From 2eda5ed0c200c80e97bb067db078cfcc4df5f9e5 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2022 12:14:34 +0000 Subject: import at-3.1.13-25.el7_9 --- diff --git a/SOURCES/at-3.1.13-selinux.patch b/SOURCES/at-3.1.13-selinux.patch index 255fe2b..e81ba16 100644 --- a/SOURCES/at-3.1.13-selinux.patch +++ b/SOURCES/at-3.1.13-selinux.patch @@ -1,165 +1,241 @@ -diff -up at-3.1.13/atd.c.selinux at-3.1.13/atd.c ---- at-3.1.13/atd.c.selinux 2012-11-01 15:11:21.368772308 +0100 -+++ at-3.1.13/atd.c 2012-11-01 15:13:16.809162818 +0100 -@@ -83,6 +83,14 @@ - #include "getloadavg.h" - #endif +From 9a8a3488c465c036ca721695d17237e5c5fee25c Mon Sep 17 00:00:00 2001 +From: Laurent Bigonville +Date: Thu, 16 Jul 2015 01:06:06 +0200 +Subject: [PATCH] Add SELinux support to run jobs in the proper domain +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently, jobs run by at are run in the crond_t domain and not +transitioned outside of it. + +With this patch, the jobs are transitioned in the same domain as the +jobs that are run by the cron daemon: + +- When cron_userdomain_transition is set to off, a process for an + unconfined user will transition to unconfined_cronjob_t. For confined + user, the job is run as cronjob_t. + +- When cron_userdomain_transition is set to on, the processes are run + under the user default context. + +This patch is based on Marcela Mašláňová work + +Signed-off-by: Jan Staněk +--- + Makefile.in | 1 + + atd.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + config.h.in | 3 ++ + configure.ac | 8 +++++ + daemon.c | 16 ++++++++++ + daemon.h | 3 ++ + 6 files changed, 119 insertions(+) + +diff --git a/Makefile.in b/Makefile.in +index 679bf0e..895f87f 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -39,6 +39,7 @@ LIBS = @LIBS@ + LIBOBJS = @LIBOBJS@ + INSTALL = @INSTALL@ + PAMLIB = @PAMLIB@ ++SELINUXLIB = @SELINUXLIB@ + CLONES = atq atrm + ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o +diff --git a/atd.c b/atd.c +index 63e514a..acb610f 100644 +--- a/atd.c ++++ b/atd.c +@@ -86,6 +86,13 @@ + #ifndef LOG_ATD + #define LOG_ATD LOG_DAEMON + #endif ++ +#ifdef WITH_SELINUX +#include +#include -+int selinux_enabled=0; -+#include -+#include ++int selinux_enabled = 0; +#endif + - #ifndef LOG_ATD - #define LOG_ATD LOG_DAEMON - #endif -@@ -202,6 +210,68 @@ myfork() + /* Macros */ + + #define BATCH_INTERVAL_DEFAULT 60 +@@ -202,6 +209,72 @@ myfork() #define ATD_MAIL_NAME "mailx" #endif +#ifdef WITH_SELINUX -+static int set_selinux_context(const char *name, const char *filename) { -+ security_context_t user_context=NULL; -+ security_context_t file_context=NULL; -+ struct av_decision avd; -+ int retval=-1; -+ char *seuser=NULL; -+ char *level=NULL; -+ -+ if (getseuserbyname(name, &seuser, &level) == 0) { -+ retval=get_default_context_with_level(seuser, level, NULL, &user_context); -+ free(seuser); -+ free(level); -+ if (retval) { -+ if (security_getenforce()==1) { -+ perr("execle: couldn't get security context for user %s\n", name); -+ } else { -+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name); -+ return -1; -+ } -+ } -+ } -+ -+ /* -+ * Since crontab files are not directly executed, -+ * crond must ensure that the crontab file has -+ * a context that is appropriate for the context of -+ * the user cron job. It performs an entrypoint -+ * permission check for this purpose. -+ */ -+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) -+ perr("fgetfilecon FAILED %s", filename); -+ -+ retval = security_compute_av(user_context, -+ file_context, -+ SECCLASS_FILE, -+ FILE__ENTRYPOINT, -+ &avd); -+ freecon(file_context); -+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { -+ if (security_getenforce()==1) { -+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name); -+ } else { -+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name); -+ retval = -1; -+ goto err; -+ } -+ } -+ if (setexeccon(user_context) < 0) { -+ if (security_getenforce()==1) { -+ perr("Could not set exec context to %s for user %s\n", user_context,name); -+ retval = -1; -+ } else { -+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name); -+ } -+ } -+ err: -+ freecon(user_context); -+ return 0; ++static int ++set_selinux_context(const char *name, const char *filename) { ++ security_context_t user_context = NULL; ++ security_context_t file_context = NULL; ++ int retval = 0; ++ char *seuser = NULL; ++ char *level = NULL; ++ ++ if (getseuserbyname(name, &seuser, &level) == 0) { ++ retval = get_default_context_with_level(seuser, level, NULL, &user_context); ++ free(seuser); ++ free(level); ++ if (retval < 0) { ++ lerr("get_default_context_with_level: couldn't get security context for user %s", name); ++ retval = -1; ++ goto err; ++ } ++ } ++ ++ /* ++ * Since crontab files are not directly executed, ++ * crond must ensure that the crontab file has ++ * a context that is appropriate for the context of ++ * the user cron job. It performs an entrypoint ++ * permission check for this purpose. ++ */ ++ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) { ++ lerr("fgetfilecon FAILED %s", filename); ++ retval = -1; ++ goto err; ++ } ++ ++ retval = selinux_check_access(user_context, file_context, "file", "entrypoint", NULL); ++ freecon(file_context); ++ if (retval < 0) { ++ lerr("Not allowed to set exec context to %s for user %s", user_context, name); ++ retval = -1; ++ goto err; ++ } ++ if (setexeccon(user_context) < 0) { ++ lerr("Could not set exec context to %s for user %s", user_context, name); ++ retval = -1; ++ goto err; ++ } ++err: ++ if (retval < 0 && security_getenforce() != 1) ++ retval = 0; ++ if (user_context) ++ freecon(user_context); ++ return retval; ++} ++ ++static int ++selinux_log_callback (int type, const char *fmt, ...) ++{ ++ va_list ap; ++ ++ va_start(ap, fmt); ++ vsyslog (LOG_ERR, fmt, ap); ++ va_end(ap); ++ return 0; +} ++ +#endif + static void run_file(const char *filename, uid_t uid, gid_t gid) { -@@ -446,9 +516,23 @@ run_file(const char *filename, uid_t uid - perr("Cannot reset signal handler to default"); +@@ -433,6 +506,13 @@ run_file(const char *filename, uid_t uid, gid_t gid) + + nice((tolower((int) queue) - 'a' + 1) * 2); - chdir("/"); -- -+#ifdef WITH_SELINUX -+ if (selinux_enabled > 0) { -+ if (set_selinux_context(pentry->pw_name, filename) < 0) -+ perr("SELinux Failed to set context\n"); -+ } -+#endif - if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) - perr("Exec failed for /bin/sh"); -+//add for fedora +#ifdef WITH_SELINUX -+ if (selinux_enabled>0) -+ if (setexeccon(NULL) < 0) -+ if (security_getenforce()==1) -+ perr("Could not resset exec context for user %s\n", pentry->pw_name); ++ if (selinux_enabled > 0) { ++ if (set_selinux_context(pentry->pw_name, filename) < 0) ++ perr("SELinux Failed to set context\n"); ++ } +#endif -+//end -+//add for