File vixie-cron-4.1-selinux.diff of Package cron
--- vixie-cron-4.1/Makefile
+++ vixie-cron-4.1/Makefile
@@ -60,7 +60,7 @@
INCLUDE = -I.
#INCLUDE =
#<<need getopt()>>
-LIBS = -lpam -lpam_misc
+LIBS = -lpam -lpam_misc -lselinux
#<<optimize or debug?>>
#CDEBUG = -O
CDEBUG = -O2 -pipe
@@ -69,7 +69,7 @@
#<<want to use a nonstandard CC?>>
CC = gcc -Wall -Wno-unused -Wno-comment
#<<manifest defines>>
-DEFS = -DWITH_PAM
+DEFS = -DWITH_PAM -DWITH_SELINUX
#(SGI IRIX systems need this)
#DEFS = -D_BSD_SIGNALS -Dconst=
#<<the name of the BSD-like install program>>
--- vixie-cron-4.1/database.c
+++ vixie-cron-4.1/database.c
@@ -28,6 +28,15 @@
#include "cron.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
#define TMAX(a,b) ((a)>(b)?(a):(b))
static void process_crontab(const char *, const char *,
@@ -296,7 +305,7 @@
if (fname == NULL) {
/* must be set to something for logging purposes.
*/
- fname = "*system*";
+ fname = SYSUSERNAME;
} else if ((pw = getpwnam(uname)) == NULL) {
/* file doesn't have a user in passwd file.
*/
@@ -358,6 +367,43 @@
free_user(u);
log_it(fname, getpid(), "RELOAD", tabname);
}
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t file_context=NULL;
+ security_context_t user_context=NULL;
+ struct av_decision avd;
+ int retval=0;
+
+ if (fgetfilecon(crontab_fd, &file_context) < OK) {
+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
+ goto next_crontab;
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (get_default_context(fname, NULL, &user_context)) {
+ log_it(fname, getpid(), "NO CONTEXT", tabname);
+ freecon(file_context);
+ goto next_crontab;
+ }
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(user_context);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+ goto next_crontab;
+ }
+ }
+#endif
u = load_user(crontab_fd, pw, fname);
if (u != NULL) {
u->mtime = statbuf->st_mtime;
--- vixie-cron-4.1/do_command.c
+++ vixie-cron-4.1/do_command.c
@@ -37,6 +37,10 @@
}
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
static void child_process(entry *, user *);
static int safe_p(const char *, const char *);
@@ -339,6 +343,20 @@
_exit(OK_EXIT);
}
# endif /*DEBUGGING*/
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled()) {
+ security_context_t scontext;
+ if (get_default_context(u->name, NULL, &scontext)) {
+ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name);
+ _exit(ERROR_EXIT);
+ }
+ if (setexeccon(scontext) < 0) {
+ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
+ _exit(ERROR_EXIT);
+ }
+ freecon(scontext);
+ }
+#endif
execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
perror("execl");