rpms / at

Clone
Source Code
GIT

Blame at-3.1.12-selinux.patch

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 main rawhide
  1.   e85ff306c131ab9f1c7fea8e751869efed66cc97
  2.   at-3.1.12-selinux.patch
Blob History Raw
ec83003 
diff -up at-3.1.12/config.h.in.selinux at-3.1.12/config.h.in
ec83003 
--- at-3.1.12/config.h.in.selinux	2009-12-02 16:32:19.469228959 +0100
ec83003 
+++ at-3.1.12/config.h.in	2009-12-02 16:32:57.706966488 +0100
ec83003 
@@ -71,6 +71,9 @@
ec83003 
 /* Define if you are building with_pam */
ec83003 
 #undef WITH_PAM
ec83003
ec83003 
+/* Define if you are building with_selinux  */
ec83003 
+#undef WITH_SELINUX
ec83003 
+
ec83003 
 /* Define to 1 if you have the `pstat_getdynamic' function. */
ec83003 
 #undef HAVE_PSTAT_GETDYNAMIC
ec83003
ec83003 
diff -up at-3.1.12/configure.ac.selinux at-3.1.12/configure.ac
ec83003 
--- at-3.1.12/configure.ac.selinux	2009-12-02 16:31:15.323246019 +0100
ec83003 
+++ at-3.1.12/configure.ac	2009-12-02 16:32:01.425966844 +0100
ec83003 
@@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname,
ec83003 
 )
ec83003 
 AC_SUBST(DAEMON_GROUPNAME)
ec83003
ec83003 
+AC_ARG_WITH(selinux,
ec83003 
+[ --with-selinux       Define to run with selinux],
ec83003 
+AC_DEFINE(WITH_SELINUX),
ec83003 
+)
ec83003 
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
ec83003 
+AC_SUBST(SELINUXLIB)
ec83003 
+AC_SUBST(WITH_SELINUX)
ec83003 
+
ec83003 
 AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 batch)
ec83003 
 AC_OUTPUT
ec83003 
diff -up at-3.1.12/Makefile.in.selinux at-3.1.12/Makefile.in
ec83003 
--- at-3.1.12/Makefile.in.selinux	2009-12-02 16:30:11.923216529 +0100
ec83003 
+++ at-3.1.12/Makefile.in	2009-12-02 16:30:57.949215706 +0100
ec83003 
@@ -39,6 +39,7 @@ LIBS		= @LIBS@
ec83003 
 LIBOBJS		= @LIBOBJS@
ec83003 
 INSTALL		= @INSTALL@
ec83003 
 PAMLIB          = @PAMLIB@
ec83003 
+SELINUXLIB      = @SELINUXLIB@
ec83003
ec83003 
 CLONES		= atq atrm
ec83003 
 ATOBJECTS	= at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
ec83003 
diff -up at-3.1.12/atd.c.selinux at-3.1.12/atd.c
ec83003 
--- at-3.1.12/atd.c.selinux	2009-12-03 13:03:57.182284669 +0100
ec83003 
+++ at-3.1.12/atd.c	2009-12-03 13:07:20.542272874 +0100
ec83003 
@@ -83,6 +83,14 @@
ec83003 
 #include "getloadavg.h"
ec83003 
 #endif
ec83003
ec83003 
+#ifdef WITH_SELINUX
ec83003 
+#include <selinux/selinux.h>
ec83003 
+#include <selinux/get_context_list.h>
ec83003 
+int selinux_enabled=0;
ec83003 
+#include <selinux/flask.h>
ec83003 
+#include <selinux/av_permissions.h>
ec83003 
+#endif
ec83003 
+
ec83003 
 #ifndef LOG_ATD
ec83003 
 #define LOG_ATD        LOG_DAEMON
ec83003 
 #endif
ec83003 
@@ -202,6 +210,68 @@ myfork()
ec83003 
 #define ATD_MAIL_NAME    "mailx"
ec83003 
 #endif
ec83003
ec83003 
+#ifdef WITH_SELINUX
ec83003 
+static int set_selinux_context(const char *name, const char *filename) {
ec83003 
+       security_context_t user_context=NULL;
ec83003 
+       security_context_t  file_context=NULL;
ec83003 
+       struct av_decision avd;
ec83003 
+       int retval=-1;
ec83003 
+       char *seuser=NULL;
ec83003 
+       char *level=NULL;
ec83003 
+
ec83003 
+       if (getseuserbyname(name, &seuser, &level) == 0) {
ec83003 
+               retval=get_default_context_with_level(seuser, level, NULL, &user_context);
ec83003 
+               free(seuser);
ec83003 
+               free(level);
ec83003 
+               if (retval) {
ec83003 
