SOURCES: vixie-cron-selinux.patch - updated (it now includes also ...
prism
prism at pld-linux.org
Mon Jul 25 12:46:48 CEST 2005
Author: prism Date: Mon Jul 25 10:46:48 2005 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- updated (it now also includes the -selinux-pld patch)
---- Files affected:
SOURCES:
vixie-cron-selinux.patch (1.3 -> 1.4)
---- Diffs:
================================================================
Index: SOURCES/vixie-cron-selinux.patch
diff -u SOURCES/vixie-cron-selinux.patch:1.3 SOURCES/vixie-cron-selinux.patch:1.4
--- SOURCES/vixie-cron-selinux.patch:1.3 Mon Mar 1 16:57:42 2004
+++ SOURCES/vixie-cron-selinux.patch Mon Jul 25 12:46:43 2005
@@ -1,73 +1,21 @@
---- vixie-cron-3.0.1.org/do_command.c 2003-12-27 22:58:34.094166552 +0100
-+++ vixie-cron-3.0.1/do_command.c 2003-12-27 22:58:43.797691392 +0100
-@@ -19,6 +19,9 @@
- static char rcsid[] = "$Id$";
- #endif
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#endif
-
- #include "cron.h"
- #include <sys/signal.h>
-@@ -273,6 +276,20 @@
- */
- (void) signal(SIGCHLD, SIG_DFL);
- #endif
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled()>0) {
-+ security_context_t scontext;
-+ if (get_default_context(u->name, NULL, &scontext)) {
-+ fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name);
-+ _exit(ERROR_EXIT);
-+ }
-+ if (setexeccon(scontext) < 0) {
-+ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
-+ _exit(ERROR_EXIT);
-+ }
-+ freecon(scontext);
-+ }
-+#endif
- execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
- fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
- perror("execl");
-
---- vixie-cron-3.0.1.org/cron.c 2003-12-27 22:58:34.264140712 +0100
-+++ vixie-cron-3.0.1/cron.c 2003-12-27 22:58:43.799691088 +0100
-@@ -100,7 +100,7 @@
+diff -uNr vixie-cron-4.1.p22/cron.c vixie-cron-4.1/cron.c
+--- vixie-cron-4.1.p22/cron.c 2005-07-23 12:40:30.000000000 +0200
++++ vixie-cron-4.1/cron.c 2005-07-24 23:59:50.000000000 +0200
+@@ -110,7 +110,7 @@
+ break;
case 0:
/* child process */
- log_it("CRON",getpid(),"STARTUP","fork ok");
- (void) setsid();
+ daemon(1,0);
- break;
- default:
- /* parent process should just die */
---- vixie-cron-3.0.1.org/Makefile 2003-12-27 22:58:34.299135392 +0100
-+++ vixie-cron-3.0.1/Makefile 2003-12-27 22:59:10.474635880 +0100
-@@ -55,7 +55,7 @@
- INCLUDE = -I.
- #INCLUDE =
- #<<need getopt()>>
--LIBS = -lpam
-+LIBS = -lpam -lselinux
- #<<optimize or debug?>>
- OPTIM = $(RPM_OPT_FLAGS)
- #OPTIM = -g
-@@ -71,7 +71,7 @@
- #<<want to use a nonstandard CC?>>
- #CC = vcc
- #<<manifest defines>>
--DEFS =
-+DEFS = -DWITH_SELINUX
- #(SGI IRIX systems need this)
- #DEFS = -D_BSD_SIGNALS -Dconst=
- #<<the name of the BSD-like install program>>
---- vixie-cron-3.0.1.org/database.c 2003-12-27 22:58:34.156157128 +0100
-+++ vixie-cron-3.0.1/database.c 2003-12-27 22:58:43.795691696 +0100
-@@ -30,6 +30,15 @@
- #include <sys/stat.h>
- #include <sys/file.h>
+ if ((fd = open(_PATH_DEVNULL, O_RDWR, 0)) >= 0) {
+ (void) dup2(fd, STDIN);
+ (void) dup2(fd, STDOUT);
+diff -uNr vixie-cron-4.1.p22/database.c vixie-cron-4.1/database.c
+--- vixie-cron-4.1.p22/database.c 2005-07-24 23:50:09.000000000 +0200
++++ vixie-cron-4.1/database.c 2005-07-25 00:22:09.000000000 +0200
+@@ -28,6 +28,15 @@
+
+ #include "cron.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
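Review bot: The return value of `daemon(1,0)` in the new cron.c hunk is never checked, so if the second fork inside daemon() fails the child simply carries on as a non-daemonized process, and with the former `log_it("CRON",...,"STARTUP","fork ok")` line gone there is no record of either outcome. The rendering here has lost the leading marker column, so which of these lines are context versus added is inferred from the two inner hunk headers. I would write it as `if (daemon(1, 0) < 0) { log_it("CRON", getpid(), "STARTUP", "daemon() failed"); exit(ERROR_EXIT); }`, with ERROR_EXIT used the way do_command.c already does. The `open(_PATH_DEVNULL)`/`dup2` lines that remain after it duplicate the descriptor redirection daemon() already performs when its second argument is 0, so they could be dropped or the call changed to `daemon(1,1)` to keep the explicit version; the enclosing switch and function continue outside the hunk.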
@@ -78,19 +26,10 @@
+#define SYSUSERNAME "*system*"
+#endif
+
-
#define TMAX(a,b) ((a)>(b)?(a):(b))
-@@ -96,7 +105,7 @@
- new_db.head = new_db.tail = NULL;
-
- if (syscron_stat.st_mtime) {
-- process_crontab("root", "*system*",
-+ process_crontab("root", SYSUSERNAME,
- SYSCRONTAB, &syscron_stat,
- &new_db, old_db);
- }
-@@ -132,7 +141,7 @@
+ static void process_crontab(const char *, const char *,
+@@ -121,7 +130,7 @@
(void) strcpy(fname, dp->d_name);
snprintf(tabname, MAXNAMLEN+1, "/etc/cron.d/%s", fname);
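Review bot: `SYSUSERNAME` is defined inside the `#ifdef WITH_SELINUX` block that the preceding hunk opens (the `#define SYSUSERNAME "*system*"` sits just before `#endif`), but the next hunk uses it unconditionally in `fname = SYSUSERNAME;`, so database.c no longer compiles when WITH_SELINUX is not defined. The Makefile part of this patch forces `-DWITH_SELINUX`, which is why the breakage is latent rather than visible. Moving the define below the `#endif`, as `#define SYSUSERNAME "*system*"` on its own line, keeps the non-SELinux build working and the macro still serves both users. The inner database.c hunk that declares it begins in the previous outer hunk.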
@@ -99,16 +38,16 @@
&crond_stat, &new_db, old_db);
}
closedir(dir);
-@@ -249,7 +258,7 @@
- int crontab_fd = OK - 1;
- user *u;
-
-- if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
-+ if (strcmp(fname, SYSUSERNAME) && !(pw = getpwnam(uname))) {
+@@ -226,7 +235,7 @@
+ if (fname == NULL) {
+ /* must be set to something for logging purposes.
+ */
+- fname = "*system*";
++ fname = SYSUSERNAME;
+ } else if ((pw = getpwnam(uname)) == NULL) {
/* file doesn't have a user in passwd file.
*/
- log_it(fname, getpid(), "ORPHAN", "no passwd entry");
-@@ -333,6 +342,44 @@
+@@ -293,6 +302,60 @@
free_user(u);
log_it(fname, getpid(), "RELOAD", tabname);
}
@@ -120,8 +59,13 @@
+ int retval=0;
+
+ if (fgetfilecon(crontab_fd, &file_context) < OK) {
-+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
-+ goto next_crontab;
++ if (security_getenforce() > 0) {
++ log_it(fname, getpid(), "getfilecon FAILED", tabname);
++ goto next_crontab;
++ } else {
++ log_it(fname, getpid(), "getfilecon FAILED but SELinux in permissive mode, continuing", tabname);
++ goto selinux_out;
++ }
+ }
+
+ /*
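Review bot: The new `if (security_getenforce() > 0)` test after the `fgetfilecon` failure treats the -1 that libselinux returns when it cannot determine the enforce status the same as permissive mode, so an error reading the mode drops into the "continuing" branch and the crontab is loaded without its context having been checked. A fail-closed comparison, `if (security_getenforce() != 0) {`, keeps the enforcing path whenever the status is anything other than a definite 0. The same `> 0` test is repeated in the NO CONTEXT branch of the next hunk, in the ENTRYPOINT branch of the one after it, and twice in the do_command.c hunk, and the same change applies there. The three copies of the log-then-goto pair in this function would also read better as one small static helper taking the message, but that is a matter of style. The enclosing `#ifdef WITH_SELINUX` block and the function around it extend beyond the hunk.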
@@ -132,9 +76,14 @@
+ * permission check for this purpose.
+ */
+ if (get_default_context(fname, NULL, &user_context)) {
-+ log_it(fname, getpid(), "NO CONTEXT", tabname);
+ freecon(file_context);
-+ goto next_crontab;
++ if (security_getenforce() > 0) {
++ log_it(fname, getpid(), "NO CONTEXT", tabname);
++ goto next_crontab;
++ } else {
++ log_it(fname, getpid(), "NO CONTEXT but SELinux in permissive mode, continuing", tabname);
++ goto selinux_out;
++ }
+ }
+ retval = security_compute_av(user_context,
+ file_context,
@@ -144,12 +93,79 @@
+ freecon(user_context);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
-+ if (security_getenforce()==1)
-+ goto next_crontab;
++ if (security_getenforce() > 0) {
++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
++ goto next_crontab;
++ } else {
++ log_it(fname, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
++ goto selinux_out;
++ }
+ }
++selinux_out:
++ ((void)0);
+ }
+#endif
u = load_user(crontab_fd, pw, fname);
if (u != NULL) {
u->mtime = statbuf->st_mtime;
+diff -uNr vixie-cron-4.1.p22/do_command.c vixie-cron-4.1/do_command.c
+--- vixie-cron-4.1.p22/do_command.c 2005-07-25 00:07:52.000000000 +0200
++++ vixie-cron-4.1/do_command.c 2005-07-25 00:21:27.000000000 +0200
+@@ -23,6 +23,10 @@
+ static char rcsid[] = "$Id$";
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
++
+ #include "cron.h"
+
+ #include <security/pam_appl.h>
+@@ -295,6 +299,25 @@
+ */
+ (void) signal(SIGCHLD, SIG_DFL);
+ #endif /*USE_SIGCHLD*/
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()>0) {
++ security_context_t scontext;
++ if (get_default_context(u->name, NULL, &scontext)) {
++ if (security_getenforce() > 0) {
++ fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name);
++ _exit(ERROR_EXIT);
++ }
++ } else {
++ if (setexeccon(scontext) < 0) {
++ if (security_getenforce() > 0) {
++ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
++ _exit(ERROR_EXIT);
++ }
++ }
++ freecon(scontext);
++ }
++ }
++#endif /*WITH_SELINUX*/
+ execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
+ fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
+ perror("execl");
+diff -uNr vixie-cron-4.1.p22/Makefile vixie-cron-4.1/Makefile
+--- vixie-cron-4.1.p22/Makefile 2005-07-24 23:37:58.000000000 +0200
++++ vixie-cron-4.1/Makefile 2005-07-25 00:00:34.000000000 +0200
+@@ -59,7 +59,7 @@
+ INCLUDE = -I.
+ #INCLUDE =
+ #<<need getopt()>>
+-LIBS = -lpam
++LIBS = -lpam -lselinux
+ #<<optimize or debug?>>
+ CDEBUG = $(RPM_OPT_FLAGS)
+ #CDEBUG = -g
+@@ -68,7 +68,7 @@
+ #<<want to use a nonstandard CC?>>
+ CC = gcc -Wall -Wno-unused -Wno-comment
+ #<<manifest defines>>
+-DEFS =
++DEFS = -DWITH_SELINUX
+ #(SGI IRIX systems need this)
+ #DEFS = -D_BSD_SIGNALS -Dconst=
+ #<<the name of the BSD-like install program>>
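Review bot: In the do_command.c part of this hunk a failure of `get_default_context` or `setexeccon` in permissive mode is completely silent, because the `fprintf(stderr, ...)` diagnostics are placed inside the `if (security_getenforce() > 0)` guard together with the `_exit(ERROR_EXIT)`, whereas the matching database.c branches at least call `log_it` with a "permissive mode, continuing" message. Emitting the message unconditionally and guarding only the exit, for example `fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); if (security_getenforce() > 0) _exit(ERROR_EXIT);` and the analogous two lines for the setexeccon case, makes a permissive-mode misconfiguration visible in the job output instead of disappearing. The `is_selinux_enabled()>0` test likewise maps a -1 error to "skip SELinux setup"; that is common for this call, but worth a comment so the fallback is visibly intentional. The function this `#ifdef WITH_SELINUX` block sits in starts and ends outside the hunk.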
================================================================
---- CVS-web:
http://cvs.pld-linux.org/SOURCES/vixie-cron-selinux.patch?r1=1.3&r2=1.4&f=u