You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
145 lines
4.6 KiB
145 lines
4.6 KiB
diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile
|
|
--- vixie-cron-4.1.orig/Makefile 2004-08-27 14:09:33.000000000 -0400
|
|
+++ vixie-cron-4.1/Makefile 2008-08-25 15:17:20.062720415 -0400
|
|
@@ -68,7 +68,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING
|
|
#<<want to use a nonstandard CC?>>
|
|
CC = gcc -Wall -Wno-unused -Wno-comment
|
|
#<<manifest defines>>
|
|
-DEFS =
|
|
+DEFS = -s -DWITH_SELINUX
|
|
+LIBS += -lselinux
|
|
#(SGI IRIX systems need this)
|
|
#DEFS = -D_BSD_SIGNALS -Dconst=
|
|
#<<the name of the BSD-like install program>>
|
|
diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c
|
|
--- vixie-cron-4.1.orig/database.c 2004-08-27 14:09:34.000000000 -0400
|
|
+++ vixie-cron-4.1/database.c 2008-08-27 08:19:37.948930858 -0400
|
|
@@ -28,6 +28,16 @@ static char rcsid[] = "$Id: database.c,v
|
|
|
|
#include "cron.h"
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/flask.h>
|
|
+#include <selinux/av_permissions.h>
|
|
+#include <selinux/get_context_list.h>
|
|
+#define SYSUSERNAME "system_u"
|
|
+#else
|
|
+#define SYSUSERNAME "*system*"
|
|
+#endif
|
|
+
|
|
#define TMAX(a,b) ((a)>(b)?(a):(b))
|
|
|
|
static void process_crontab(const char *, const char *,
|
|
@@ -183,7 +193,7 @@ process_crontab(const char *uname, const
|
|
if (fname == NULL) {
|
|
/* must be set to something for logging purposes.
|
|
*/
|
|
- fname = "*system*";
|
|
+ fname = SYSUSERNAME;
|
|
} else if ((pw = getpwnam(uname)) == NULL) {
|
|
/* file doesn't have a user in passwd file.
|
|
*/
|
|
@@ -245,6 +255,56 @@ process_crontab(const char *uname, const
|
|
free_user(u);
|
|
log_it(fname, getpid(), "RELOAD", tabname);
|
|
}
|
|
+#ifdef WITH_SELINUX
|
|
+ if (is_selinux_enabled()) {
|
|
+ security_context_t file_context=NULL;
|
|
+ security_context_t user_context=NULL;
|
|
+ struct av_decision avd;
|
|
+ int retval=0;
|
|
+ char *seuser=NULL;
|
|
+ char *level=NULL;
|
|
+
|
|
+ if (fgetfilecon(crontab_fd, &file_context) < OK) {
|
|
+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
|
|
+ goto next_crontab;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * Since crontab files are not directly executed,
|
|
+ * crond must ensure that the crontab file has
|
|
+ * a context that is appropriate for the context of
|
|
+ * the user cron job. It performs an entrypoint
|
|
+ * permission check for this purpose.
|
|
+ */
|
|
+ if (getseuserbyname(fname, &seuser, &level) < 0) {
|
|
+ log_it(fname, getpid(), "NO SEUSER", tabname);
|
|
+ goto next_crontab;
|
|
+ }
|
|
+
|
|
+ if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
|
|
+ log_it(fname, getpid(), "NO CONTEXT", tabname);
|
|
+ freecon(file_context);
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ goto next_crontab;
|
|
+ }
|
|
+
|
|
+ retval = security_compute_av(user_context,
|
|
+ file_context,
|
|
+ SECCLASS_FILE,
|
|
+ FILE__ENTRYPOINT,
|
|
+ &avd);
|
|
+ freecon(user_context);
|
|
+ freecon(file_context);
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+
|
|
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
|
|
+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
|
|
+ goto next_crontab;
|
|
+ }
|
|
+ }
|
|
+#endif
|
|
u = load_user(crontab_fd, pw, fname);
|
|
if (u != NULL) {
|
|
u->mtime = statbuf->st_mtime;
|
|
diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c
|
|
--- vixie-cron-4.1.orig/do_command.c 2004-08-27 14:09:34.000000000 -0400
|
|
+++ vixie-cron-4.1/do_command.c 2008-08-25 15:43:43.289174371 -0400
|
|
@@ -25,6 +25,11 @@ static char rcsid[] = "$Id: do_command.c
|
|
|
|
#include "cron.h"
|
|
|
|
+#ifdef WITH_SELINUX
|
|
+#include <selinux/selinux.h>
|
|
+#include <selinux/get_context_list.h>
|
|
+#endif
|
|
+
|
|
static void child_process(entry *, user *);
|
|
static int safe_p(const char *, const char *);
|
|
|
|
@@ -265,6 +270,29 @@ child_process(entry *e, user *u) {
|
|
_exit(OK_EXIT);
|
|
}
|
|
# endif /*DEBUGGING*/
|
|
+#ifdef WITH_SELINUX
|
|
+ if (is_selinux_enabled()) {
|
|
+ char *seuser=NULL;
|
|
+ char *level=NULL;
|
|
+ security_context_t scontext;
|
|
+
|
|
+ if (getseuserbyname(u->name, &seuser, &level) < 0) {
|
|
+ fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name);
|
|
+ _exit(ERROR_EXIT);
|
|
+ }
|
|
+ if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) {
|
|
+ fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser);
|
|
+ _exit(ERROR_EXIT);
|
|
+ }
|
|
+ if (setexeccon(scontext) < 0) {
|
|
+ fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name);
|
|
+ _exit(ERROR_EXIT);
|
|
+ }
|
|
+ free(seuser);
|
|
+ free(level);
|
|
+ freecon(scontext);
|
|
+ }
|
|
+#endif
|
|
execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
|
|
fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
|
|
perror("execl");
|