From: Thibault Godouet Date: Mon, 14 Jul 2003 10:50:39 +0000 (+0000) Subject: merged SE Linux support X-Git-Tag: ver2_9_4~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4db5d353f2d4d6cbb9c65ddc522b52b12797f065;p=thirdparty%2Ffcron.git merged SE Linux support --- diff --git a/conf.c b/conf.c index 461d535..f4bd751 100644 --- a/conf.c +++ b/conf.c @@ -22,7 +22,7 @@ * `LICENSE' that comes with the fcron source distribution. */ - /* $Id: conf.c,v 1.64 2002-11-17 13:13:46 thib Exp $ */ + /* $Id: conf.c,v 1.65 2003-07-14 10:52:21 thib Exp $ */ #include "fcron.h" @@ -437,6 +437,13 @@ read_file(const char *file_name, cf_t *cf) struct passwd *pass = NULL; short int type = 0, size = 0; int rc; +#ifdef CONFIG_FLASK + int flask_enabled = is_flask_enabled(); + struct security_query qry; + struct security_response rsp; + int retval; + const char *user_name; +#endif /* open file */ if ( (ff = fopen(file_name, "r")) == NULL ) { @@ -446,6 +453,11 @@ read_file(const char *file_name, cf_t *cf) /* check if this file is owned by root : otherwise, all runas fields * of this field should be set to the owner */ +#ifdef CONFIG_FLASK + if(flask_enabled) + rc = fstat_secure(fileno(ff), &file_stat, &cf->cf_file_sid); + else +#endif rc = fstat(fileno(ff), &file_stat); if ( rc != 0 ) { error_e("Could not stat %s", file_name); @@ -467,8 +479,11 @@ read_file(const char *file_name, cf_t *cf) } runas_str = strdup2(pass->pw_name); } + cf->cf_user = strdup2(file_name + 4); } else { + if(!cf->cf_user) + cf->cf_user = strdup2(file_name); if ( file_stat.st_uid == ROOTUID ) { /* file is owned by root : either this file has already been parsed * at least once by fcron, or it is root's fcrontab */ 
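Review bot: `cf->cf_file_sid` is written only on the `fstat_secure()` branch of the @@ -446 hunk, yet the entrypoint check added in the @@ -480 hunk reads it without testing `flask_enabled`. On a CONFIG_FLASK build where `is_flask_enabled()` returns 0, that check would compare against whatever the field held before; its initialisation is not visible on this page. Either wrap the later block in `if(flask_enabled) { ... }` or give the field a defined value on the plain `fstat()` path. The unbraced `if`/`else` split by `#endif` is also fragile: bracing both arms keeps the `else` from binding to a different statement if a line is ever inserted before `rc = fstat(...)`. read_file() starts and ends outside this hunk.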
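Review bot: The two new assignments to `cf->cf_user` in the @@ -467 hunk are inconsistent: the first branch overwrites the field unconditionally, while the `else` branch first tests `if(!cf->cf_user)`. If the field can already be set on entry, the first assignment leaks the old string. `file_name + 4` also relies on a prefix length established by the enclosing condition, which is outside this hunk; a comment such as `/* skip the 4-character prefix tested above */` would make that dependency visible. This string later selects the SID for the entrypoint check, so a comment should say why it comes from the file name rather than from `pass->pw_name`, which is used a few lines earlier for `runas_str`.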
@@ -480,6 +495,32 @@ read_file(const char *file_name, cf_t *cf) } } +#ifdef CONFIG_FLASK + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + if(!strcmp(cf->cf_user, SYSFCRONTAB)) + user_name = "system_u"; + else + user_name = cf->cf_user; + if(get_default_sid(user_name, 0, &cf->cf_user_sid)) + error_e("NO SID for user \"%s\"", cf->cf_user_sid); + qry.ssid = cf->cf_user_sid; + qry.tsid = cf->cf_file_sid; + qry.tclass = SECCLASS_FILE; + qry.requested = FILE__ENTRYPOINT; + retval = security_compute_av(&qry, &rsp); + if(retval || ((qry.requested & rsp.allowed) != qry.requested)) { + syslog(LOG_ERR, "ENTRYPOINT FAILED for \"%s\" (SID %u) for file SID %u" + , cf->cf_user, cf->cf_user_sid, cf->cf_file_sid); + goto err; + } +#endif + debug("User %s Entry", file_name); bzero(buf, sizeof(buf)); @@ -501,6 +542,8 @@ read_file(const char *file_name, cf_t *cf) goto err; } /* get the owner's name */ + /* we set cf->cf_user before for SE Linux, so we need to free it here */ + free(cf->cf_user); if ( read_strn(fileno(ff), &cf->cf_user, size) != OK ) { error("Cannot read user's name : file ignored"); goto err; diff --git a/config.h.in b/config.h.in index 11ce698..39927e9 100644 --- a/config.h.in +++ b/config.h.in @@ -21,7 +21,7 @@ * `LICENSE' that comes with the fcron source distribution. */ - /* $Id: config.h.in,v 1.47 2002-10-28 17:54:56 thib Exp $ */ + /* $Id: config.h.in,v 1.48 2003-07-14 10:53:22 thib Exp $ */ /* *********************************************************** */ @@ -389,5 +389,8 @@ /* Define if you have the shadow library (-lshadow or included in c library). */ #undef HAVE_LIBSHADOW +/* Have SE Linux support */ +#undef CONFIG_FLASK + /* Define if you have the xnet library (-lxnet). */ #undef HAVE_LIBXNET 
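Review bot: The `error_e()` call after `get_default_sid()` in the @@ -480 hunk passes `cf->cf_user_sid` to a `%s` conversion, but the `syslog()` call a few lines below prints the same field with `%u`. The field is therefore an integer and the call is undefined behaviour on the error path; it should print `user_name`. The failure is also only logged, so execution falls through to `security_compute_av()` with a subject SID that was never obtained. Suggested: `if(get_default_sid(user_name, 0, &cf->cf_user_sid)) { error_e("NO SID for user \"%s\"", user_name); goto err; }`. The denial is reported through `syslog()` directly while the rest of the function uses `error()`/`error_e()`; the same helper would keep the entry in fcron's normal log path.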
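Review bot: After the added `free(cf->cf_user)` in the @@ -501 hunk the pointer is left dangling. If `read_strn()` fails without storing into it, `goto err` is taken with a stale pointer; the `err:` label is outside this hunk, so whether the field is freed again there cannot be confirmed from this page. Adding `cf->cf_user = NULL;` right after the `free()` removes the risk. The name replaced here is also the one the entrypoint check above was computed for, so a comment should say whether `cf->cf_user_sid` is still expected to match the name read from the file.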
diff --git a/configure.in b/configure.in index e0b847a..3e34bc0 100644 --- a/configure.in +++ b/configure.in @@ -11,7 +11,7 @@ if test \( "$prefix" = "NONE" \) -o \( -z "$prefix" \); then fi AC_PREFIX_DEFAULT($prefix) AC_CONFIG_HEADER(config.h) -AC_PREREQ(2.7) +AC_PREREQ(2.57) vers="2.9.4" vers_quoted="\"$vers\"" @@ -44,6 +44,7 @@ AC_CHECK_HEADERS(strings.h) AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h) AC_CHECK_HEADERS(security/pam_appl.h crypt.h shadow.h) AC_CHECK_HEADERS(sys/resource.h) +AC_CHECK_HEADERS(flask_util.h) dnl Checks for typedefs, structures, and compiler characteristics. AC_C_CONST @@ -60,6 +61,7 @@ AC_TYPE_SIGNAL AC_FUNC_STRFTIME AC_FUNC_WAIT3 AC_CHECK_LIB(xnet, shutdown) +AC_CHECK_LIB(secure, getsecsid, [flaskavail=1], [flaskavail=0]) AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0]) AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0]) if test $getloadavg -eq 1; then @@ -70,7 +72,7 @@ dnl Nothing to do ... elif test $kstat -eq 1; then AC_MSG_CHECKING(function to use for lavg* options) LIBS="$LIBS -lkstat" - LIBOBJS="$LIBOBJS getloadavg.o" + AC_LIBOBJ([getloadavg]) AC_DEFINE_UNQUOTED(HAVE_KSTAT, 1) AC_MSG_RESULT(kstat) else 
@@ -596,6 +598,44 @@ USEPAM="$usepam" AC_SUBST(USEPAM) +AC_MSG_CHECKING(if SELinux should be used) +AC_ARG_WITH(selinux, +[ --with-selinux=[yes|no] Use (or not) SELinux (default: yes).], +[ case "$withval" in + no) + useselinux=0 + AC_MSG_RESULT(no) + ;; + yes) + if test "$flaskavail" -eq 1; then + useselinux=1 + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(not available) + AC_MSG_ERROR([ + You requested the use of SELinux, but SELinux is considered + as not available by configure script. +]) + fi + ;; + *) + AC_MSG_ERROR(Must be set to either "yes" or "no".) + ;; + esac ], + if test "$flaskavail" -eq 1; then + useselinux=1 + AC_MSG_RESULT(yes) + else + useselinux=0 + AC_MSG_RESULT(not available) + fi +) +if test "$useselinux" -eq 1; then + LIBS="$LIBS -lsecure" + AC_DEFINE(CONFIG_FLASK) +fi + + dnl --------------------------------------------------------------------- dnl Users and groups ... @@ -979,7 +1019,7 @@ AC_SUBST(DB2MAN_BEFORE) AC_SUBST(DB2MAN_AFTER) -DSSSL_DIR="/usr/share/sgml/docbook/dsssl-stylesheets-1.74b/" +DSSSL_DIR="/usr/share/sgml/docbook/stylesheet/dsssl/modular" AC_MSG_CHECKING(Looking for dsssl stylsheets) AC_ARG_WITH(dsssl-dir, diff --git a/global.h b/global.h index 136cf75..ebac605 100644 --- a/global.h +++ b/global.h @@ -21,7 +21,7 @@ * `LICENSE' that comes with the fcron source distribution. */ - /* $Id: global.h,v 1.39 2002-10-28 17:53:59 thib Exp $ */ + /* $Id: global.h,v 1.40 2003-07-14 10:51:52 thib Exp $ */ /* @@ -43,10 +43,22 @@ #include #endif +#ifdef CONFIG_FLASK +#include +#include +#include +#include +#include +#endif + #ifdef HAVE_GETOPT_H #include #endif +#ifdef HAVE_LIMITS_H +#include +#endif + #include #include @@ -97,10 +109,6 @@ #include #endif -#ifdef HAVE_LIMITS_H -#include -#endif - #ifdef HAVE_LIBPAM #include "pam.h" #endif 
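Review bot: In the @@ -596 hunk `flaskavail` comes only from the `AC_CHECK_LIB(secure, getsecsid, ...)` link test added in the @@ -60 hunk; the result of `AC_CHECK_HEADERS(flask_util.h)` from the @@ -44 hunk is never consulted. A host with the library but without the headers would get `CONFIG_FLASK` defined by default and then fail at compile time. Consider requiring both in the default and `yes` arms, e.g. `if test "$flaskavail" -eq 1 -a "$ac_cv_header_flask_util_h" = yes; then`. The `*)` arm also calls `AC_MSG_ERROR` after `AC_MSG_CHECKING` without an `AC_MSG_RESULT`, which leaves the "checking" line unterminated in the configure output.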
@@ -159,6 +167,10 @@ typedef struct cf_t {
 struct env_t *cf_env_base; /* list of all env variables to set */
 int cf_running; /* number of jobs running */
 signed char cf_tzdiff; /* time diff between system and local hour */
+#ifdef CONFIG_FLASK
+ security_id_t cf_user_sid;
+ security_id_t cf_file_sid;
+#endif
 } cf_t;
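Review bot: The two new `cf_t` members are the only fields in this hunk without a trailing comment. Going by their use in conf.c, `/* SID returned by get_default_sid() for the fcrontab's user */` on `cf_user_sid` and `/* SID of the fcrontab file, set by fstat_secure() */` on `cf_file_sid` would match the neighbouring lines. It is also worth noting there that `cf_file_sid` is only written when `is_flask_enabled()` is true. The struct definition starts outside the hunk.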