Blame SOURCES/at-3.1.13-selinux.patch

bd38e4
diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c
bd38e4
--- at-3.1.13/atd.c.selinux	2012-11-01 15:11:21.368772308 +0100
bd38e4
+++ at-3.1.13/atd.c	2012-11-01 15:13:16.809162818 +0100
bd38e4
@@ -83,6 +83,14 @@
bd38e4
 #include "getloadavg.h"
bd38e4
 #endif
bd38e4
 
bd38e4
+#ifdef WITH_SELINUX
bd38e4
+#include <selinux/selinux.h>
bd38e4
+#include <selinux/get_context_list.h>
bd38e4
+int selinux_enabled=0;
bd38e4
+#include <selinux/flask.h>
bd38e4
+#include <selinux/av_permissions.h>
bd38e4
+#endif
bd38e4
+
bd38e4
 #ifndef LOG_ATD
bd38e4
 #define LOG_ATD        LOG_DAEMON
bd38e4
 #endif
bd38e4
@@ -202,6 +210,68 @@ myfork()
bd38e4
 #define ATD_MAIL_NAME    "mailx"
bd38e4
 #endif
bd38e4
 
bd38e4
+#ifdef WITH_SELINUX
bd38e4
+static int set_selinux_context(const char *name, const char *filename) {
bd38e4
+       security_context_t user_context=NULL;
bd38e4
+       security_context_t  file_context=NULL;
bd38e4
+       struct av_decision avd;
bd38e4
+       int retval=-1;
bd38e4
+       char *seuser=NULL;
bd38e4
+       char *level=NULL;
bd38e4
+
bd38e4
+       if (getseuserbyname(name, &seuser, &level) == 0) {
bd38e4
+               retval=get_default_context_with_level(seuser, level, NULL, &user_context);
bd38e4
+               free(seuser);
bd38e4
+               free(level);
bd38e4
+               if (retval) {
bd38e4
+                       if (security_getenforce()==1) {
bd38e4
+                               perr("execle: couldn't get security context for user %s\n", name);
bd38e4
+                       } else {
bd38e4
+                               syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
bd38e4
+                               return -1;
bd38e4
+                       }
bd38e4
+               }
bd38e4
+       }
bd38e4
+
bd38e4
+       /*
bd38e4
+       * Since crontab files are not directly executed,
bd38e4
+       * crond must ensure that the crontab file has
bd38e4
+       * a context that is appropriate for the context of
bd38e4
+       * the user cron job.  It performs an entrypoint
bd38e4
+       * permission check for this purpose.
bd38e4
+       */
bd38e4
+       if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
bd38e4
+               perr("fgetfilecon FAILED %s", filename);
bd38e4
+
bd38e4
+       retval = security_compute_av(user_context,
bd38e4
+                                    file_context,
bd38e4
+                                    SECCLASS_FILE,
bd38e4
+                                    FILE__ENTRYPOINT,
bd38e4
+                                    &avd);
bd38e4
+       freecon(file_context);
bd38e4
+       if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
bd38e4
+               if (security_getenforce()==1) {
bd38e4
+                       perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
bd38e4
+               } else {
bd38e4
+                       syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
bd38e4
+                       retval = -1;
bd38e4
+                       goto err;
bd38e4
+               }
bd38e4
+       }
bd38e4
+       if (setexeccon(user_context) < 0) {
bd38e4
+               if (security_getenforce()==1) {
bd38e4
+                       perr("Could not set exec context to %s for user  %s\n", user_context,name);
bd38e4
+                       retval = -1;
bd38e4
+               } else {
bd38e4
+                       syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
bd38e4
+               }
bd38e4
+       }
bd38e4
+  err:
bd38e4
+       freecon(user_context);
bd38e4
+       return 0;
bd38e4
+}
bd38e4
+#endif
bd38e4
+
bd38e4
 static void
bd38e4
 run_file(const char *filename, uid_t uid, gid_t gid)
bd38e4
 {
bd38e4
@@ -446,9 +516,23 @@ run_file(const char *filename, uid_t uid
bd38e4
 		perr("Cannot reset signal handler to default");
bd38e4
 
