summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimon Stelling <blubb@gentoo.org>2006-01-28 18:53:32 +0000
committerSimon Stelling <blubb@gentoo.org>2006-01-28 18:53:32 +0000
commitde38596df74f5f08d0709ece265a2628735a4073 (patch)
treedf3e7dddf031ea736c07f6ecbc3ee840382377c5 /sys-process/vixie-cron/files
parentAdded to ~ppc, bug #120590 (diff)
downloadhistorical-de38596df74f5f08d0709ece265a2628735a4073.tar.gz
historical-de38596df74f5f08d0709ece265a2628735a4073.tar.bz2
historical-de38596df74f5f08d0709ece265a2628735a4073.zip
no need to bzip smallish patches
Package-Manager: portage-2.1_pre3-r1
Diffstat (limited to 'sys-process/vixie-cron/files')
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff134
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2bin1853 -> 0 bytes
2 files changed, 134 insertions, 0 deletions
diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff
new file mode 100644
index 000000000000..eb8111986bf9
--- /dev/null
+++ b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff
@@ -0,0 +1,134 @@
+--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400
++++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400
+@@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $
+ #<<want to use a nonstandard CC?>>
+ #CC = vcc
+ #<<manifest defines>>
+-DEFS = -s
++DEFS = -s -DWITH_SELINUX
++LIBS += -lselinux
+ #(SGI IRIX systems need this)
+ #DEFS = -D_BSD_SIGNALS -Dconst=
+ #<<the name of the BSD-like install program>>
+--- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400
++++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400
+@@ -28,6 +28,15 @@ static char rcsid[] = "$Id: database.c,v
+ #include <sys/stat.h>
+ #include <sys/file.h>
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
++#define SYSUSERNAME "system_u"
++#else
++#define SYSUSERNAME "*system*"
++#endif
++
+
+ #define TMAX(a,b) ((a)>(b)?(a):(b))
+
+@@ -94,7 +103,7 @@ load_database(old_db)
+ new_db.head = new_db.tail = NULL;
+
+ if (syscron_stat.st_mtime) {
+- process_crontab("root", "*system*",
++ process_crontab("root", SYSUSERNAME,
+ SYSCRONTAB, &syscron_stat,
+ &new_db, old_db);
+ }
+@@ -136,7 +145,7 @@ load_database(old_db)
+
+ snprintf(tabname, MAXNAMLEN+1, "/etc/cron.d/%s", fname);
+
+- process_crontab("root", "*system*", tabname,
++ process_crontab("root", SYSUSERNAME, tabname,
+ &crond_stat, &new_db, old_db);
+ }
+ closedir(dir);
+@@ -253,7 +262,7 @@ process_crontab(uname, fname, tabname, s
+ int crontab_fd = OK - 1;
+ user *u;
+
+- if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
++ if (strcmp(fname, SYSUSERNAME) && !(pw = getpwnam(uname))) {
+ /* file doesn't have a user in passwd file.
+ */
+ log_it(fname, getpid(), "ORPHAN", "no passwd entry");
+@@ -297,6 +306,43 @@ process_crontab(uname, fname, tabname, s
+ free_user(u);
+ log_it(fname, getpid(), "RELOAD", tabname);
+ }
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()) {
++ security_context_t file_context=NULL;
++ security_context_t user_context=NULL;
++ struct av_decision avd;
++ int retval=0;
++
++ if (fgetfilecon(crontab_fd, &file_context) < OK) {
++ log_it(fname, getpid(), "getfilecon FAILED", tabname);
++ goto next_crontab;
++ }
++
++ /*
++ * Since crontab files are not directly executed,
++ * crond must ensure that the crontab file has
++ * a context that is appropriate for the context of
++ * the user cron job. It performs an entrypoint
++ * permission check for this purpose.
++ */
++ if (get_default_context(fname, NULL, &user_context)) {
++ log_it(fname, getpid(), "NO CONTEXT", tabname);
++ freecon(file_context);
++ goto next_crontab;
++ }
++ retval = security_compute_av(user_context,
++ file_context,
++ SECCLASS_FILE,
++ FILE__ENTRYPOINT,
++ &avd);
++ freecon(user_context);
++ freecon(file_context);
++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
++ goto next_crontab;
++ }
++ }
++#endif
+ u = load_user(crontab_fd, pw, fname);
+ if (u != NULL) {
+ u->mtime = statbuf->st_mtime;
+--- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400
++++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400
+@@ -29,6 +29,9 @@ static char rcsid[] = "$Id: do_command.c
+ # include <syslog.h>
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+
+ static void child_process __P((entry *, user *)),
+ do_univ __P((user *));
+@@ -251,6 +254,20 @@ child_process(e, u)
+ */
+ (void) signal(SIGCHLD, SIG_DFL);
+ #endif
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()) {
++ security_context_t scontext;
++ if (get_default_context(u->name, NULL, &scontext)) {
++ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name);
++ _exit(ERROR_EXIT);
++ }
++ if (setexeccon(scontext) < 0) {
++ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
++ _exit(ERROR_EXIT);
++ }
++ freecon(scontext);
++ }
++#endif
+ execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
+ fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
+ perror("execl");
diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2
deleted file mode 100644
index 9fbbcf8d8cd0..000000000000
--- a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2
+++ /dev/null
Binary files differ