45 lines
1.3 KiB
Diff
45 lines
1.3 KiB
Diff
diff -up cronie-1.4.3/src/security.c.old cronie-1.4.3/src/security.c
|
|
--- cronie-1.4.3/src/security.c.old 2009-09-25 08:23:18.000000000 +0200
|
|
+++ cronie-1.4.3/src/security.c 2009-11-05 16:43:13.000000000 +0100
|
|
@@ -486,9 +486,37 @@ void free_security_context(security_cont
|
|
|
|
int crontab_security_access(void) {
|
|
#ifdef WITH_SELINUX
|
|
- if (is_selinux_enabled() > 0)
|
|
- if (selinux_check_passwd_access(PASSWD__CRONTAB) != 0)
|
|
- return -1;
|
|
+ int selinux_check_passwd_access = -1;
|
|
+ if (is_selinux_enabled() > 0) {
|
|
+ security_context_t user_context;
|
|
+ if (getprevcon_raw(&user_context) == 0) {
|
|
+ security_class_t passwd_class;
|
|
+ struct av_decision avd;
|
|
+ int retval;
|
|
+
|
|
+ passwd_class = string_to_security_class("passwd");
|
|
+ if (passwd_class == 0) {
|
|
+ selinux_check_passwd_access = -1;
|
|
+ fprintf(stderr, "Security class \"passwd\" is not defined in the SELinux policy.\n");
|
|
+ }
|
|
+
|
|
+ retval = security_compute_av_raw(user_context,
|
|
+ user_context,
|
|
+ passwd_class,
|
|
+ PASSWD__CRONTAB,
|
|
+ &avd);
|
|
+
|
|
+ if ((retval == 0) && ((PASSWD__CRONTAB & avd.allowed) == PASSWD__CRONTAB)) {
|
|
+ selinux_check_passwd_access = 0;
|
|
+ }
|
|
+ freecon(user_context);
|
|
+ }
|
|
+
|
|
+ if (selinux_check_passwd_access != 0 && security_getenforce() == 0)
|
|
+ selinux_check_passwd_access = 0;
|
|
+
|
|
+ return selinux_check_passwd_access;
|
|
+ }
|
|
#endif
|
|
return 0;
|
|
}
|