fedora - #ifdef WITH_PAM - if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) - { -@@ -751,6 +835,10 @@ main(int argc, char *argv[]) ++ + if (initgroups(pentry->pw_name, pentry->pw_gid)) + perr("Cannot initialize the supplementary group access list"); + +@@ -751,6 +831,14 @@ main(int argc, char *argv[]) struct passwd *pwe; struct group *ge; +#ifdef WITH_SELINUX + selinux_enabled=is_selinux_enabled(); ++ ++ if (selinux_enabled) { ++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) selinux_log_callback); ++ } +#endif + /* We don't need root privileges all the time; running under uid and gid * daemon is fine. */ -diff -up at-3.1.13/config.h.in.selinux at-3.1.13/config.h.in ---- at-3.1.13/config.h.in.selinux 2012-11-01 15:11:21.368772308 +0100 -+++ at-3.1.13/config.h.in 2012-11-01 15:11:21.371772392 +0100 -@@ -71,6 +71,9 @@ - /* Define if you are building with_pam */ - #undef WITH_PAM +diff --git a/config.h.in b/config.h.in +index 16b2ed3..d1be135 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -192,6 +192,9 @@ + . */ + #undef UMAX4_3 -+/* Define if you are building with_selinux */ ++/* Define if you are building with_selinux */ +#undef WITH_SELINUX + - /* Define to 1 if you have the `pstat_getdynamic' function. */ - #undef HAVE_PSTAT_GETDYNAMIC - -diff -up at-3.1.13/configure.ac.selinux at-3.1.13/configure.ac ---- at-3.1.13/configure.ac.selinux 2012-11-01 15:11:21.369772335 +0100 -+++ at-3.1.13/configure.ac 2012-11-01 15:11:21.372772420 +0100 -@@ -266,5 +266,13 @@ AC_ARG_WITH(daemon_groupname, - ) - AC_SUBST(DAEMON_GROUPNAME) + /* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a + `char[]'. */ + #undef YYTEXT_POINTER +diff --git a/configure.ac b/configure.ac +index d5e16b3..85174d9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -245,6 +245,14 @@ AC_DEFINE(WITH_PAM), + AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') + AC_SUBST(PAMLIB) +AC_ARG_WITH(selinux, +[ --with-selinux Define to run with selinux], -+AC_DEFINE(WITH_SELINUX), ++AC_DEFINE(WITH_SELINUX, 1, [Define if you are building with_selinux]), +) +AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) +AC_SUBST(SELINUXLIB) +AC_SUBST(WITH_SELINUX) + - AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch) - AC_OUTPUT -diff -up at-3.1.13/Makefile.in.selinux at-3.1.13/Makefile.in ---- at-3.1.13/Makefile.in.selinux 2012-11-01 15:11:21.361772115 +0100 -+++ at-3.1.13/Makefile.in 2012-11-01 15:11:21.372772420 +0100 -@@ -39,6 +39,8 @@ LIBS = @LIBS@ - LIBOBJS = @LIBOBJS@ - INSTALL = @INSTALL@ - PAMLIB = @PAMLIB@ -+SELINUXLIB = @SELINUXLIB@ + AC_MSG_CHECKING(groupname to run under) + AC_ARG_WITH(daemon_groupname, + [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], +diff --git a/daemon.c b/daemon.c +index 8be40d4..f9d25e7 100644 +--- a/daemon.c ++++ b/daemon.c +@@ -82,6 +82,22 @@ perr(const char *fmt,...) + exit(EXIT_FAILURE); + } + ++void ++lerr(const char *fmt,...) ++{ ++ char buf[1024]; ++ va_list args; ++ ++ va_start(args, fmt); ++ vsnprintf(buf, sizeof(buf), fmt, args); ++ va_end(args); ++ ++ if (daemon_debug) { ++ perror(buf); ++ } else ++ syslog(LOG_ERR, "%s: %m", buf); ++} + + void + pabort(const char *fmt,...) + { +diff --git a/daemon.h b/daemon.h +index c4507ae..f44ccd1 100644 +--- a/daemon.h ++++ b/daemon.h +@@ -13,5 +13,8 @@ __attribute__((noreturn)) + #endif + perr (const char *fmt, ...); - CLONES = atq atrm - ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o ++void ++lerr (const char *fmt, ...); ++ + extern int daemon_debug; + extern int daemon_foreground; +-- +2.35.1 + diff --git a/SOURCES/at-3.1.13-usePOSIXtimers.patch b/SOURCES/at-3.1.13-usePOSIXtimers.patch index 018bae2..d63efe3 100644 --- a/SOURCES/at-3.1.13-usePOSIXtimers.patch +++ b/SOURCES/at-3.1.13-usePOSIXtimers.patch @@ -1,119 +1,112 @@ -diff -ur -x configure at-3.1.13.orig/atd.c at-3.1.13/atd.c ---- at-3.1.13.orig/atd.c 2011-11-16 11:30:22.424764253 -0500 -+++ at-3.1.13/atd.c 2011-11-16 16:41:12.102831656 -0500 -@@ -815,6 +815,54 @@ - return next_job; - } - -+#ifdef HAVE_CLOCK_GETTIME -+timer_t timer; -+struct itimerspec timeout; -+ -+void timer_setup() -+{ -+ struct sigevent sev; -+ -+ sev.sigev_notify = SIGEV_SIGNAL; -+ sev.sigev_signo = SIGHUP; -+ sev.sigev_value.sival_ptr = &timer; -+ -+ memset(&timeout, 0, sizeof(timeout)); -+ -+ if (timer_create(CLOCK_REALTIME, &sev, &timer) < 0) -+ pabort("unable to create timer"); -+} -+ -+time_t atd_gettime() -+{ -+ struct timespec curtime; -+ -+ clock_gettime(CLOCK_REALTIME, &curtime); -+ -+ return curtime.tv_sec; -+} -+ -+void atd_setalarm(time_t next) -+{ -+ timeout.it_value.tv_sec = next; -+ timer_settime(timer, TIMER_ABSTIME, &timeout, NULL); -+ pause(); -+} -+#else -+void timer_setup() -+{ -+} -+ -+time_t atd_gettime() -+{ -+ return time(NULL); -+} -+ -+void atd_setalarm(time_t next) -+{ -+ sleep(next - atd_gettime()); -+} -+#endif - /* Global functions */ - - int -@@ -835,7 +883,6 @@ - struct sigaction act; - struct passwd *pwe; - struct group *ge; -- - #ifdef WITH_SELINUX - selinux_enabled=is_selinux_enabled(); - #endif -@@ -912,7 +959,7 @@ - sigaction(SIGCHLD, &act, NULL); - - if (!run_as_daemon) { -- now = time(NULL); -+ now = atd_gettime(); - run_loop(); - exit(EXIT_SUCCESS); - } -@@ -935,13 +982,15 @@ - act.sa_handler = set_term; - sigaction(SIGINT, &act, NULL); - -+ timer_setup(); -+ - daemon_setup(); - - do { -- now = time(NULL); -+ now = atd_gettime(); - next_invocation = run_loop(); - if (next_invocation > now) { -- sleep(next_invocation - now); -+ atd_setalarm(next_invocation); - } - } while (!term_signal); - daemon_cleanup(); -diff -ur -x configure at-3.1.13.orig/config.h.in at-3.1.13/config.h.in ---- at-3.1.13.orig/config.h.in 2011-11-16 11:30:22.424764253 -0500 -+++ at-3.1.13/config.h.in 2011-11-16 16:32:44.485426754 -0500 -@@ -38,6 +38,9 @@ - /* Define to 1 if you have the `getloadavg' function. */ - #undef HAVE_GETLOADAVG - -+/* Define to 1 if you have the `clock_gettime' function. */ -+#undef HAVE_TIMER_CREATE -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_GETOPT_H - -diff -ur -x configure at-3.1.13.orig/configure.ac at-3.1.13/configure.ac ---- at-3.1.13.orig/configure.ac 2011-11-16 11:30:22.425764254 -0500 -+++ at-3.1.13/configure.ac 2011-11-16 16:31:29.791561747 -0500 -@@ -274,5 +274,9 @@ - AC_SUBST(SELINUXLIB) - AC_SUBST(WITH_SELINUX) - -+dnl check for POSIX timer functions -+AC_SEARCH_LIBS([timer_create],[rt]) -+AC_CHECK_FUNCS([timer_create]) -+ - AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 at.allow.5 batch) - AC_OUTPUT +diff -up at-3.1.13/atd.c.posix at-3.1.13/atd.c +--- at-3.1.13/atd.c.posix 2022-02-15 15:41:22.766701662 +0100 ++++ at-3.1.13/atd.c 2022-02-15 15:41:22.768701680 +0100 +@@ -821,6 +821,54 @@ run_loop() + return next_job; + } + ++#ifdef HAVE_CLOCK_GETTIME ++timer_t timer; ++struct itimerspec timeout; ++ ++void