From bc6c9488f5ed69abb72a4e323a65fde2122c70be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcela=20Ma=C5=A1l=C3=A1=C5=88ov=C3=A1?= Date: Thu, 16 Dec 2010 14:02:06 +0100 Subject: [PATCH] 663193 rewritten selinux support --- cronie-1.4.6-selinux.patch | 210 +++++++++++++++++++++++++++++++++++++ cronie.spec | 10 +- 2 files changed, 219 insertions(+), 1 deletion(-) create mode 100644 cronie-1.4.6-selinux.patch diff --git a/cronie-1.4.6-selinux.patch b/cronie-1.4.6-selinux.patch new file mode 100644 index 0000000..8fe60fd --- /dev/null +++ b/cronie-1.4.6-selinux.patch @@ -0,0 +1,210 @@ +diff -up cronie-1.4.6/src/cron.c.old cronie-1.4.6/src/cron.c +--- cronie-1.4.6/src/cron.c.old 2010-10-21 07:56:27.000000000 +0200 ++++ cronie-1.4.6/src/cron.c 2010-12-16 13:44:44.000000000 +0100 +@@ -198,6 +198,11 @@ int main(int argc, char *argv[]) { + exit(1); + } + ++ if (cron_init_security() < 0) { ++ log_it("CRON", pid, "DEATH", "Critical security parameters not initialized", 0); ++ exit(1); ++ } ++ + /* Get the default locale character set for the mail + * "Content-Type: ...; charset=" header + */ +diff -up cronie-1.4.6/src/funcs.h.old cronie-1.4.6/src/funcs.h +--- cronie-1.4.6/src/funcs.h.old 2010-10-04 16:07:25.000000000 +0200 ++++ cronie-1.4.6/src/funcs.h 2010-12-16 09:59:02.000000000 +0100 +@@ -85,6 +85,8 @@ long get_gmtoff(time_t *, struct tm *); + + /* Red Hat security stuff (security.c): + */ ++int cron_init_security( void ); ++ + void cron_restore_default_security_context( void ); + + int cron_set_job_security_context( entry *e, user *u, char ***jobenvp ); +diff -up cronie-1.4.6/src/security.c.old cronie-1.4.6/src/security.c +--- cronie-1.4.6/src/security.c.old 2010-10-04 16:07:25.000000000 +0200 ++++ cronie-1.4.6/src/security.c 2010-12-16 09:59:02.000000000 +0100 +@@ -41,15 +41,14 @@ static int + cron_conv(int num_msg, const struct pam_message **msgm, + struct pam_response **response, void *appdata_ptr) + { +- struct pam_message**m = msgm; + int i; + + for (i = 0; i < num_msg; i++) { +- switch (m[i]->msg_style) { ++ switch (msgm[i]->msg_style) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: +- if (m[i]->msg != NULL) { +- log_it("CRON", getpid(), "pam_message", m[i]->msg, 0); ++ if (msgm[i]->msg != NULL) { ++ log_it("CRON", getpid(), "pam_message", msgm[i]->msg, 0); + } + break; + default: +@@ -81,6 +80,11 @@ static char **build_env(char **cronenv); + static int cron_change_selinux_range(user * u, security_context_t ucontext); + static int cron_get_job_range(user * u, security_context_t * ucontextp, + char **jobenv); ++ ++static security_class_t file_class; ++static security_class_t context_class; ++static access_vector_t entrypoint_bit; ++static access_vector_t contains_bit; + #endif + + void cron_restore_default_security_context() { +@@ -89,6 +93,40 @@ void cron_restore_default_security_conte + #endif + } + ++int cron_init_security() { ++#ifdef WITH_SELINUX ++ int rv = -1; ++ ++ if (is_selinux_enabled() <= 0) ++ return 0; ++ ++ if (security_getenforce() <= 0) ++ rv = 0; ++ ++ file_class = string_to_security_class("file"); ++ if (!file_class) { ++ log_it("CRON", getpid(), "ERROR", "Failed to translate security class file", errno); ++ return rv; ++ } ++ context_class = string_to_security_class("context"); ++ if (!context_class) { ++ log_it("CRON", getpid(), "ERROR", "Failed to translate security class context", errno); ++ return rv; ++ } ++ entrypoint_bit = string_to_av_perm(file_class, "entrypoint"); ++ if (!entrypoint_bit) { ++ log_it("CRON", getpid(), "ERROR", "Failed to translate av perm entrypoint", errno); ++ return rv; ++ } ++ contains_bit = string_to_av_perm(context_class, "contains"); ++ if (!contains_bit) { ++ log_it("CRON", getpid(), "ERROR", "Failed to translate av perm contains", errno); ++ return rv; ++ } ++#endif ++ return 0; ++} ++ + int cron_set_job_security_context(entry * e, user * u, char ***jobenv) { + time_t minutely_time = 0; + #ifdef WITH_PAM +@@ -254,7 +292,7 @@ static int cron_authorize_context(securi + #ifdef WITH_SELINUX + struct av_decision avd; + int retval; +- unsigned int bit = FILE__ENTRYPOINT; ++ + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has +@@ -262,9 +300,11 @@ static int cron_authorize_context(securi + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ ++ if (!file_class || !entrypoint_bit) ++ return 0; + retval = security_compute_av(scontext, file_context, +- SECCLASS_FILE, bit, &avd); +- if (retval || ((bit & avd.allowed) != bit)) ++ file_class, entrypoint_bit, &avd); ++ if (retval || ((entrypoint_bit & avd.allowed) != entrypoint_bit)) + return 0; + #endif + return 1; +@@ -275,16 +315,17 @@ static int cron_authorize_range(security + #ifdef WITH_SELINUX + struct av_decision avd; + int retval; +- unsigned int bit = CONTEXT__CONTAINS; + /* + * Since crontab files are not directly executed, + * so crond must ensure that any user specified range + * falls within the seusers-specified range for that Linux user. + */ ++ if (!context_class || !contains_bit) ++ return 0; + retval = security_compute_av(scontext, ucontext, +- SECCLASS_CONTEXT, bit, &avd); ++ context_class, contains_bit, &avd); + +- if (retval || ((bit & avd.allowed) != bit)) ++ if (retval || ((contains_bit & avd.allowed) != contains_bit)) + return 0; + #endif + return 1; +@@ -479,15 +520,22 @@ get_security_context(const char *name, i + } + + if (!cron_authorize_context(scontext, file_context)) { ++ char *msg=NULL; ++ if (asprintf(&msg, ++ "Unauthorized SELinux context=%s file_context=%s", (char *) scontext, file_context) >= 0) { ++ log_it(name, getpid(), msg, tabname, 0); ++ free(msg); ++ } else { ++ log_it(name, getpid(), "Unauthorized SELinux context", tabname, 0); ++ } + freecon(scontext); + freecon(file_context); + if (security_getenforce() > 0) { +- log_it(name, getpid(), "Unauthorized SELinux context", tabname, 0); + return -1; + } + else { + log_it(name, getpid(), +- "Unauthorized SELinux context, but SELinux in permissive mode, continuing", ++ "SELinux in permissive mode, continuing", + tabname, 0); + return 0; + } +@@ -515,22 +563,30 @@ int crontab_security_access(void) { + security_context_t user_context; + if (getprevcon_raw(&user_context) == 0) { + security_class_t passwd_class; ++ access_vector_t crontab_bit; + struct av_decision avd; +- int retval; ++ int retval = 0; + + passwd_class = string_to_security_class("passwd"); + if (passwd_class == 0) { +- selinux_check_passwd_access = -1; + fprintf(stderr, "Security class \"passwd\" is not defined in the SELinux policy.\n"); ++ retval = -1; ++ } ++ ++ if (retval == 0) { ++ crontab_bit = string_to_av_perm(passwd_class, "crontab"); ++ if (crontab_bit == 0) { ++ fprintf(stderr, "Security av permission \"crontab\" is not defined in the SELinux policy.\n"); ++ retval = -1; ++ } + } + +- retval = security_compute_av_raw(user_context, +- user_context, +- passwd_class, +- PASSWD__CRONTAB, +- &avd); ++ if (retval == 0) ++ retval = security_compute_av_raw(user_context, ++ user_context, passwd_class, ++ crontab_bit, &avd); + +- if ((retval == 0) && ((PASSWD__CRONTAB & avd.allowed) == PASSWD__CRONTAB)) { ++ if ((retval == 0) && ((crontab_bit & avd.allowed) == crontab_bit)) { + selinux_check_passwd_access = 0; + } + freecon(user_context); diff --git a/cronie.spec b/cronie.spec index e339406..95e851e 100644 --- a/cronie.spec +++ b/cronie.spec @@ -6,7 +6,7 @@ Summary: Cron daemon for executing programs at set times Name: cronie Version: 1.4.6 -Release: 5%{?dist} +Release: 7%{?dist} License: MIT and BSD and ISC and GPLv2 Group: System Environment/Base URL: https://fedorahosted.org/cronie @@ -14,6 +14,7 @@ Source0: https://fedorahosted.org/releases/c/r/cronie/%{name}-%{version}.tar.gz Source1: cronie.systemd Patch0: cronie-1.4.6-manpages.patch Patch1: cronie-1.4.6-anacron-locks.patch +Patch2: cronie-1.4.6-selinux.patch Requires: syslog, bash >= 2.0 Conflicts: sysklogd < 1.4.1 @@ -79,6 +80,7 @@ Old style of {hourly,daily,weekly,monthly}.jobs without anacron. No features. %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build @@ -210,6 +212,12 @@ cp -a /var/lock/subsys/crond /var/lock/subsys/cronie > /dev/null 2>&1 ||: %attr(0644,root,root) %{_sysconfdir}/cron.d/dailyjobs %changelog +* Thu Dec 16 2010 Marcela Mašláňová - 1.4.6-7 +- 663193 rewritten selinux support + +* Wed Dec 15 2010 Marcela Mašláňová - 1.4.6-6 +- apply selinux patch from dwalsh + * Fri Dec 10 2010 Tomas Mraz - 1.4.6-5 - do not lock jobs that fall out of allowed range - 661966