|
|
bd38e4 |
diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c
|
|
|
bd38e4 |
--- at-3.1.13/atd.c.selinux 2012-11-01 15:11:21.368772308 +0100
|
|
|
bd38e4 |
+++ at-3.1.13/atd.c 2012-11-01 15:13:16.809162818 +0100
|
|
|
bd38e4 |
@@ -83,6 +83,14 @@
|
|
|
bd38e4 |
#include "getloadavg.h"
|
|
|
bd38e4 |
#endif
|
|
|
bd38e4 |
|
|
|
bd38e4 |
+#ifdef WITH_SELINUX
|
|
|
bd38e4 |
+#include <selinux/selinux.h>
|
|
|
bd38e4 |
+#include <selinux/get_context_list.h>
|
|
|
bd38e4 |
+int selinux_enabled=0;
|
|
|
bd38e4 |
+#include <selinux/flask.h>
|
|
|
bd38e4 |
+#include <selinux/av_permissions.h>
|
|
|
bd38e4 |
+#endif
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
#ifndef LOG_ATD
|
|
|
bd38e4 |
#define LOG_ATD LOG_DAEMON
|
|
|
bd38e4 |
#endif
|
|
|
bd38e4 |
@@ -202,6 +210,68 @@ myfork()
|
|
|
bd38e4 |
#define ATD_MAIL_NAME "mailx"
|
|
|
bd38e4 |
#endif
|
|
|
bd38e4 |
|
|
|
bd38e4 |
+#ifdef WITH_SELINUX
|
|
|
bd38e4 |
+static int set_selinux_context(const char *name, const char *filename) {
|
|
|
bd38e4 |
+ security_context_t user_context=NULL;
|
|
|
bd38e4 |
+ security_context_t file_context=NULL;
|
|
|
bd38e4 |
+ struct av_decision avd;
|
|
|
bd38e4 |
+ int retval=-1;
|
|
|
bd38e4 |
+ char *seuser=NULL;
|
|
|
bd38e4 |
+ char *level=NULL;
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
+ if (getseuserbyname(name, &seuser, &level) == 0) {
|
|
|
bd38e4 |
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
|
|
|
bd38e4 |
+ free(seuser);
|
|
|
bd38e4 |
+ free(level);
|
|
|
bd38e4 |
+ if (retval) {
|
|
|
bd38e4 |
+ if (security_getenforce()==1) {
|
|
|
bd38e4 |
+ perr("execle: couldn't get security context for user %s\n", name);
|
|
|
bd38e4 |
+ } else {
|
|
|
bd38e4 |
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
|
|
|
bd38e4 |
+ return -1;
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
+ /*
|
|
|
bd38e4 |
+ * Since crontab files are not directly executed,
|
|
|
bd38e4 |
+ * crond must ensure that the crontab file has
|
|
|
bd38e4 |
+ * a context that is appropriate for the context of
|
|
|
bd38e4 |
+ * the user cron job. It performs an entrypoint
|
|
|
bd38e4 |
+ * permission check for this purpose.
|
|
|
bd38e4 |
+ */
|
|
|
bd38e4 |
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
|
|
|
bd38e4 |
+ perr("fgetfilecon FAILED %s", filename);
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
+ retval = security_compute_av(user_context,
|
|
|
bd38e4 |
+ file_context,
|
|
|
bd38e4 |
+ SECCLASS_FILE,
|
|
|
bd38e4 |
+ FILE__ENTRYPOINT,
|
|
|
bd38e4 |
+ &avd);
|
|
|
bd38e4 |
+ freecon(file_context);
|
|
|
bd38e4 |
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
|
|
|
bd38e4 |
+ if (security_getenforce()==1) {
|
|
|
bd38e4 |
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
|
bd38e4 |
+ } else {
|
|
|
bd38e4 |
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
|
|
|
bd38e4 |
+ retval = -1;
|
|
|
bd38e4 |
+ goto err;
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ if (setexeccon(user_context) < 0) {
|
|
|
bd38e4 |
+ if (security_getenforce()==1) {
|
|
|
bd38e4 |
+ perr("Could not set exec context to %s for user %s\n", user_context,name);
|
|
|
bd38e4 |
+ retval = -1;
|
|
|
bd38e4 |
+ } else {
|
|
|
bd38e4 |
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+ err:
|
|
|
bd38e4 |
+ freecon(user_context);
|
|
|
bd38e4 |
+ return 0;
|
|
|
bd38e4 |
+}
|
|
|
bd38e4 |
+#endif
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
static void
|
|
|
bd38e4 |
run_file(const char *filename, uid_t uid, gid_t gid)
