File at-3.1.8-selinux.patch of Package at.import4150
--- Makefile.in.orig
+++ Makefile.in
@@ -27,6 +27,7 @@ LN_S = @LN_S@
 YACC = @YACC@
 LEX = @LEX@
 LEXLIB = @LEXLIB@
+SELINUXLIB = @SELINUXLIB@
 CC = @CC@
 CFLAGS = @CFLAGS@
@@ -72,7 +73,7 @@ at: $(ATOBJECTS)
 $(LN_S) -f at atrm
 atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS)
+ $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
 y.tab.c y.tab.h: parsetime.y
 $(YACC) -d parsetime.y
--- atd.c.orig
+++ atd.c
@@ -85,6 +85,14 @@
 #include <syslog.h>
 #endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
 /* Local headers */
 #include "privs.h"
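Review bot: `int selinux_enabled=0;` is a file-scope definition sitting between two `#include` directives inside the new `#ifdef WITH_SELINUX` block; placing it after the last include and writing it `static int selinux_enabled = 0;` (its only visible readers are run_file and main in this same file) keeps the include block uniform and the symbol out of the global namespace. `<selinux/flask.h>` and `<selinux/av_permissions.h>` are pulled in for the SECCLASS_FILE and FILE__ENTRYPOINT constants used later in run_file; newer libselinux releases deprecate these generated headers in favour of string_to_security_class() and string_to_av_perm(), which deserves a one-line comment here so the dependency is understood when it eventually stops building.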
@@ -404,6 +412,76 @@ run_file(const char *filename, uid_t uid
 chdir("/");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t file_context=NULL;
+ security_context_t *context_list=NULL;
+ security_context_t current_con=NULL;
+ int retval=0, list_count=0, i;
+ struct av_decision avd;
+ char *seuser=NULL, *level=NULL;
+
+ if (getseuserbyname(pentry->pw_name, &seuser, &level))
+ perr("getseuserbyname FAILED for %s\n", pentry->pw_name);
+
+ if(getcon(¤t_con)) {
+ free(seuser);
+ free(level);
+ perr("Can't get current context");
+ }
+ list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
+ freecon(current_con);
+ free(seuser);
+ free(level);
+ if (list_count == -1) {
+ if (security_getenforce() > 0)
+ perr("Couldn't get security context for user %s\n", pentry->pw_name);
+ else
+ syslog(LOG_WARNING, "Couldn't get security context for user %s, but in permissive mode", pentry->pw_name);
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (list_count != -1) {
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
+ if (security_getenforce() > 0)
+ perr("fgetfilecon FAILED for user %s", pentry->pw_name);
+ }
+
+ for(i = 0; i < list_count; i++) {
+ retval = security_compute_av(context_list[i],
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ if (!retval && ((FILE__ENTRYPOINT & avd.allowed) == FILE__ENTRYPOINT))
+ break;
+ }
+ }
+ freecon(file_context);
+ if (list_count != -1 && (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))) {
+ if (security_getenforce()==1)
+ perr("Not allowed to set exec context for user %s\n", pentry->pw_name);
+ else
+ syslog(LOG_WARNING, "Not allowed to set exec context for user %s, but in permissive mode", pentry->pw_name);
+ }
+
+ if ((list_count != -1 || retval) && setexeccon(context_list[i]) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", context_list[i], pentry->pw_name);
+ }
+ }
+ freeconary(context_list);
+ }
+#endif
+
 if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
 perr("Exec failed for /bin/sh");
@@ -420,6 +498,13 @@ run_file(const char *filename, uid_t uid
 */
 waitpid(pid, (int *) NULL, 0);
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ if (setexeccon(NULL) < 0) {
+ perr("Could not reset exec context for user %s\n", pentry->pw_name);
+ }
+ }
+#endif
 /* Send mail. Unlink the output file after opening it, so it
 * doesn't hang around after the run. */
@@ -654,6 +739,9 @@ main(int argc, char *argv[])
 struct passwd *pwe;
 struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+#endif
 /* We don't need root privileges all the time; running under uid and gid
 * daemon is fine. */
--- config.h.in.orig
+++ config.h.in
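Review bot: `struct av_decision avd;` is never initialised, yet `if (list_count != -1 && (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)))` reads avd.allowed whenever the for loop did not write it (an empty list, list_count == 0), which is undefined behaviour; `struct av_decision avd = {0};` turns that case into a denial. When the loop runs out without a break, i equals list_count, so in permissive mode `setexeccon(context_list[i])` receives the list terminator (presumably NULL) and the following perr/syslog prints that pointer with %s; if the intent is to run the job without a chosen context in permissive mode, pass NULL explicitly and log that. The enforcing test is `security_getenforce() > 0` twice and `security_getenforce()==1` twice, and both forms send the -1 error return down the permissive path, so a single `security_getenforce() != 0` (enforcing unless the query positively says permissive) would be consistent and fail closed. The block comment is inherited from the cron patch and should describe at's situation instead: the job file on STDIN_FILENO is read by /bin/sh rather than executed, so atd checks entrypoint permission on it before setexeccon. `getcon(¤t_con)` is presumably `getcon(&current_con)` mangled by the page rendering, and run_file starts before and ends after this hunk.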
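Review bot: The `setexeccon(NULL)` added after waitpid runs in the process that waited for the job, whereas the setexeccon in the previous hunk precedes execle and therefore ran in the forked child; unless the exec context is also set on this side of the fork somewhere not shown, there is nothing to reset and the block's only observable effect is its failure path, where perr (presumably fatal, as it is also used after a failed execle above) would end the process before the job's mail is sent. A `syslog(LOG_WARNING, "Could not reset exec context for user %s", pentry->pw_name);` in the style of the permissive branches above, or dropping the block, seems more appropriate; the fork itself lies outside this hunk, so confirm there first.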
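Review bot: `selinux_enabled=is_selinux_enabled();` stores the raw return value and every later guard is `selinux_enabled>0`, so if the probe reports an error (older libselinux has documented -1 for that) SELinux handling is silently skipped for every job; a `syslog(LOG_WARNING, "is_selinux_enabled() failed, running without SELinux support");` when `selinux_enabled < 0` would at least make that mode visible in the logs. main continues outside this hunk.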
@@ -184,3 +184,6 @@
 #undef DEFAULT_BATCH_QUEUE
 #undef HAVE_ATTRIBUTE_NORETURN
+
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
--- configure.in.orig
+++ configure.in
@@ -315,4 +315,12 @@ AC_ARG_WITH(daemon_groupname,
 )
 AC_SUBST(DAEMON_GROUPNAME)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
 AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
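Review bot: `AC_DEFINE(WITH_SELINUX)` fires whenever --with-selinux is passed, while `AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)` runs unconditionally and independently of it, so --with-selinux on a host without libselinux defines WITH_SELINUX and the new atd.c includes fail at compile time, and a host that has libselinux but was not configured with the option still links -lselinux into atd for nothing. `AC_SUBST(WITH_SELINUX)` also substitutes a shell variable that is never assigned. Nesting the library check inside the --with-selinux action and defining WITH_SELINUX only when the library is found ties the three together and gives a clear configure-time error otherwise.
```m4
AC_ARG_WITH(selinux,
[ --with-selinux Define to run with selinux],
[AC_CHECK_LIB(selinux, is_selinux_enabled,
  [SELINUXLIB=-lselinux
   AC_DEFINE(WITH_SELINUX)],
  [AC_MSG_ERROR([--with-selinux given but libselinux was not found])])])
AC_SUBST(SELINUXLIB)
dnl … unchanged: AC_OUTPUT …
```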