File at-selinux-20040909.patch of Package at
--- at-3.1.8/configure.in.selinux 2004-04-15 13:57:37.000000000 -0400
+++ at-3.1.8/configure.in 2004-04-15 13:57:37.000000000 -0400
@@ -320,4 +320,12 @@
)
AC_SUBST(DAEMON_GROUPNAME)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch)
--- at-3.1.8/atd.c.selinux 2004-04-15 13:57:37.000000000 -0400
+++ at-3.1.8/atd.c 2004-05-05 13:31:31.616622776 -0400
@@ -85,6 +85,14 @@
#include <syslog.h>
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
/* Local headers */
#include "privs.h"
@@ -438,6 +446,47 @@
chdir("/");
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ int retval=0;
+ struct av_decision avd;
+
+ if (get_default_context(pentry->pw_name, NULL, &user_context))
+ perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+ perr("fgetfilecon FAILED %s", filename);
+
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1)
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+ }
+ }
+ freecon(user_context);
+ }
+#endif
+
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
perr("Exec failed for /bin/sh");
@@ -454,6 +503,13 @@
*/
waitpid(pid, (int *) NULL, 0);
+#ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+ if (setexeccon(NULL) < 0) {
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
+ }
+ }
+#endif
/* Send mail. Unlink the output file after opening it, so it
* doesn't hang around after the run (if we are to send mail)
*/
@@ -693,6 +749,9 @@
struct passwd *pwe;
struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+#endif
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
--- at-3.1.8/config.h.in.selinux 1997-05-13 08:41:28.000000000 -0400
+++ at-3.1.8/config.h.in 2004-04-15 13:57:37.000000000 -0400
@@ -184,3 +184,6 @@
#undef DEFAULT_BATCH_QUEUE
#undef HAVE_ATTRIBUTE_NORETURN
+
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
--- at-3.1.8/Makefile.in.selinux 2004-04-15 13:57:37.000000000 -0400
+++ at-3.1.8/Makefile.in 2004-04-15 13:57:37.000000000 -0400
@@ -27,6 +27,7 @@
YACC = @YACC@
LEX = @LEX@
LEXLIB = @LEXLIB@
+SELINUXLIB = @SELINUXLIB@
CC = @CC@
CFLAGS = @CFLAGS@
@@ -74,7 +75,7 @@
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS)
+ $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(SELINUXLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
