Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff')
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff144
1 files changed, 0 insertions, 144 deletions
diff --git a/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff b/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff
deleted file mode 100644
index ec2493e8c3ca..000000000000
--- a/sys-process/vixie-cron/files/vixie-cron-4.1-selinux-1.diff
+++ /dev/null
@@ -1,144 +0,0 @@
-diff -purN vixie-cron-4.1.orig/Makefile vixie-cron-4.1/Makefile
---- vixie-cron-4.1.orig/Makefile 2004-08-27 14:09:33.000000000 -0400
-+++ vixie-cron-4.1/Makefile 2008-08-25 15:17:20.062720415 -0400
-@@ -68,7 +68,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(DEBUGGING
- #<<want to use a nonstandard CC?>>
- CC = gcc -Wall -Wno-unused -Wno-comment
- #<<manifest defines>>
--DEFS =
-+DEFS = -s -DWITH_SELINUX
-+LIBS += -lselinux
- #(SGI IRIX systems need this)
- #DEFS = -D_BSD_SIGNALS -Dconst=
- #<<the name of the BSD-like install program>>
-diff -purN vixie-cron-4.1.orig/database.c vixie-cron-4.1/database.c
---- vixie-cron-4.1.orig/database.c 2004-08-27 14:09:34.000000000 -0400
-+++ vixie-cron-4.1/database.c 2008-08-27 08:19:37.948930858 -0400
-@@ -28,6 +28,16 @@ static char rcsid[] = "# $Id$
-
- #include "cron.h"
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/flask.h>
-+#include <selinux/av_permissions.h>
-+#include <selinux/get_context_list.h>
-+#define SYSUSERNAME "system_u"
-+#else
-+#define SYSUSERNAME "*system*"
-+#endif
-+
- #define TMAX(a,b) ((a)>(b)?(a):(b))
-
- static void process_crontab(const char *, const char *,
-@@ -183,7 +193,7 @@ process_crontab(const char *uname, const
- if (fname == NULL) {
- /* must be set to something for logging purposes.
- */
-- fname = "*system*";
-+ fname = SYSUSERNAME;
- } else if ((pw = getpwnam(uname)) == NULL) {
- /* file doesn't have a user in passwd file.
- */
-@@ -245,6 +255,56 @@ process_crontab(const char *uname, const
- free_user(u);
- log_it(fname, getpid(), "RELOAD", tabname);
- }
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled()) {
-+ security_context_t file_context=NULL;
-+ security_context_t user_context=NULL;
-+ struct av_decision avd;
-+ int retval=0;
-+ char *seuser=NULL;
-+ char *level=NULL;
-+
-+ if (fgetfilecon(crontab_fd, &file_context) < OK) {
-+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
-+ goto next_crontab;
-+ }
-+
-+ /*
-+ * Since crontab files are not directly executed,
-+ * crond must ensure that the crontab file has
-+ * a context that is appropriate for the context of
-+ * the user cron job. It performs an entrypoint
-+ * permission check for this purpose.
-+ */
-+ if (getseuserbyname(fname, &seuser, &level) < 0) {
-+ log_it(fname, getpid(), "NO SEUSER", tabname);
-+ goto next_crontab;
-+ }
-+
-+ if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
-+ log_it(fname, getpid(), "NO CONTEXT", tabname);
-+ freecon(file_context);
-+ free(seuser);
-+ free(level);
-+ goto next_crontab;
-+ }
-+
-+ retval = security_compute_av(user_context,
-+ file_context,
-+ SECCLASS_FILE,
-+ FILE__ENTRYPOINT,
-+ &avd);
-+ freecon(user_context);
-+ freecon(file_context);
-+ free(seuser);
-+ free(level);
-+
-+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
-+ goto next_crontab;
-+ }
-+ }
-+#endif
- u = load_user(crontab_fd, pw, fname);
- if (u != NULL) {
- u->mtime = statbuf->st_mtime;
-diff -purN vixie-cron-4.1.orig/do_command.c vixie-cron-4.1/do_command.c
---- vixie-cron-4.1.orig/do_command.c 2004-08-27 14:09:34.000000000 -0400
-+++ vixie-cron-4.1/do_command.c 2008-08-25 15:43:43.289174371 -0400
-@@ -25,6 +25,11 @@ static char rcsid[] = "# $Id$
-
- #include "cron.h"
-
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/get_context_list.h>
-+#endif
-+
- static void child_process(entry *, user *);
- static int safe_p(const char *, const char *);
-
-@@ -265,6 +270,29 @@ child_process(entry *e, user *u) {
- _exit(OK_EXIT);
- }
- # endif /*DEBUGGING*/
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled()) {
-+ char *seuser=NULL;
-+ char *level=NULL;
-+ security_context_t scontext;
-+
-+ if (getseuserbyname(u->name, &seuser, &level) < 0) {
-+ fprintf(stderr, "getseuserbyname: Could not determine seuser for user %s\n", u->name);
-+ _exit(ERROR_EXIT);
-+ }
-+ if (get_default_context_with_level(seuser, level, NULL, &scontext) < 0) {
-+ fprintf(stderr, "get_default_context_with_level: could not get security context for user %s, seuser %s\n", u->name, seuser);
-+ _exit(ERROR_EXIT);
-+ }
-+ if (setexeccon(scontext) < 0) {
-+ fprintf(stderr, "setexeccon: Could not set exec context to %s for user %s\n", scontext, u->name);
-+ _exit(ERROR_EXIT);
-+ }
-+ free(seuser);
-+ free(level);
-+ freecon(scontext);
-+ }
-+#endif
- execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
- fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
- perror("execl");