From c905bb52b343012b6ac1bb0f5896b393e9b2bff5 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 5 Nov 2019 16:27:13 -0500
Subject: [PATCH] import cronie-1.5.2-4.el8
---
SOURCES/cronie-1.5.2-context-role.patch | 41 +++++++++++++++++++
SOURCES/cronie-1.5.2-restart-on-failure.patch | 13 ++++++
SPECS/cronie.spec | 17 +++++++-
3 files changed, 69 insertions(+), 2 deletions(-)
create mode 100644 SOURCES/cronie-1.5.2-context-role.patch
create mode 100644 SOURCES/cronie-1.5.2-restart-on-failure.patch
diff --git a/SOURCES/cronie-1.5.2-context-role.patch b/SOURCES/cronie-1.5.2-context-role.patch
new file mode 100644
index 0000000..b30a4d4
--- /dev/null
+++ b/SOURCES/cronie-1.5.2-context-role.patch
@@ -0,0 +1,41 @@
+From 1f866530f5b3c49012c61b299f3c4e1dceff2a71 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 18 Oct 2018 14:25:58 +0200
+Subject: [PATCH] Use the role from the crond context for system job contexts.
+
+New SELinux policy added multiple roles for the system_u user on crond_t.
+The default context returned from get_default_context_with_level() is now
+unconfined_t instead of system_cronjob_t which is incorrect for system cron
+jobs.
+We use the role to limit the default context to system_cronjob_t.
+---
+ src/security.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/security.c b/src/security.c
+index d1bdc7f..5213cf3 100644
+--- a/src/security.c
++++ b/src/security.c
+@@ -505,6 +505,7 @@ get_security_context(const char *name, int crontab_fd,
+ retval = get_default_context_with_level(seuser, level, NULL, &scontext);
+ }
+ else {
++ const char *current_user, *current_role;
+ if (getcon(¤t_context_str) < 0) {
+ log_it(name, getpid(), "getcon FAILED", "", 0);
+ return (security_getenforce() > 0);
+@@ -517,8 +518,9 @@ get_security_context(const char *name, int crontab_fd,
+ return (security_getenforce() > 0);
+ }
+
+- const char *current_user = context_user_get(current_context);
+- retval = get_default_context_with_level(current_user, level, NULL, &scontext);
++ current_user = context_user_get(current_context);
++ current_role = context_role_get(current_context);
++ retval = get_default_context_with_rolelevel(current_user, current_role, level, NULL, &scontext);
+
+ freecon(current_context_str);
+ context_free(current_context);
+--
+2.14.5
+
diff --git a/SOURCES/cronie-1.5.2-restart-on-failure.patch b/SOURCES/cronie-1.5.2-restart-on-failure.patch
new file mode 100644
index 0000000..9c300a4
--- /dev/null
+++ b/SOURCES/cronie-1.5.2-restart-on-failure.patch
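Review bot: In the embedded `src/security.c` patch, hunk `@@ -517,8 +518,9 @@`, the role handed to `get_default_context_with_rolelevel()` is taken from crond's own process context via `context_role_get(current_context)`, so the confinement of system jobs now depends on how crond was started, and nothing in the new lines records that. Going by the commit message the expected outcome is `system_cronjob_t`; if crond is ever started outside the init system in a different role, the derived job context would presumably follow that role instead. I would add a comment above the call, e.g. `/* role is inherited from crond's context; system jobs land in system_cronjob_t only when crond runs in the role the policy expects */`, and include `current_role` in the message logged when `retval` indicates failure so a mismatch is visible in the logs. The failure check on `retval` and the rest of `get_security_context()` lie outside the hunk, so the existing handling could not be reviewed here.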
@@ -0,0 +1,13 @@ +diff -ru cronie-1.5.2/contrib/cronie.systemd cronie-1.5.2_patched/contrib/cronie.systemd +--- cronie-1.5.2/contrib/cronie.systemd 2018-11-27 15:26:46.797288342 +0100 ++++ cronie-1.5.2_patched/contrib/cronie.systemd 2018-11-27 15:26:19.479159225 +0100 +@@ -7,6 +7,8 @@ + ExecStart=/usr/sbin/crond -n $CRONDARGS + ExecReload=/bin/kill -HUP $MAINPID + KillMode=process ++Restart=on-failure ++RestartSec=30s + + [Install] + WantedBy=multi-user.target + diff --git a/SPECS/cronie.spec b/SPECS/cronie.spec index bc35331..b7002cf 100644 --- a/SPECS/cronie.spec +++ b/SPECS/cronie.spec @@ -6,7 +6,7 @@ Summary: Cron daemon for executing programs at set times Name: cronie Version: 1.5.2 -Release: 2%{?dist} +Release: 4%{?dist} License: MIT and BSD and ISC and GPLv2+ Group: System Environment/Base URL: https://github.com/cronie-crond/cronie @@ -38,9 +38,12 @@ Requires(post): systemd # Some parts of code could result in a memory leak. Patch0: fix-memory-leaks.patch - # Some parts of code could result in undefined behavior. Patch1: fix-unsafe-code.patch +# Use correct selinux role +Patch2: cronie-1.5.2-context-role.patch +# Make systemd restart crond when it fails. +Patch3: cronie-1.5.2-restart-on-failure.patch %description Cronie contains the standard UNIX daemon crond that runs specified programs at @@ -85,6 +88,8 @@ extra features. %patch0 -p1 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %configure \ @@ -213,6 +218,14 @@ exit 0 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/dailyjobs %changelog +* Wed Jun 12 2019 Marcel Plch - 1.5.2-4 +- Make crond restart on failure +- Resolves: rhbz#1715137 + +* Mon May 20 2019 Marcel Plch - 1.5.2-3 +- use role from the current context for system crontabs +- Resolves: rhbz#1708557 + * Fri Sep 07 2018 Marcel Plch - 1.5.2-2 - Covscan issues review - Fix potential memory leaks
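Review bot: `Restart=on-failure` with `RestartSec=30s` in the `contrib/cronie.systemd` hunk of cronie-1.5.2-restart-on-failure.patch comes with no start-rate limit, and with restarts spaced 30 seconds apart systemd's default burst limit is unlikely ever to trip, so a crond that dies repeatedly on the same input would be restarted indefinitely. The `[Unit]` section is outside the hunk, so this assumes no limit is set there. I would add `StartLimitIntervalSec=10min` and `StartLimitBurst=5` under `[Unit]`, so that a crash loop ends in a failed unit that monitoring can alert on instead of a daemon that quietly keeps coming back. Because `KillMode=process` is kept, jobs started by the failed instance presumably survive the restart, which deserves a comment next to the two new lines.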