timer_setup() ++{ ++ struct sigevent sev; ++ ++ sev.sigev_notify = SIGEV_SIGNAL; ++ sev.sigev_signo = SIGHUP; ++ sev.sigev_value.sival_ptr = &timer; ++ ++ memset(&timeout, 0, sizeof(timeout)); ++ ++ if (timer_create(CLOCK_REALTIME, &sev, &timer) < 0) ++ pabort("unable to create timer"); ++} ++ ++time_t atd_gettime() ++{ ++ struct timespec curtime; ++ ++ clock_gettime(CLOCK_REALTIME, &curtime); ++ ++ return curtime.tv_sec; ++} ++ ++void atd_setalarm(time_t next) ++{ ++ timeout.it_value.tv_sec = next; ++ timer_settime(timer, TIMER_ABSTIME, &timeout, NULL); ++ pause(); ++} ++#else ++void timer_setup() ++{ ++} ++ ++time_t atd_gettime() ++{ ++ return time(NULL); ++} ++ ++void atd_setalarm(time_t next) ++{ ++ sleep(next - atd_gettime()); ++} ++#endif + /* Global functions */ + + int +@@ -926,7 +974,7 @@ main(int argc, char *argv[]) + sigaction(SIGCHLD, &act, NULL); + + if (!run_as_daemon) { +- now = time(NULL); ++ now = atd_gettime(); + run_loop(); + exit(EXIT_SUCCESS); + } +@@ -949,13 +997,15 @@ main(int argc, char *argv[]) + act.sa_handler = set_term; + sigaction(SIGINT, &act, NULL); + ++ timer_setup(); ++ + daemon_setup(); + + do { +- now = time(NULL); ++ now = atd_gettime(); + next_invocation = run_loop(); + if (next_invocation > now) { +- sleep(next_invocation - now); ++ atd_setalarm(next_invocation); + } + } while (!term_signal); + daemon_cleanup(); +diff -up at-3.1.13/config.h.in.posix at-3.1.13/config.h.in +--- at-3.1.13/config.h.in.posix 2022-02-15 15:41:22.758701591 +0100 ++++ at-3.1.13/config.h.in 2022-02-15 15:41:22.769701689 +0100 +@@ -38,6 +38,9 @@ + /* Define to 1 if you have the `getloadavg' function. */ + #undef HAVE_GETLOADAVG + ++/* Define to 1 if you have the `clock_gettime' function. */ ++#undef HAVE_TIMER_CREATE ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_GETOPT_H + +diff -up at-3.1.13/configure.ac.posix at-3.1.13/configure.ac +--- at-3.1.13/configure.ac.posix 2022-02-15 15:41:22.770701698 +0100 ++++ at-3.1.13/configure.ac 2022-02-15 15:43:29.945835498 +0100 +@@ -253,6 +253,10 @@ AC_CHECK_LIB(selinux, is_selinux_enabled + AC_SUBST(SELINUXLIB) + AC_SUBST(WITH_SELINUX) + ++dnl check for POSIX timer functions ++AC_SEARCH_LIBS([timer_create],[rt]) ++AC_CHECK_FUNCS([timer_create]) ++ + AC_MSG_CHECKING(groupname to run under) + AC_ARG_WITH(daemon_groupname, + [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], diff --git a/SPECS/at.spec b/SPECS/at.spec index c266164..2a4c60e 100644 --- a/SPECS/at.spec +++ b/SPECS/at.spec @@ -4,7 +4,7 @@ Summary: Job spooling tools Name: at Version: 3.1.13 -Release: 24%{?dist} +Release: 25%{?dist} # http://packages.debian.org/changelogs/pool/main/a/at/current/copyright # + install-sh is MIT license with changes under Public Domain License: GPLv3+ and GPLv2+ and ISC and MIT and Public Domain @@ -25,7 +25,7 @@ Patch4: at-3.1.13-nitpicks.patch Patch5: at-3.1.13-pam.patch Patch6: at-3.1.13-selinux.patch Patch7: at-3.1.12-nowrap.patch -Patch8: at-3.1.12-fix_no_export.patch +Patch8: at-3.1.12-fix_no_export.patch Patch9: at-3.1.13-mailwithhostname.patch Patch10: at-3.1.13-usePOSIXtimers.patch Patch11: at-3.1.13-help.patch @@ -202,6 +202,9 @@ chown root:root %{_localstatedir}/spool/at/.SEQ %attr(0755,root,root) %{_initrddir}/atd %changelog +* Tue Feb 15 2022 Jan Staněk - 3.1.13-25 +- re-import selinux support from upstream + * Wed May 23 2018 Tomáš Mráz - 3.1.13-24 - log the jobs being run