sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile
--- vixie-cron-4.1.orig/Makefile	2004-08-27 14:09:33.000000000 -0400
+++ vixie-cron-4.1/Makefile	2008-08-25 15:17:20.062720415 -0400
@@ -68,7 +68,8 @@ LINTFLAGS	=	-hbxa $(INCLUDE) $(DEBUGGING
 #<<want to use a nonstandard CC?>>
 CC		=	gcc -Wall -Wno-unused -Wno-comment
 #<<manifest defines>>
-DEFS		=
+DEFS		= -s -DWITH_SELINUX
+LIBS		+= 	-lselinux
 #(SGI IRIX systems need this)
 #DEFS		=	-D_BSD_SIGNALS -Dconst=
 #<<the name of the BSD-like install program>>
diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c
--- vixie-cron-4.1.orig/database.c	2004-08-27 14:09:34.000000000 -0400
+++ vixie-cron-4.1/database.c	2008-08-27 08:19:37.948930858 -0400
@@ -28,6 +28,16 @@ static char rcsid[] = "# $Id$
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#include <selinux/get_context_list.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static	void		process_crontab(const char *, const char *,
@@ -183,7 +193,7 @@ process_crontab(const char *uname, const
 	if (fname == NULL) {
 		/* must be set to something for logging purposes.
 		 */
-		fname = "*system*";
+		fname = SYSUSERNAME;
 	} else if ((pw = getpwnam(uname)) == NULL) {
 		/* file doesn't have a user in passwd file.
 		 */
@@ -245,6 +255,56 @@ process_crontab(const char *uname, const
 		free_user(u);
 		log_it(fname, getpid(), "RELOAD", tabname);
 	}
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled())	{
+	  security_context_t file_context=NULL;
+	  security_context_t user_context=NULL;
+	  struct av_decision avd;
+	  int retval=0;
+	  char *seuser=NULL;
+	  char *level=NULL;
+
+	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
+	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
+	    goto next_crontab;
+	  }
+
+	  /*
+	   * Since crontab files are not directly executed,
+	   * crond must ensure that the crontab file has
+	   * a context that is appropriate for the context of
+	   * the user cron job.  It performs an entrypoint
+	   * permission check for this purpose.
+	   */
+	  if (getseuserbyname(fname, &seuser, &level) < 0) {
+	    log_it(fname, getpid(), "NO SEUSER", tabname);
+	    goto next_crontab;
+	  }
+
+	  if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
+	    log_it(fname, getpid(), "NO CONTEXT", tabname);
+	    freecon(file_context);
+	    free(seuser);
+	    free(level);
+	    goto next_crontab;
+	  }
+
+	  retval = security_compute_av(user_context,
+				       file_context,
+				       SECCLASS_FILE,
+				       FILE__ENTRYPOINT,
+				       &avd);
+	  freecon(user_context);
+	  freecon(file_context);
+	  free(seuser);
+	  free(level);
+
+	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+	    goto next_crontab;
+	  }
+	}
+#endif
 	u = load_user(crontab_fd, pw, fname);
 	if (u != NULL) {
 		u->mtime = statbuf->st_mtime;
diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c
--- vixie-cron-4.1.orig/do_command.c	2004-08-27 14:09:34.000000000 -0400
+++ vixie-cron-4.1/do_command.c	2008-08-25 15:43:43.289174371 -0400
@@ -25,6 +25,11 @@ static char rcsid[] = "# $Id$
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
+
 static void		child_process(entry *, user *);
 static int		safe_p(const char *, const char *);
 
@@ -265,6 +270,29 @@ child_process(entry *e, user *u) {
 				_exit(OK_EXIT);
 			}
 # endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+			if (is_selinux_enabled()) {
+			  char *seuser=NULL;
+			  char *level=NULL;
+			  security_context_t scontext;
+
+			  if (getseuserbyname(u->name, &seuser, &level) < 0) {
+			    fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name);
+			    _exit(ERROR_EXIT);
+			  }
+			  if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) {
+			    fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser); 
+			    _exit(ERROR_EXIT);
+			  }
+			  if (setexeccon(scontext) < 0) {
+			    fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name);
+			    _exit(ERROR_EXIT);
+			  }
+			  free(seuser);
+			  free(level);
+			  freecon(scontext);
+			}
+#endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
 			fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
 			perror("execl");