diff options
author | Simon Stelling <blubb@gentoo.org> | 2006-01-28 18:53:32 +0000 |
---|---|---|
committer | Simon Stelling <blubb@gentoo.org> | 2006-01-28 18:53:32 +0000 |
commit | de38596df74f5f08d0709ece265a2628735a4073 (patch) | |
tree | df3e7dddf031ea736c07f6ecbc3ee840382377c5 /sys-process/vixie-cron/files | |
parent | Added to ~ppc, bug #120590 (diff) | |
download | historical-de38596df74f5f08d0709ece265a2628735a4073.tar.gz historical-de38596df74f5f08d0709ece265a2628735a4073.tar.bz2 historical-de38596df74f5f08d0709ece265a2628735a4073.zip |
no need to bzip smallish patches
Package-Manager: portage-2.1_pre3-r1
Diffstat (limited to 'sys-process/vixie-cron/files')
-rw-r--r-- | sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff | 134 | ||||
-rw-r--r-- | sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 | bin | 1853 -> 0 bytes |
2 files changed, 134 insertions, 0 deletions
diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff new file mode 100644 index 000000000000..eb8111986bf9 --- /dev/null +++ b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff @@ -0,0 +1,134 @@ +--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400 ++++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400 +@@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $ + #<<want to use a nonstandard CC?>> + #CC = vcc + #<<manifest defines>> +-DEFS = -s ++DEFS = -s -DWITH_SELINUX ++LIBS += -lselinux + #(SGI IRIX systems need this) + #DEFS = -D_BSD_SIGNALS -Dconst= + #<<the name of the BSD-like install program>> +--- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400 ++++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400 +@@ -28,6 +28,15 @@ static char rcsid[] = "$Id: database.c,v + #include <sys/stat.h> + #include <sys/file.h> + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#include <selinux/flask.h> ++#include <selinux/av_permissions.h> ++#define SYSUSERNAME "system_u" ++#else ++#define SYSUSERNAME "*system*" ++#endif ++ + + #define TMAX(a,b) ((a)>(b)?(a):(b)) + +@@ -94,7 +103,7 @@ load_database(old_db) + new_db.head = new_db.tail = NULL; + + if (syscron_stat.st_mtime) { +- process_crontab("root", "*system*", ++ process_crontab("root", SYSUSERNAME, + SYSCRONTAB, &syscron_stat, + &new_db, old_db); + } +@@ -136,7 +145,7 @@ load_database(old_db) + + snprintf(tabname, MAXNAMLEN+1, "/etc/cron.d/%s", fname); + +- process_crontab("root", "*system*", tabname, ++ process_crontab("root", SYSUSERNAME, tabname, + &crond_stat, &new_db, old_db); + } + closedir(dir); +@@ -253,7 +262,7 @@ process_crontab(uname, fname, tabname, s + int crontab_fd = OK - 1; + user *u; + +- if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) { ++ if (strcmp(fname, SYSUSERNAME) && !(pw = getpwnam(uname))) { + /* file doesn't have a user in passwd file. + */ + log_it(fname, getpid(), "ORPHAN", "no passwd entry"); +@@ -297,6 +306,43 @@ process_crontab(uname, fname, tabname, s + free_user(u); + log_it(fname, getpid(), "RELOAD", tabname); + } ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ security_context_t file_context=NULL; ++ security_context_t user_context=NULL; ++ struct av_decision avd; ++ int retval=0; ++ ++ if (fgetfilecon(crontab_fd, &file_context) < OK) { ++ log_it(fname, getpid(), "getfilecon FAILED", tabname); ++ goto next_crontab; ++ } ++ ++ /* ++ * Since crontab files are not directly executed, ++ * crond must ensure that the crontab file has ++ * a context that is appropriate for the context of ++ * the user cron job. It performs an entrypoint ++ * permission check for this purpose. ++ */ ++ if (get_default_context(fname, NULL, &user_context)) { ++ log_it(fname, getpid(), "NO CONTEXT", tabname); ++ freecon(file_context); ++ goto next_crontab; ++ } ++ retval = security_compute_av(user_context, ++ file_context, ++ SECCLASS_FILE, ++ FILE__ENTRYPOINT, ++ &avd); ++ freecon(user_context); ++ freecon(file_context); ++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { ++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); ++ goto next_crontab; ++ } ++ } ++#endif + u = load_user(crontab_fd, pw, fname); + if (u != NULL) { + u->mtime = statbuf->st_mtime; +--- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400 ++++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400 +@@ -29,6 +29,9 @@ static char rcsid[] = "$Id: do_command.c + # include <syslog.h> + #endif + ++#ifdef WITH_SELINUX ++#include <selinux/selinux.h> ++#endif + + static void child_process __P((entry *, user *)), + do_univ __P((user *)); +@@ -251,6 +254,20 @@ child_process(e, u) + */ + (void) signal(SIGCHLD, SIG_DFL); + #endif ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled()) { ++ security_context_t scontext; ++ if (get_default_context(u->name, NULL, &scontext)) { ++ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name); ++ _exit(ERROR_EXIT); ++ } ++ if (setexeccon(scontext) < 0) { ++ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name); ++ _exit(ERROR_EXIT); ++ } ++ freecon(scontext); ++ } ++#endif + execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); + fprintf(stderr, "execl: couldn't exec `%s'\n", shell); + perror("execl"); diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 Binary files differdeleted file mode 100644 index 9fbbcf8d8cd0..000000000000 --- a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 +++ /dev/null |