[at] Change patch for SElinux.
Marcela Mašláňová
mmaslano at fedoraproject.org
Mon Dec 2 16:08:20 UTC 2013
commit d5e10f209caafe2fdc5e91d82c7f61d1618e1252
Author: Marcela Mašláňová <mmaslano at redhat.com>
Date: Thu Sep 26 16:37:12 2013 +0200
Change patch for SElinux.
at-3.1.14-selinux.patch | 164 +++++++++++++++++++++++++++++++++++++++++++++++
at.spec | 2 +-
2 files changed, 165 insertions(+), 1 deletions(-)
---
diff --git a/at-3.1.14-selinux.patch b/at-3.1.14-selinux.patch
new file mode 100644
index 0000000..e8bbc73
--- /dev/null
+++ b/at-3.1.14-selinux.patch
@@ -0,0 +1,164 @@
+diff -up at-3.1.14/atd.c.selinux at-3.1.14/atd.c
+--- at-3.1.14/atd.c.selinux 2013-09-26 15:06:55.177049852 +0200
++++ at-3.1.14/atd.c 2013-09-26 16:33:23.981355661 +0200
+@@ -87,6 +87,14 @@
+ #define LOG_ATD LOG_DAEMON
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/get_context_list.h>
++int selinux_enabled=0;
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
++#endif
++
+ /* Macros */
+
+ #define BATCH_INTERVAL_DEFAULT 60
+@@ -191,6 +199,68 @@ myfork()
+ #define fork myfork
+ #endif
+
++#ifdef WITH_SELINUX
++static int set_selinux_context(const char *name, const char *filename) {
++ security_context_t user_context=NULL;
++ security_context_t file_context=NULL;
++ struct av_decision avd;
++ int retval=-1;
++ char *seuser=NULL;
++ char *level=NULL;
++
++ if (getseuserbyname(name, &seuser, &level) == 0) {
++ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
++ free(seuser);
++ free(level);
++ if (retval) {
++ if (security_getenforce()==1) {
++ perr("execle: couldn't get security context for user %s\n", name);
++ } else {
++ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
++ return -1;
++ }
++ }
++ }
++
++ /*
++ * Since crontab files are not directly executed,
++ * crond must ensure that the crontab file has
++ * a context that is appropriate for the context of
++ * the user cron job. It performs an entrypoint
++ * permission check for this purpose.
++ */
++ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
++ perr("fgetfilecon FAILED %s", filename);
++
++ retval = security_compute_av(user_context,
++ file_context,
++ SECCLASS_FILE,
++ FILE__ENTRYPOINT,
++ &avd);
++ freecon(file_context);
++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
++ if (security_getenforce()==1) {
++ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
++ } else {
++ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
++ retval = -1;
++ goto err;
++ }
++ }
++ if (setexeccon(user_context) < 0) {
++ if (security_getenforce()==1) {
++ perr("Could not set exec context to %s for user %s\n", user_context,name);
++ retval = -1;
++ } else {
++ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
++ }
++ }
++ err:
++ freecon(user_context);
++ return 0;
++}
++#endif
++
+ static void
+ run_file(const char *filename, uid_t uid, gid_t gid)
+ {
+@@ -431,9 +501,23 @@ run_file(const char *filename, uid_t uid
+
+ chdir("/");
+
++#ifdef WITH_SELINUX
++ if (selinux_enabled > 0) {
++ if (set_selinux_context(pentry->pw_name, filename) < 0)
++ perr("SELinux Failed to set context\n");
++ }
++#endif
++
+ if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
+ perr("Exec failed for /bin/sh");
+
++#ifdef WITH_SELINUX
++ if (selinux_enabled>0)
++ if (setexeccon(NULL) < 0)
++ if (security_getenforce()==1)
++ perr("Could not resset exec context for user %s\n", pentry->pw_name);
++#endif
++
+ #ifdef WITH_PAM
+ if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L))
+ {
+@@ -732,6 +816,10 @@ main(int argc, char *argv[])
+ struct passwd *pwe;
+ struct group *ge;
+
++#ifdef WITH_SELINUX
++ selinux_enabled=is_selinux_enabled();
++#endif
++
+ /* We don't need root privileges all the time; running under uid and gid
+ * daemon is fine.
+ */
+diff -up at-3.1.14/config.h.in.selinux at-3.1.14/config.h.in
+--- at-3.1.14/config.h.in.selinux 2013-09-26 15:06:55.177049852 +0200
++++ at-3.1.14/config.h.in 2013-09-26 15:06:55.180049850 +0200
+@@ -71,6 +71,9 @@
+ /* Define if you are building with_pam */
+ #undef WITH_PAM
+
++/* Define if you are building with_selinux */
++#undef WITH_SELINUX
++
+ /* Define to 1 if you have the `pstat_getdynamic' function. */
+ #undef HAVE_PSTAT_GETDYNAMIC
+
+diff -up at-3.1.14/configure.ac.selinux at-3.1.14/configure.ac
+--- at-3.1.14/configure.ac.selinux 2013-09-26 15:06:55.178049851 +0200
++++ at-3.1.14/configure.ac 2013-09-26 15:06:55.180049850 +0200
+@@ -246,6 +246,14 @@ AC_DEFINE(WITH_PAM),
+ AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
+ AC_SUBST(PAMLIB)
+
++AC_ARG_WITH(selinux,
++[ --with-selinux Define to run with selinux],
++AC_DEFINE(WITH_SELINUX),
++)
++AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
++AC_SUBST(SELINUXLIB)
++AC_SUBST(WITH_SELINUX)
++
+ AC_MSG_CHECKING(groupname to run under)
+ AC_ARG_WITH(daemon_groupname,
+ [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ],
+diff -up at-3.1.14/Makefile.in.selinux at-3.1.14/Makefile.in
+--- at-3.1.14/Makefile.in.selinux 2013-09-26 15:06:55.175049853 +0200
++++ at-3.1.14/Makefile.in 2013-09-26 15:06:55.180049850 +0200
+@@ -40,6 +40,7 @@ LIBS = @LIBS@
+ LIBOBJS = @LIBOBJS@
+ INSTALL = @INSTALL@
+ PAMLIB = @PAMLIB@
++SELINUXLIB = @SELINUXLIB@
+
+ CLONES = atq atrm
+ ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
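Review bot: set_selinux_context ends with an unconditional `return 0;`, so the `retval = -1` assignments in the two permissive-mode branches (after the entrypoint check and after setexeccon) are dead and the caller's `set_selinux_context(pentry->pw_name, filename) < 0` test in run_file only ever fires for the early `return -1` taken when get_default_context_with_level fails. If permissive mode is meant to log and continue, drop the dead assignments and the `goto err` and say so, e.g. `/* permissive: log the denial but still run the job */`; if it is meant to fail, make the last line `return retval;` (bearing in mind the caller's perr then makes the job fatal in permissive mode as well). Separately, when getseuserbyname fails nothing is logged and user_context stays NULL yet is still handed to security_compute_av and setexeccon; a guard such as `if (user_context == NULL) return -1;` before the entrypoint check would make that path explicit rather than relying on the library to reject it. The comment block above fgetfilecon still talks about crontab files and crond — it appears to have been carried over from cron and should describe the at job file and atd instead — and the message at the setexeccon(NULL) reset reads "resset". The run_file and main hunks are excerpts of functions whose bodies continue outside the hunk.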
diff --git a/at.spec b/at.spec
index e8f807d..5853608 100644
--- a/at.spec
+++ b/at.spec
@@ -74,7 +74,7 @@ is not used as the system init process.
cp %{SOURCE1} .
%patch1 -p1 -b .make
%patch2 -p1 -b .pam
-#%%patch3 -p1 -b .selinux
+%patch3 -p1 -b .selinux
#%%patch2 -p1 -b .opt_V
#%%patch3 -p1 -b .shell
#%%patch4 -p1 -b .nit