Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
at
at-3.1.14-selinux.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File at-3.1.14-selinux.patch of Package at
Index: atd.c =================================================================== --- atd.c.orig +++ atd.c @@ -81,10 +81,18 @@ #ifndef HAVE_GETLOADAVG #include "getloadavg.h" #endif +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#include <selinux/get_context_list.h> +int selinux_enabled=0; +#include <selinux/flask.h> +#include <selinux/av_permissions.h> +#endif + /* Macros */ #define BATCH_INTERVAL_DEFAULT 60 #define CHECK_INTERVAL 3600 @@ -193,10 +201,72 @@ myfork() } #define fork myfork #endif +#ifdef WITH_SELINUX +static int set_selinux_context(const char *name, const char *filename) { + security_context_t user_context=NULL; + security_context_t file_context=NULL; + struct av_decision avd; + int retval=-1; + char *seuser=NULL; + char *level=NULL; + + if (getseuserbyname(name, &seuser, &level) == 0) { + retval=get_default_context_with_level(seuser, level, NULL, &user_context); + free(seuser); + free(level); + if (retval) { + if (security_getenforce()==1) { + perr("execle: couldn't get security context for user %s\n", name); + } else { + syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name); + return -1; + } + } + } + + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + if (fgetfilecon(STDIN_FILENO, &file_context) < 0) + perr("fgetfilecon FAILED %s", filename); + + retval = security_compute_av(user_context, + file_context, + SECCLASS_FILE, + FILE__ENTRYPOINT, + &avd); + freecon(file_context); + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { + if (security_getenforce()==1) { + perr("Not allowed to set exec context to %s for user %s\n", user_context,name); + } else { + syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name); + retval = -1; + goto err; + } + } + if (setexeccon(user_context) < 0) { + if (security_getenforce()==1) { + perr("Could not set exec context to %s for user %s\n", user_context,name); + retval = -1; + } else { + syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name); + } + } + err: + freecon(user_context); + return 0; +} +#endif + static void run_file(const char *filename, uid_t uid, gid_t gid) { /* Run a file by by spawning off a process which redirects I/O, * spawns a subshell, then waits for it to complete and sends @@ -440,13 +510,25 @@ run_file(const char *filename, uid_t uid if (SIG_ERR == signal(SIGCHLD, SIG_DFL)) perr("Cannot reset signal handler to default"); chdir("/"); - +#ifdef WITH_SELINUX + if (selinux_enabled > 0) { + if (set_selinux_context(pentry->pw_name, filename) < 0) + perr("SELinux Failed to set context\n"); + } +#endif if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); +#ifdef WITH_SELINUX + if (selinux_enabled>0) + if (setexeccon(NULL) < 0) + if (security_getenforce()==1) + perr("Could not resset exec context for user %s\n", pentry->pw_name); +#endif +//end PRIV_END } /* We're the parent. Let's wait. */ @@ -715,10 +797,14 @@ main(int argc, char *argv[]) time_t next_invocation; struct sigaction act; struct passwd *pwe; struct group *ge; +#ifdef WITH_SELINUX + selinux_enabled=is_selinux_enabled(); +#endif + /* We don't need root privileges all the time; running under uid and gid * daemon is fine. */ if ((pwe = getpwnam(DAEMON_USERNAME)) == NULL) Index: config.h.in =================================================================== --- config.h.in.orig +++ config.h.in @@ -69,10 +69,13 @@ #undef HAVE_NLIST_H /* Define to 1 for PAM support */ #undef HAVE_PAM +/* Define if you are building with_selinux */ +#undef WITH_SELINUX + /* Define to 1 if you have the `pstat_getdynamic' function. */ #undef HAVE_PSTAT_GETDYNAMIC /* Define to 1 if you have the <security/pam_appl.h> header file. */ #undef HAVE_SECURITY_PAM_APPL_H Index: configure.ac =================================================================== --- configure.ac.orig +++ configure.ac @@ -258,7 +258,15 @@ AC_ARG_WITH(daemon_groupname, DAEMON_GROUPNAME=daemon AC_MSG_RESULT(daemon) ) AC_SUBST(DAEMON_GROUPNAME) +AC_ARG_WITH(selinux, +[ --with-selinux Define to run with selinux], +AC_DEFINE(WITH_SELINUX), +) +AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) +AC_SUBST(SELINUXLIB) +AC_SUBST(WITH_SELINUX) + AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch) AC_OUTPUT Index: Makefile.in =================================================================== --- Makefile.in.orig +++ Makefile.in @@ -38,10 +38,12 @@ DEFS = @DEFS@ -DVERSION=\"$(VERSION)\" -DLFILE=\"$(LFILE)\" -Wall LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ INSTALL = @INSTALL@ PAMLIB = @PAMLIB@ +SELINUXLIB = @SELINUXLIB@ + CLONES = atq atrm ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o RUNOBJECTS = atd.o daemon.o $(LIBOBJS) CSRCS = at.c atd.c panic.c perm.c posixtm.c daemon.c getloadavg.c \ @@ -71,11 +72,11 @@ at: $(ATOBJECTS) rm -f $(CLONES) $(LN_S) -f at atq $(LN_S) -f at atrm atd: $(RUNOBJECTS) - $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) + $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) $(SELINUXLIB) y.tab.c y.tab.h: parsetime.y $(YACC) -d parsetime.y lex.yy.c: parsetime.l
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor