context=NULL; ++ security_context_t user_context=NULL; ++ struct av_decision avd; ++ int retval=0; ++ ++ if (fgetfilecon(crontab_fd, &file_context) < OK) { ++ log_it(fname, getpid(), "getfilecon FAILED", tabname); ++ goto next_crontab; ++ } ++ ++ /* ++ * Since crontab files are not directly executed, ++ * crond must ensure that the crontab file has ++ * a context that is appropriate for the context of ++ * the user cron job. It performs an entrypoint ++ * permission check for this purpose. ++ */ ++ if (get_default_context(fname, NULL, &user_context)) { ++ log_it(fname, getpid(), "NO CONTEXT", tabname); ++ freecon(file_context); ++ goto next_crontab; ++ } ++ retval = security_compute_av(user_context, ++ file_context, ++ SECCLASS_FILE, ++ FILE__ENTRYPOINT, ++ &avd); ++ freecon(user_context); ++ freecon(file_context); ++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { ++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); ++ goto next_crontab; ++ } ++ } ++#endif + u = load_user(crontab_fd, pw, fname); + if (u != NULL) { + u->mtime = statbuf->st_mtime; +--- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400 ++++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400 +@@ -25,6 +25,10 @@ + + #include "cron.h" + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#endif ++ + static void child_process(entry *, user *); + static int safe_p(const char *, const char *); + +@@ -265,6 +269,20 @@ + _exit(OK_EXIT); + } + # endif /*DEBUGGING*/ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ security_context_t scontext; ++ if (get_default_context(u->name, NULL, &scontext)) { ++ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name); ++ _exit(ERROR_EXIT); ++ } ++ if (setexeccon(scontext) < 0) { ++ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name); ++ _exit(ERROR_EXIT); ++ } ++ freecon(scontext); ++ } ++#endif + execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); + fprintf(stderr, "execl: couldn't exec `%s'\n", shell); + perror("execl"); |