--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400 +++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400 @@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $ #<<want to use a nonstandard CC?>> #CC = vcc #<<manifest defines>> -DEFS = +DEFS = -s -DWITH_SELINUX +LIBS += -lselinux #(SGI IRIX systems need this) #DEFS = -D_BSD_SIGNALS -Dconst= #<<the name of the BSD-like install program>> --- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400 +++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400 @@ -28,6 +28,15 @@ #include "cron.h" +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#include <selinux/flask.h> +#include <selinux/av_permissions.h> +#define SYSUSERNAME "system_u" +#else +#define SYSUSERNAME "*system*" +#endif + #define TMAX(a,b) ((a)>(b)?(a):(b)) static void process_crontab(const char *, const char *, @@ -217,7 +226,7 @@ if (fname == NULL) { /* must be set to something for logging purposes. */ - fname = "*system*"; + fname = SYSUSERNAME; } else if ((pw = getpwnam(uname)) == NULL) { /* file doesn't have a user in passwd file. */ @@ -279,6 +288,43 @@ free_user(u); log_it(fname, getpid(), "RELOAD", tabname); } +#ifdef WITH_SELINUX + if (is_selinux_enabled()) { + security_context_t file_context=NULL; + security_context_t user_context=NULL; + struct av_decision avd; + int retval=0; + + if (fgetfilecon(crontab_fd, &file_context) < OK) { + log_it(fname, getpid(), "getfilecon FAILED", tabname); + goto next_crontab; + } + + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + if (get_default_context(fname, NULL, &user_context)) { + log_it(fname, getpid(), "NO CONTEXT", tabname); + freecon(file_context); + goto next_crontab; + } + retval = security_compute_av(user_context, + file_context, + SECCLASS_FILE, + FILE__ENTRYPOINT, + &avd); + freecon(user_context); + freecon(file_context); + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { + log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname); + goto next_crontab; + } + } +#endif u = load_user(crontab_fd, pw, fname); if (u != NULL) { u->mtime = statbuf->st_mtime; --- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400 +++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400 @@ -25,6 +25,10 @@ #include "cron.h" +#ifdef WITH_SELINUX +#include <selinux/selinux.h> +#endif + static void child_process(entry *, user *); static int safe_p(const char *, const char *); @@ -265,6 +269,20 @@ _exit(OK_EXIT); } # endif /*DEBUGGING*/ +#ifdef WITH_SELINUX + if (is_selinux_enabled()) { + security_context_t scontext; + if (get_default_context(u->name, NULL, &scontext)) { + fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name); + _exit(ERROR_EXIT); + } + if (setexeccon(scontext) < 0) { + fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name); + _exit(ERROR_EXIT); + } + freecon(scontext); + } +#endif execle(shell, shell, "-c", e->cmd, (char *)0, e->envp); fprintf(stderr, "execl: couldn't exec `%s'\n", shell); perror("execl");