From 04cf46f800013923ac9bcc594b30923bb5d61d34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Wed, 17 Sep 2008 08:52:38 +0000 Subject: [PATCH] - thanks dwalsh for selinux patch, which fix #460873 --- at.spec | 7 +- selinux_mail.patch | 187 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 193 insertions(+), 1 deletion(-) create mode 100644 selinux_mail.patch diff --git a/at.spec b/at.spec index a8ae164..e5b414a 100644 --- a/at.spec +++ b/at.spec @@ -6,7 +6,7 @@ Summary: Job spooling tools Name: at Version: 3.1.10 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://ftp.debian.org/debian/pool/main/a/at @@ -32,6 +32,7 @@ Patch14: at-3.1.10-pam_keyring.patch Patch15: at-3.1.10-PIE.patch Patch16: at-3.1.10-pamfix.patch Patch17: nonposix.patch +Patch18: selinux_mail.patch BuildRequires: fileutils chkconfig /etc/init.d BuildRequires: flex bison autoconf @@ -83,6 +84,7 @@ cp %{SOURCE1} . %patch15 -p1 -b .PIE %patch16 -p1 -b .pamfix %patch17 -p1 -b .nonposix +%patch18 -p1 -b .mailselinux %build # patch10 touches configure.in @@ -185,6 +187,9 @@ fi %attr(4755,root,root) %{_bindir}/at %changelog +* Tue Sep 16 2008 Marcela Maslanova - 3.1.10-25 +- thanks dwalsh for selinux patch, which fix #460873 + * Fri Jul 18 2008 Marcela Maslanova - 3.1.10-24 - 446004 hope adding || into scriptlets fix removing old package after upgrade - fixes for fuzz=0 diff --git a/selinux_mail.patch b/selinux_mail.patch new file mode 100644 index 0000000..cd2af80 --- /dev/null +++ b/selinux_mail.patch 
@@ -0,0 +1,187 @@
+diff -up at-3.1.10/atd.c.mailselinux at-3.1.10/atd.c
+--- at-3.1.10/atd.c.mailselinux 2008-09-17 10:45:38.000000000 +0200
++++ at-3.1.10/atd.c 2008-09-17 10:49:48.000000000 +0200
+@@ -224,6 +224,69 @@ myfork()
+ #define ATD_MAIL_NAME "mailx"
+ #endif
+ 
++#ifdef WITH_SELINUX
++static int set_selinux_context(const char *name, const char *filename) {
++ security_context_t user_context=NULL;
++ security_context_t file_context=NULL;
++ struct av_decision avd;
++ int retval=-1;
++ char *seuser=NULL;
++ char *level=NULL;
++
++ if (getseuserbyname(name, &seuser, &level) == 0) {
++ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
++ free(seuser);
++ free(level);
++ if (retval) {
++ if (security_getenforce()==1) {
++ perr("execle: couldn't get security context for user %s\n", name);
++ } else {
++ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
++ return -1;
++ }
++ }
++ }
++
++ /*
++ * Since crontab files are not directly executed,
++ * crond must ensure that the crontab file has
++ * a context that is appropriate for the context of
++ * the user cron job. It performs an entrypoint
++ * permission check for this purpose.
++ */
++ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
++ perr("fgetfilecon FAILED %s", filename);
++
++ retval = security_compute_av(user_context,
++ file_context,
++ SECCLASS_FILE,
++ FILE__ENTRYPOINT,
++ &avd);
++ freecon(file_context);
++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
++ if (security_getenforce()==1) {
++ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
++ } else {
++ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
++ retval = -1;
++ goto err;
++ }
++ }
++ if (setexeccon(user_context) < 0) {
++ if (security_getenforce()==1) {
++ perr("Could not set exec context to %s for user %s\n", user_context,name);
++ retval = -1;
++ } else {
++ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
++ }
++ }
++ err:
++ freecon(user_context);
++ return 0;
++}
++#endif
++
++
+ static void
+ run_file(const char *filename, uid_t uid, gid_t gid)
+ {
+@@ -486,61 +549,8 @@ run_file(const char *filename, uid_t uid
+ 
+ #ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+- security_context_t user_context=NULL;
+- security_context_t file_context=NULL;
+- int retval=0;
+- struct av_decision avd;
+- char *seuser=NULL;
+- char *level=NULL;
+-
+- if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) {
+- retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+- free(seuser);
+- free(level);
+- if (retval) {
+- if (security_getenforce()==1) {
+- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+- } else {
+- syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name);
+- goto out;
+- }
+- }
+- }
+-
+- /*
+- * Since crontab files are not directly executed,
+- * crond must ensure that the crontab file has
+- * a context that is appropriate for the context of
+- * the user cron job. It performs an entrypoint
+- * permission check for this purpose.
+- */
+- if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
+- if (security_getenforce() > 0) {
+- perr("fgetfilecon FAILED %s", filename);
+- } else {
+- syslog(LOG_ERR, "fgetfilecon FAILED %s", filename);
+- goto out;
+- }
+- }
+- retval = security_compute_av(user_context,
+- file_context,
+- SECCLASS_FILE,
+- FILE__ENTRYPOINT,
+- &avd);
+- freecon(file_context);
+- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+- if (security_getenforce()==1)
+- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- }
+-
+- if (setexeccon(user_context) < 0) {
+- if (security_getenforce()==1) {
+- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- } else {
+- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- }
+- }
+- freecon(user_context);
++ if (set_selinux_context(pentry->pw_name, filename) < 0)
++ perr("SELinux Failed to set context\n");
+ }
+ #endif
+ 
+@@ -654,47 +664,8 @@ run_file(const char *filename, uid_t uid
+ 
+ #ifdef WITH_SELINUX
+ if (selinux_enabled>0) {
+- security_context_t user_context=NULL;
+- security_context_t file_context=NULL;
+- int retval=0;
+- struct av_decision avd;
+-
+- if (get_default_context(pentry->pw_name, NULL, &user_context))
+- perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
+- /*
+- * Since crontab files are not directly executed,
+- * crond must ensure that the crontab file has
+- * a context that is appropriate for the context of
+- * the user cron job. It performs an entrypoint
+- * permission check for this purpose.
+- */
+- if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+- perr("fgetfilecon FAILED %s", filename);
+-
+- retval = security_compute_av(user_context,
+- file_context,
+- SECCLASS_FILE,
+- FILE__ENTRYPOINT,
+- &avd);
+- freecon(file_context);
+- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+- if (security_getenforce()==1) {
+- perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- } else {
+- syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- goto out;
+- }
+- }
+-
+- if (setexeccon(user_context) < 0) {
+- if (security_getenforce()==1) {
+- perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- } else {
+- syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name);
+- }
+- }
+- out:
+- freecon(user_context);
++ if (set_selinux_context(pentry->pw_name, filename) < 0)
++ perr("SELinux Failed to set context\n");
+ }
+ #endif
+ execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
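Review bot: `set_selinux_context()` ends with an unconditional `return 0;` after the `err:` label, so the `retval = -1` set on the permissive-mode entrypoint denial and on the enforcing-mode `setexeccon()` failure is discarded, and the `< 0` check at both new call sites can only fire on the early `return -1`. If those assignments are meant to reach the caller, the last statement should be `return retval;`. Separately, the `getseuserbyname()` check has no else branch: on failure `user_context` stays NULL and is still passed to `security_compute_av()` and `setexeccon()`, and since `setexeccon(NULL)` resets to the default transition rather than failing, the job or mail helper would apparently run without the user's context and with nothing logged; adding `else { syslog(LOG_ERR, "getseuserbyname failed for user %s", name); return -1; }` would fail closed. The new `fgetfilecon()` check also loses the permissive-mode branch that the first call site used to have, and the block comment still describes crontab files and crond rather than at jobs and atd, so it should be reworded for this daemon. Both call sites sit inside `run_file()`, whose body lies mostly outside these hunks, so what happens after `perr()` is not visible here.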