From 5030df8a9ba0014ee53663304920f022b3e67f98 Mon Sep 17 00:00:00 2001
From: Thibault Godouet
Date: Fri, 18 Apr 2014 16:56:23 +0100
Subject: [PATCH] Fixed SELinux issue with Linux user being used instead of the SELinux user

---
 conf.c              | 35 ++++++++++++++++++++++++++---------
 doc/en/changes.sgml |  3 +++
 fileconf.c          |  2 +-
 3 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/conf.c b/conf.c
index 8db0f2b..72d1e40 100644
--- a/conf.c
+++ b/conf.c
@@ -454,7 +454,7 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
     int flask_enabled = is_selinux_enabled();
     int retval;
     struct av_decision avd;
-    const char *user_name;
+    char *user_name = NULL;
 #endif
 
     /* open file */
@@ -511,30 +511,47 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
 #ifdef WITH_SELINUX
     /*
      * Since fcrontab files are not directly executed,
-     * fcrond must ensure that the fcrontab file has
+     * fcron daemon must ensure that the fcrontab file has
      * a context that is appropriate for the context of
      * the user fcron job. It performs an entrypoint
      * permission check for this purpose.
      */
+    if (flask_enabled) {
+        char *sename = NULL;
+        char *selevl = NULL;
+
+        /* first, get the SELinux user for that Linux user */
 #ifdef SYSFCRONTAB
-    if (!strcmp(cf->cf_user, SYSFCRONTAB))
-        user_name = "system_u";
-    else
+        if (!strcmp(cf->cf_user, SYSFCRONTAB))
+            /* system_u is the default SELinux user for running system services */
+            user_name = "system_u";
+        else
 #endif /* def SYSFCRONTAB */
-        user_name = cf->cf_user;
-    if (flask_enabled) {
+        {
+            if (getseuserbyname(cf->cf_user, &sename, &selevl) < 0) {
+                error_e("Cannot find SELinux user for user \"%s\"\n",
+                        cf->cf_user);
+                goto err;
+            }
+            user_name = sename;
+        }
+
         if (get_default_context(user_name, NULL, &cf->cf_user_context))
-            error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context);
+            error_e("NO CONTEXT for Linux user '%s' (SELinux user '%s')",
+                    cf->cf_user, user_name);
         retval = security_compute_av(cf->cf_user_context, cf->cf_file_context,
                                      SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
         if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-            syslog(LOG_ERR, "ENTRYPOINT FAILED for user \"%s\" "
+            syslog(LOG_ERR, "ENTRYPOINT FAILED for Linux user '%s' "
                    "(CONTEXT %s) for file CONTEXT %s",
                    cf->cf_user, cf->cf_user_context, cf->cf_file_context);
             goto err;
         }
+
+        Free_safe(sename);
+        Free_safe(selevl);
     }
 #endif
 
diff --git a/doc/en/changes.sgml b/doc/en/changes.sgml
index 78b8e92..d7a5bf7 100644
--- a/doc/en/changes.sgml
+++ b/doc/en/changes.sgml
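Review bot: The `sename`/`selevl` buffers returned by `getseuserbyname()` are only released on the success path, so the `goto err` taken when the entrypoint check fails leaks both every time that fcrontab is (re)loaded; since `user_name` is not used after the `get_default_context()` call and its error message, the two `Free_safe(sename); Free_safe(selevl);` lines can simply move up to just before `retval = security_compute_av(...)`. A failed `get_default_context()` still only logs and falls through to `security_compute_av()` with whatever `cf->cf_user_context` held before, which looks like it should also be a `goto err` (pre-existing behaviour, but the message line is rewritten here). The MLS level returned in `selevl` is obtained and then discarded; if MLS/MCS policies are in scope, `get_default_context_with_level(user_name, selevl, NULL, &cf->cf_user_context)` would honour the seusers entry instead of the NULL level passed now. The `err:` label and the rest of `read_file` are outside the hunk.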
@@ -32,6 +32,9 @@ A copy of the license is included in gfdl.sgml.
 fcrontab no longer crash if mailto is empty (thanks Olaf for reporting the issue)
+
+Fixed SELinux issue with Linux user being used instead of the SELinux user (thanks Sven Vermeulen for the patch)
+
diff --git a/fileconf.c b/fileconf.c
index 7a6c6d4..4ed03fe 100644
--- a/fileconf.c
+++ b/fileconf.c
@@ -878,7 +878,7 @@ read_opt(char *ptr, cl_t * cl)
     /* assign_option_string() set the value to NULL if the length is zero.
      * However cl_mailto must not be NULL (as expected in
      * conf.c:add_line_to_file()), so we check if the length is >= 0
-     * before calling assign_option_string() */
+     * before calling assign_option_string() */
     /* Also please note that we check if the mailto is valid in conf.c */
     len = option_strlen(ptr);
     if (len <= 0) {
-- 
2.47.3