From: Marcela Mašláňová <mmaslano@xxxxxxxxxx>
Currently, jobs run by at are run in the crond_t domain and not
transitioned outside of it.
With this patch, the jobs are transitioned in the same domain as the
jobs that are run by the cron daemon:
- When cron_userdomain_transition is set to off, a process for an
unconfined user will transition to unconfined_cronjob_t. For confined
user, the job is run as cronjob_t.
- When cron_userdomain_transition is set to on, the processes are run
under the user default context.
Tested-by: Laurent Bigonville <bigon@xxxxxxxx>
---
Makefile.in | 3 ++-
atd.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
config.h.in | 3 +++
configure.ac | 8 ++++++
4 files changed, 94 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 5dd2767..2bddc13 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -40,6 +40,7 @@ LIBS = @LIBS@
LIBOBJS = @LIBOBJS@
INSTALL = @INSTALL@
PAMLIB = @PAMLIB@
+SELINUXLIB = @SELINUXLIB@
CLONES = atq atrm
ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
@@ -73,7 +74,7 @@ at: $(ATOBJECTS)
$(LN_S) -f at atrm
atd: $(RUNOBJECTS)
- $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB)
+ $(CC) $(LDFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(PAMLIB) $(SELINUXLIB)
y.tab.c y.tab.h: parsetime.y
$(YACC) -d parsetime.y
diff --git a/atd.c b/atd.c
index d0b422e..55f6f8d 100644
--- a/atd.c
+++ b/atd.c
@@ -83,6 +83,14 @@
#include "getloadavg.h"
#endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
/* Macros */
#define BATCH_INTERVAL_DEFAULT 60
@@ -195,6 +203,68 @@ myfork()
#define fork myfork
#endif
+#ifdef WITH_SELINUX
+static int set_selinux_context(const char *name, const char *filename) {
+ security_context_t user_context=NULL;
+ security_context_t file_context=NULL;
+ struct av_decision avd;
+ int retval=-1;
+ char *seuser=NULL;
+ char *level=NULL;
+
+ if (getseuserbyname(name, &seuser, &level) == 0) {
+ retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+ free(seuser);
+ free(level);
+ if (retval) {
+ if (security_getenforce()==1) {
+ perr("execle: couldn't get security context for user %s\n", name);
+ } else {
+ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
+ return -1;
+ }
+ }
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+ perr("fgetfilecon FAILED %s", filename);
+
+ retval = security_compute_av(user_context,
+ file_context,
+ SECCLASS_FILE,
+ FILE__ENTRYPOINT,
+ &avd);
+ freecon(file_context);
+ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+ if (security_getenforce()==1) {
+ perr("Not allowed to set exec context to %s for user %s\n", user_context,name);
+ } else {
+ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name);
+ retval = -1;
+ goto err;
+ }
+ }
+ if (setexeccon(user_context) < 0) {
+ if (security_getenforce()==1) {
+ perr("Could not set exec context to %s for user %s\n", user_context,name);
+ retval = -1;
+ } else {
+ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name);
+ }
+ }
+ err:
+ freecon(user_context);
+ return 0;
+}
+#endif
+
static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
@@ -424,6 +494,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
nice((tolower((int) queue) - 'a' + 1) * 2);
+#ifdef WITH_SELINUX
+ if (selinux_enabled > 0) {
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
+ perr("SELinux Failed to set context\n");
+ }
+#endif
+
if (initgroups(pentry->pw_name, pentry->pw_gid))
perr("Cannot initialize the supplementary group access list");
@@ -707,6 +784,10 @@ main(int argc, char *argv[])
struct passwd *pwe;
struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+#endif
+
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
diff --git a/config.h.in b/config.h.in
index 4d7dc91..681d68e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -192,6 +192,9 @@
<sys/cpustats.h>. */
#undef UMAX4_3
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
+
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
diff --git a/configure.ac b/configure.ac
index f3d2e35..1f6494a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -239,6 +239,14 @@ AC_ARG_WITH(daemon_username,
)
AC_SUBST(DAEMON_USERNAME)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX, 1, [Define if you are building with_selinux]),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
AC_MSG_CHECKING(groupname to run under)
AC_ARG_WITH(daemon_groupname,
[ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ],
--
2.1.4
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