+                       if (security_getenforce()==1) {
ec83003 
+                               perr("execle: couldn't get security context for user %s\n", name);
ec83003 
+                       } else {
ec83003 
+                               syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
ec83003 
+                               return -1;
ec83003 
+                       }
ec83003 
+               }
ec83003 
+       }
ec83003 
+
ec83003 
+       /*
ec83003 
+       * Since crontab files are not directly executed,
ec83003 
+       * crond must ensure that the crontab file has
ec83003 
+       * a context that is appropriate for the context of
ec83003 
+       * the user cron job.  It performs an entrypoint
ec83003 
+       * permission check for this purpose.
ec83003 
+       */
ec83003 
+       if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
ec83003 
+               perr("fgetfilecon FAILED %s", filename);
ec83003 
+
ec83003 
+       retval = security_compute_av(user_context,
ec83003 
+                                    file_context,
ec83003 
+                                    SECCLASS_FILE,
ec83003 
+                                    FILE__ENTRYPOINT,
ec83003 
+                                    &avd);
ec83003 
+       freecon(file_context);
ec83003 
+       if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
ec83003 
+               if (security_getenforce()==1) {
ec83003 
+                       perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
ec83003 
+               } else {
ec83003 
+                       syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
ec83003 
+                       retval = -1;
ec83003 
+                       goto err;
ec83003 
+               }
ec83003 
+       }
ec83003 
+       if (setexeccon(user_context) < 0) {
ec83003 
+               if (security_getenforce()==1) {
ec83003 
+                       perr("Could not set exec context to %s for user  %s\n", user_context,name);
ec83003 
+                       retval = -1;
ec83003 
+               } else {
ec83003 
+                       syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
ec83003 
+               }
ec83003 
+       }
ec83003 
+  err:
ec83003 
+       freecon(user_context);
ec83003 
+       return 0;
ec83003 
+}
ec83003 
+#endif
ec83003 
+
ec83003 
 static void
ec83003 
 run_file(const char *filename, uid_t uid, gid_t gid)
ec83003 
 {
ec83003 
@@ -452,6 +522,12 @@ run_file(const char *filename, uid_t uid
ec83003 
                 perr("Cannot reset signal handler to default");
ec83003
ec83003 
 	    chdir("/");
ec83003 
+#ifdef WITH_SELINUX
ec83003 
+            if (selinux_enabled > 0) {
ec83003 
+                if (set_selinux_context(pentry->pw_name, filename) < 0)
ec83003 
+                       perr("SELinux Failed to set context\n");
ec83003 
+            }
ec83003 
+#endif
ec83003
ec83003 
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
ec83003 
 		perr("Exec failed for /bin/sh");
ec83003 
@@ -774,6 +850,10 @@ main(int argc, char *argv[])
ec83003 
     struct passwd *pwe;
ec83003 
     struct group *ge;
ec83003
ec83003 
+#ifdef WITH_SELINUX
ec83003 
+    selinux_enabled=is_selinux_enabled();
ec83003 
+#endif
ec83003 
+
ec83003 
 /* We don't need root privileges all the time; running under uid and gid
ec83003 
  * daemon is fine.
ec83003 
  */
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.