|
|
|
bd38e4 |
{
|
|
|
bd38e4 |
@@ -446,9 +516,23 @@ run_file(const char *filename, uid_t uid
|
|
|
bd38e4 |
perr("Cannot reset signal handler to default");
|
|
|
bd38e4 |
|
|
|
bd38e4 |
chdir("/");
|
|
|
bd38e4 |
-
|
|
|
bd38e4 |
+#ifdef WITH_SELINUX
|
|
|
bd38e4 |
+ if (selinux_enabled > 0) {
|
|
|
bd38e4 |
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
|
|
|
bd38e4 |
+ perr("SELinux Failed to set context\n");
|
|
|
bd38e4 |
+ }
|
|
|
bd38e4 |
+#endif
|
|
|
bd38e4 |
if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
|
|
|
bd38e4 |
perr("Exec failed for /bin/sh");
|
|
|
bd38e4 |
+//add for fedora
|
|
|
bd38e4 |
+#ifdef WITH_SELINUX
|
|
|
bd38e4 |
+ if (selinux_enabled>0)
|
|
|
bd38e4 |
+ if (setexeccon(NULL) < 0)
|
|
|
bd38e4 |
+ if (security_getenforce()==1)
|
|
|
bd38e4 |
+ perr("Could not resset exec context for user %s\n", pentry->pw_name);
|
|
|
bd38e4 |
+#endif
|
|
|
bd38e4 |
+//end
|
|
|
bd38e4 |
+//add for fedora
|
|
|
bd38e4 |
#ifdef WITH_PAM
|
|
|
bd38e4 |
if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L))
|
|
|
bd38e4 |
{
|
|
|
bd38e4 |
@@ -751,6 +835,10 @@ main(int argc, char *argv[])
|
|
|
bd38e4 |
struct passwd *pwe;
|
|
|
bd38e4 |
struct group *ge;
|
|
|
bd38e4 |
|
|
|
bd38e4 |
+#ifdef WITH_SELINUX
|
|
|
bd38e4 |
+ selinux_enabled=is_selinux_enabled();
|
|
|
bd38e4 |
+#endif
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
/* We don't need root privileges all the time; running under uid and gid
|
|
|
bd38e4 |
* daemon is fine.
|
|
|
bd38e4 |
*/
|
|
|
bd38e4 |
diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in
|
|
|
bd38e4 |
--- at-3.1.13/config.h.in.selinux 2012-11-01 15:11:21.368772308 +0100
|
|
|
bd38e4 |
+++ at-3.1.13/config.h.in 2012-11-01 15:11:21.371772392 +0100
|
|
|
bd38e4 |
@@ -71,6 +71,9 @@
|
|
|
bd38e4 |
/* Define if you are building with_pam */
|
|
|
bd38e4 |
#undef WITH_PAM
|
|
|
bd38e4 |
|
|
|
bd38e4 |
+/* Define if you are building with_selinux */
|
|
|
bd38e4 |
+#undef WITH_SELINUX
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
/* Define to 1 if you have the `pstat_getdynamic' function. */
|
|
|
bd38e4 |
#undef HAVE_PSTAT_GETDYNAMIC
|
|
|
bd38e4 |
|
|
|
bd38e4 |
diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac
|
|
|
bd38e4 |
--- at-3.1.13/configure.ac.selinux 2012-11-01 15:11:21.369772335 +0100
|
|
|
bd38e4 |
+++ at-3.1.13/configure.ac 2012-11-01 15:11:21.372772420 +0100
|
|
|
bd38e4 |
@@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname,
|
|
|
bd38e4 |
)
|
|
|
bd38e4 |
AC_SUBST(DAEMON_GROUPNAME)
|
|
|
bd38e4 |
|
|
|
bd38e4 |
+AC_ARG_WITH(selinux,
|
|
|
bd38e4 |
+[ --with-selinux Define to run with selinux],
|
|
|
bd38e4 |
+AC_DEFINE(WITH_SELINUX),
|
|
|
bd38e4 |
+)
|
|
|
bd38e4 |
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
|
|
|
bd38e4 |
+AC_SUBST(SELINUXLIB)
|
|
|
bd38e4 |
+AC_SUBST(WITH_SELINUX)
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch)
|
|
|
bd38e4 |
AC_OUTPUT
|
|
|
bd38e4 |
diff -up at-3.1.13/Makefile.in.selinux at-3.1.13/Makefile.in
|
|
|
bd38e4 |
--- at-3.1.13/Makefile.in.selinux 2012-11-01 15:11:21.361772115 +0100
|
|
|
bd38e4 |
+++ at-3.1.13/Makefile.in 2012-11-01 15:11:21.372772420 +0100
|
|
|
bd38e4 |
@@ -39,6 +39,8 @@ LIBS = @LIBS@
|
|
|
bd38e4 |
LIBOBJS = @LIBOBJS@
|
|
|
bd38e4 |
INSTALL = @INSTALL@
|
|
|
bd38e4 |
PAMLIB = @PAMLIB@
|
|
|
bd38e4 |
+SELINUXLIB = @SELINUXLIB@
|
|
|
bd38e4 |
+
|
|
|
bd38e4 |
|
|
|
bd38e4 |
CLONES = atq atrm
|
|
|
bd38e4 |
ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
|