bd38e4
 	    chdir("/");
bd38e4
-
bd38e4
+#ifdef WITH_SELINUX
bd38e4
+            if (selinux_enabled > 0) {
bd38e4
+                if (set_selinux_context(pentry->pw_name, filename) < 0)
bd38e4
+                       perr("SELinux Failed to set context\n");
bd38e4
+            }
bd38e4
+#endif
bd38e4
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
bd38e4
 		perr("Exec failed for /bin/sh");
bd38e4
+//add for fedora
bd38e4
+#ifdef WITH_SELINUX
bd38e4
+               if (selinux_enabled>0)
bd38e4
+                       if (setexeccon(NULL) < 0)
bd38e4
+                               if (security_getenforce()==1)
bd38e4
+                                       perr("Could not resset exec context for user %s\n", pentry->pw_name);
bd38e4
+#endif
bd38e4
+//end
bd38e4
+//add for fedora
bd38e4
 #ifdef  WITH_PAM
bd38e4
 	    if ( ( nenvp != &nul ) && (pam_envp != 0L)  && (*pam_envp != 0L))
bd38e4
 	    {
bd38e4
@@ -751,6 +835,10 @@ main(int argc, char *argv[])
bd38e4
     struct passwd *pwe;
bd38e4
     struct group *ge;
bd38e4
 
bd38e4
+#ifdef WITH_SELINUX
bd38e4
+    selinux_enabled=is_selinux_enabled();
bd38e4
+#endif
bd38e4
+
bd38e4
 /* We don't need root privileges all the time; running under uid and gid
bd38e4
  * daemon is fine.
bd38e4
  */
bd38e4
diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in
bd38e4
--- at-3.1.13/config.h.in.selinux	2012-11-01 15:11:21.368772308 +0100
bd38e4
+++ at-3.1.13/config.h.in	2012-11-01 15:11:21.371772392 +0100
bd38e4
@@ -71,6 +71,9 @@
bd38e4
 /* Define if you are building with_pam */
bd38e4
 #undef WITH_PAM
bd38e4
 
bd38e4
+/* Define if you are building with_selinux  */
bd38e4
+#undef WITH_SELINUX
bd38e4
+
bd38e4
 /* Define to 1 if you have the `pstat_getdynamic' function. */
bd38e4
 #undef HAVE_PSTAT_GETDYNAMIC
bd38e4
 
bd38e4
diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac
bd38e4
--- at-3.1.13/configure.ac.selinux	2012-11-01 15:11:21.369772335 +0100
bd38e4
+++ at-3.1.13/configure.ac	2012-11-01 15:11:21.372772420 +0100
bd38e4
@@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname,
bd38e4
 )
bd38e4
 AC_SUBST(DAEMON_GROUPNAME)
bd38e4
 
bd38e4
+AC_ARG_WITH(selinux,
bd38e4
+[ --with-selinux       Define to run with selinux],
bd38e4
+AC_DEFINE(WITH_SELINUX),
bd38e4
+)
bd38e4
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
bd38e4
+AC_SUBST(SELINUXLIB)
bd38e4
+AC_SUBST(WITH_SELINUX)
bd38e4
+
bd38e4
 AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch)
bd38e4
 AC_OUTPUT
bd38e4
diff -up at-3.1.13/Makefile.in.selinux at-3.1.13/Makefile.in
bd38e4
--- at-3.1.13/Makefile.in.selinux	2012-11-01 15:11:21.361772115 +0100
bd38e4
+++ at-3.1.13/Makefile.in	2012-11-01 15:11:21.372772420 +0100
bd38e4
@@ -39,6 +39,8 @@ LIBS		= @LIBS@
bd38e4
 LIBOBJS		= @LIBOBJS@
bd38e4
 INSTALL		= @INSTALL@
bd38e4
 PAMLIB          = @PAMLIB@
bd38e4
+SELINUXLIB      = @SELINUXLIB@
bd38e4
+
bd38e4
 
bd38e4
 CLONES		= atq atrm
bd38e4
 ATOBJECTS	= at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o