diff options
author | Chris PeBenito <pebenito@gentoo.org> | 2008-09-26 03:20:47 +0000 |
---|---|---|
committer | Chris PeBenito <pebenito@gentoo.org> | 2008-09-26 03:20:47 +0000 |
commit | 706d735bcaf96ca9105aad6b53fb3935cfaf86f8 (patch) | |
tree | d6c8c8d510b30d8cecea2f545eac2af7cb7f5389 /sys-process/vixie-cron/files | |
parent | Version bump (diff) | |
download | historical-706d735bcaf96ca9105aad6b53fb3935cfaf86f8.tar.gz historical-706d735bcaf96ca9105aad6b53fb3935cfaf86f8.tar.bz2 historical-706d735bcaf96ca9105aad6b53fb3935cfaf86f8.zip |
sys-process/vixie-cron: bump to update selinux patch.
Package-Manager: portage-2.2_rc9/cvs/Linux 2.6.24-gentoo-r3 x86_64
Diffstat (limited to 'sys-process/vixie-cron/files')
-rw-r--r-- | sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff b/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff new file mode 100644 index 000000000000..536eb2b43000 --- /dev/null +++ b/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff @@ -0,0 +1,144 @@ +diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile +--- vixie-cron-4.1.orig/Makefile 2004-08-27 14:09:33.000000000 -0400 ++++ vixie-cron-4.1/Makefile 2008-08-25 15:17:20.062720415 -0400 +@@ -68,7 +68,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING + #<<want to use a nonstandard CC?>> + CC = gcc -Wall -Wno-unused -Wno-comment + #<<manifest defines>> +-DEFS = ++DEFS = -s -DWITH_SELINUX ++LIBS += -lselinux + #(SGI IRIX systems need this) + #DEFS = -D_BSD_SIGNALS -Dconst= + #<<the name of the BSD-like install program>> +diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c +--- vixie-cron-4.1.orig/database.c 2004-08-27 14:09:34.000000000 -0400 ++++ vixie-cron-4.1/database.c 2008-08-27 08:19:37.948930858 -0400 +@@ -28,6 +28,16 @@ static char rcsid[] = "$Id: database.c,v + + #include "cron.h" + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#include <selinux/flask.h> ++#include <selinux/av_permissions.h> ++#include <selinux/get_context_list.h> ++#define SYSUSERNAME "system_u" ++#else ++#define SYSUSERNAME "*system*" ++#endif ++ + #define TMAX(a,b) ((a)>(b)?(a):(b)) + + static void process_crontab(const char *, const char *, +@@ -183,7 +193,7 @@ process_crontab(const char *uname, const + if (fname == NULL) { + /* must be set to something for logging purposes. + */ +- fname = "*system*"; ++ fname = SYSUSERNAME; + } else if ((pw = getpwnam(uname)) == NULL) { + /* file doesn't have a user in passwd file. + */ +@@ -245,6 +255,56 @@ process_crontab(const char *uname, const + free_user(u); + log_it(fname, getpid(), "RELOAD", tabname); + } ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ security_context_t file_context=NULL; ++ security_context_t user_context=NULL; ++ struct av_decision avd; ++ int retval=0; ++ char *seuser=NULL; ++ char *level=NULL; ++ ++ if (fgetfilecon(crontab_fd, &file_context) < OK) { ++ log_it(fname, getpid(), "getfilecon FAILED", tabname); ++ goto next_crontab; ++ } ++ ++ /* ++ * Since crontab files are not directly executed, ++ * crond must ensure that the crontab file has ++ * a context that is appropriate for the context of ++ * the user cron job. It performs an entrypoint ++ * permission check for this purpose. ++ */ ++ if (getseuserbyname(fname, &seuser, &level) < 0) { ++ log_it(fname, getpid(), "NO SEUSER", tabname); ++ goto next_crontab; ++ } ++ ++ if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) { ++ log_it(fname, getpid(), "NO CONTEXT", tabname); ++ freecon(file_context); ++ free(seuser); ++ free(level); ++ goto next_crontab; ++ } ++ ++ retval = security_compute_av(user_context, ++ file_context, ++ SECCLASS_FILE, ++ FILE__ENTRYPOINT, ++ &avd); ++ freecon(user_context); ++ freecon(file_context); ++ free(seuser); ++ free(level); ++ ++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { ++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); ++ goto next_crontab; ++ } ++ } ++#endif + u = load_user(crontab_fd, pw, fname); + if (u != NULL) { + u->mtime = statbuf->st_mtime; +diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c +--- vixie-cron-4.1.orig/do_command.c 2004-08-27 14:09:34.000000000 -0400 ++++ vixie-cron-4.1/do_command.c 2008-08-25 15:43:43.289174371 -0400 +@@ -25,6 +25,11 @@ static char rcsid[] = "$Id: do_command.c + + #include "cron.h" + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#include <selinux/get_context_list.h> ++#endif ++ + static void child_process(entry *, user *); + static int safe_p(const char *, const char *); + +@@ -265,6 +270,29 @@ child_process(entry *e, user *u) { + _exit(OK_EXIT); + } + # endif /*DEBUGGING*/ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ char *seuser=NULL; ++ char *level=NULL; ++ security_context_t scontext; ++ ++ if (getseuserbyname(u->name, &seuser, &level) < 0) { ++ fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name); ++ _exit(ERROR_EXIT); ++ } ++ if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) { ++ fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser); ++ _exit(ERROR_EXIT); ++ } ++ if (setexeccon(scontext) < 0) { ++ fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name); ++ _exit(ERROR_EXIT); ++ } ++ free(seuser); ++ free(level); ++ freecon(scontext); ++ } ++#endif + execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); + fprintf(stderr, "execl: couldn't exec `%s'\n", shell); + perror("execl"); |