rpms/cronie
7
0
Fork 1
Code Issues Pull Requests Releases Activity

use role from the current context for system crontabs (#1639381)

Browse Source
This commit is contained in:
Tomas Mraz 2018-10-31 13:34:14 +01:00
parent 16ea7b2230
commit b372458e40
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
cronie-1.5.2-context-role.patch Normal file
View File

@ -0,0 +1,41 @@
From 1f866530f5b3c49012c61b299f3c4e1dceff2a71 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz@fedoraproject.org>
Date: Thu, 18 Oct 2018 14:25:58 +0200
Subject: [PATCH] Use the role from the crond context for system job contexts.
New SELinux policy added multiple roles for the system_u user on crond_t.
The default context returned from get_default_context_with_level() is now
unconfined_t instead of system_cronjob_t which is incorrect for system cron
jobs.
We use the role to limit the default context to system_cronjob_t.
---
src/security.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/security.c b/src/security.c
index d1bdc7f..5213cf3 100644
--- a/src/security.c
+++ b/src/security.c
@@ -505,6 +505,7 @@ get_security_context(const char *name, int crontab_fd,
retval = get_default_context_with_level(seuser, level, NULL, &scontext);
}
else {
+ const char *current_user, *current_role;
if (getcon(&current_context_str) < 0) {
log_it(name, getpid(), "getcon FAILED", "", 0);
return (security_getenforce() > 0);
@@ -517,8 +518,9 @@ get_security_context(const char *name, int crontab_fd,
return (security_getenforce() > 0);
}
- const char *current_user = context_user_get(current_context);
- retval = get_default_context_with_level(current_user, level, NULL, &scontext);
+ current_user = context_user_get(current_context);
+ current_role = context_role_get(current_context);
+ retval = get_default_context_with_rolelevel(current_user, current_role, level, NULL, &scontext);
freecon(current_context_str);
context_free(current_context);
--
2.14.5

7
cronie.spec
View File

@ -6,11 +6,12 @@
Summary: Cron daemon for executing programs at set times Summary: Cron daemon for executing programs at set times
Name: cronie Name: cronie
Version: 1.5.2 Version: 1.5.2
Release: 2%{?dist} Release: 3%{?dist}
License: MIT and BSD and ISC and GPLv2+ License: MIT and BSD and ISC and GPLv2+
Group: System Environment/Base Group: System Environment/Base
URL: https://github.com/cronie-crond/cronie URL: https://github.com/cronie-crond/cronie
Source0: https://github.com/cronie-crond/cronie/releases/download/cronie-%{version}/cronie-%{version}.tar.gz Source0: https://github.com/cronie-crond/cronie/releases/download/cronie-%{version}/cronie-%{version}.tar.gz
Patch1: cronie-1.5.2-context-role.patch
Requires: dailyjobs Requires: dailyjobs
@ -76,6 +77,7 @@ extra features.
%prep %prep
%setup -q %setup -q
%patch1 -p1 -b .context-role
%build %build
%configure \ %configure \
@ -204,6 +206,9 @@ exit 0
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/dailyjobs %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/cron.d/dailyjobs
%changelog %changelog
* Wed Oct 31 2018 Tomáš Mráz <tmraz@redhat.com> - 1.5.2-3
- use role from the current context for system crontabs (#1639381)
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.2-2 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.5.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild