I think this is what we want for the cron patch. It's basically doing the same checks as the PAM patches. It also limits what the user can change to just the MLS range. At the moment I've just copied the original functions that need to be replaced, so you can see the old vs. the new. As the final commit the old ones should probably just die. I've also kept the name SELINUX_ROLE_TYPE, I'm not sure if it should be changed to SELINUX_ROLE_RANGE or something else?
-- James Antill <[EMAIL PROTECTED]>
Only in vixie-cron-4.1: crond.pam.pamd_crond
diff -rup vixie-cron-4.1-orig/security.c vixie-cron-4.1/security.c
--- vixie-cron-4.1-orig/security.c 2006-11-02 22:28:04.000000000 -0500
+++ vixie-cron-4.1/security.c 2006-11-06 18:04:21.000000000 -0500
@@ -23,12 +23,16 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#include <selinux/flask.h>
#include <selinux/av_permissions.h>
#include <selinux/get_context_list.h>
#endif
static char ** build_env(char **cronenv);
+static int cron_get_job_range( user *u, void *scontextp, void *file_contextp, char **jobenv );
+static int cron_change_selinux_range( user *u,
+ void *scontext, void *file_context );
int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
@@ -60,7 +64,8 @@ int cron_set_job_security_context( entry
security_context_t scontext=0, file_context=0;
- if ( cron_get_job_context(u, &scontext, &file_context, *jobenv) < OK )
+ /* if ( cron_get_job_context(u, &scontext, &file_context, *jobenv) < OK ) */
+ if ( cron_get_job_range(u, &scontext, &file_context, *jobenv) < OK )
{
syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s",
e->pwd->pw_name, strerror(errno)
@@ -79,7 +84,8 @@ int cron_set_job_security_context( entry
}
#if WITH_SELINUX
- if ( cron_change_selinux_context( u, scontext, file_context ) != 0 )
+ /* if ( cron_change_selinux_context( u, scontext, file_context ) != 0 ) */
+ if ( cron_change_selinux_range( u, scontext, file_context ) != 0 )
{
syslog(LOG_INFO,"CRON (%s) ERROR: failed to change SELinux context",
e->pwd->pw_name);
@@ -201,6 +207,7 @@ cron_authorize_context
#ifdef WITH_SELINUX
struct av_decision avd;
int retval;
+ unsigned int bit = FILE__ENTRYPOINT;
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
@@ -208,13 +215,37 @@ cron_authorize_context
* the user cron job. It performs an entrypoint
* permission check for this purpose.
*/
- retval = security_compute_av(scontext,
- file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
- &avd);
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_FILE, bit, &avd);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+#endif
+ return 1;
+}
+
+static int
+cron_authorize_range
+(
+ security_context_t scontext,
+ security_context_t file_context
+)
+{
+#ifdef WITH_SELINUX
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab range has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_CONTEXT, bit, &avd);
+
+ if (retval || ((bit & avd.allowed) != bit))
return 0;
#endif
return 1;
@@ -265,6 +296,98 @@ int cron_get_job_context( user *u, void
return 0;
}
+static int cron_get_job_range( user *u, void *scontextp, void *file_contextp, char **jobenv )
+{
+#if WITH_SELINUX
+ char *sroletype;
+
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+ if ( (file_contextp == 0) || (scontextp == 0L) )
+ return -1;
+
+ *((security_context_t*)scontextp) = u->scontext;
+ *((void **)file_contextp) = 0L;
+
+ if ( (sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L )
+ {
+ char crontab[MAX_FNAME];
+ context_t ccon;
+
+ if ( strcmp(u->name,"*system*") == 0 )
+ strncpy(crontab, u->tabname, MAX_FNAME);
+ else
+ snprintf(crontab, MAX_FNAME, "%s/%s", CRONDIR, u->tabname);
+
+ if ( getfilecon( crontab, file_contextp ) == -1 )
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ if ( access( crontab, F_OK ) == 0 )
+ {
+ log_it(u->name,
+ getpid(),
+ "getfilecon FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ if (!(ccon = context_new(file_contextp)))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_new FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_new FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ if (context_range_set(ccon, sroletype))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_range_set FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_range_set FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ *((security_context_t*)scontextp) = context_str(ccon);
+
+ context_free(ccon);
+ }
+#endif
+ return 0;
+}
+
int cron_change_selinux_context( user *u, void *scontext, void *file_context )
{
#ifdef WITH_SELINUX
@@ -332,6 +455,74 @@ int cron_change_selinux_context( user *u
return 0;
}
+static int cron_change_selinux_range( user *u,
+ void *scontext, void *file_context )
+{
+#ifdef WITH_SELINUX
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+
+ if ( scontext == 0L )
+ {
+ if (security_getenforce() > 0)
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user",
+ ""
+ );
+ return -1;
+ }else
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user, "
+ "but SELinux in permissive mode, continuing",
+ ""
+ );
+ return 0;
+ }
+ }
+
+ if ( file_context )
+ {
+ if ( ! cron_authorize_range( scontext, file_context ) )
+ {
+ if ( security_getenforce() > 0 )
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user",
+ u->name, (char*)scontext
+ );
+ return -1;
+ } else
+ {
+ syslog(LOG_INFO,
+ "CRON (%s) WARNING:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user,"
+ " but SELinux in permissive mode, continuing",
+ u->name, (char*)scontext
+ );
+ }
+ }
+ }
+
+ if ( setexeccon(scontext) < 0 )
+ {
+ if (security_getenforce() > 0)
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Could not set exec context to %s for user",
+ u->name, (char*)scontext
+ );
+
+ return -1;
+ }
+ }
+#endif
+ return 0;
+}
+
int get_security_context( const char *name,
int crontab_fd,
security_context_t *rcontext,
Only in vixie-cron-4.1: security.c.security
Only in vixie-cron-4.1: security.c.selinux-contains-range
signature.asc
Description: This is a digitally signed message part
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
