Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/fcron/ChangeLog6
-rw-r--r--sys-apps/fcron/fcron-2.9.4.ebuild3
-rw-r--r--sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff243
3 files changed, 250 insertions, 2 deletions
diff --git a/sys-apps/fcron/ChangeLog b/sys-apps/fcron/ChangeLog
index bb771a412c05..3f2a9eafa684 100644
--- a/sys-apps/fcron/ChangeLog
+++ b/sys-apps/fcron/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-apps/fcron
# Copyright 2002-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/ChangeLog,v 1.24 2004/04/19 18:36:52 avenj Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/ChangeLog,v 1.25 2004/05/25 18:48:00 pebenito Exp $
+
+ 25 May 2004; Chris PeBenito <pebenito@gentoo.org>
+ +files/fcron-2.9.4-selinuxupdate.diff, fcron-2.9.4.ebuild:
+ Update SELinux support to 2.6 SELinux API.
19 Apr 2004; Jon Portnoy <avenj@gentoo.org> files/crontab :
Updated to do run-crons every ten minutes rather than every minute.
diff --git a/sys-apps/fcron/fcron-2.9.4.ebuild b/sys-apps/fcron/fcron-2.9.4.ebuild
index 86530cd92194..dc8f541f4d0e 100644
--- a/sys-apps/fcron/fcron-2.9.4.ebuild
+++ b/sys-apps/fcron/fcron-2.9.4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/fcron-2.9.4.ebuild,v 1.1 2004/04/18 22:22:55 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/fcron/fcron-2.9.4.ebuild,v 1.2 2004/05/25 18:48:00 pebenito Exp $
inherit eutils
@@ -26,6 +26,7 @@ src_unpack() {
unpack ${A}
cd ${S}
epatch ${FILESDIR}/${PV}-braindead-configure-check.patch
+ use selinux && epatch ${FILESDIR}/fcron-2.9.4-selinuxupdate.diff
autoconf || die "autoconf failed"
}
diff --git a/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff b/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff
new file mode 100644
index 000000000000..2b697a103c08
--- /dev/null
+++ b/sys-apps/fcron/files/fcron-2.9.4-selinuxupdate.diff
@@ -0,0 +1,243 @@
+--- fcron-2.9.4.orig/job.c
++++ fcron-2.9.4/job.c
+@@ -41,7 +41,7 @@
+ char env_shell[PATH_LEN];
+ #endif
+
+-#ifdef CONFIG_FLASK
++#ifdef WITH_SELINUX
+ extern char **environ;
+ #endif
+
+@@ -249,8 +249,8 @@
+ int to_stdout = foreground && is_stdout(line->cl_option);
+ int pipe_fd[2];
+ short int mailpos = 0; /* 'empty mail file' size */
+-#ifdef CONFIG_FLASK
+- int flask_enabled = is_flask_enabled();
++#ifdef WITH_SELINUX
++ int flask_enabled = is_selinux_enabled();
+ #endif
+
+ /* */
+@@ -352,10 +352,9 @@
+ debug("Execing \"%s -c %s\"", curshell, line->cl_shell);
+ #endif /* CHECKJOBS */
+
+-#ifdef CONFIG_FLASK
+- if(flask_enabled)
+- execle_secure(shell, line->cl_file->cf_user_sid, shell, "-c", line->cl_shell, NULL, environ);
+- else
++#ifdef WITH_SELINUX
++ if(flask_enabled && setexeccon(line->cl_file->cf_user_context) )
++ die_e("Can't set execute context \"%s\".", line->cl_file->cf_user_context);
+ #endif
+ execl(curshell, curshell, "-c", line->cl_shell, NULL);
+ /* execl returns only on error */
+--- fcron-2.9.4.orig/configure.in
++++ fcron-2.9.4/configure.in
+@@ -44,7 +44,6 @@
+ AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h)
+ AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h)
+ AC_CHECK_HEADERS(sys/resource.h)
+-AC_CHECK_HEADERS(flask_util.h)
+
+ dnl Checks for typedefs, structures, and compiler characteristics.
+ AC_C_CONST
+@@ -61,7 +60,7 @@
+ AC_FUNC_STRFTIME
+ AC_FUNC_WAIT3
+ AC_CHECK_LIB(xnet, shutdown)
+-AC_CHECK_LIB(secure, getsecsid, [flaskavail=1], [flaskavail=0])
++AC_CHECK_LIB(selinux, getcon, [selinuxavail=1], [selinuxavail=0])
+ AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0])
+ AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0])
+ if test $getloadavg -eq 1; then
+@@ -925,7 +924,7 @@
+ AC_MSG_RESULT(no)
+ ;;
+ yes)
+- if test "$flaskavail" -eq 1; then
++ if test "$selinuxavail" -eq 1; then
+ useselinux=1
+ AC_MSG_RESULT(yes)
+ else
+@@ -940,7 +939,7 @@
+ AC_MSG_ERROR(Must be set to either "yes" or "no".)
+ ;;
+ esac ],
+- if test "$useselinux" != "0" && test "$flaskavail" -eq 1; then
++ if test "$useselinux" != "0" && test "$selinuxavail" -eq 1; then
+ useselinux=1
+ AC_MSG_RESULT(yes)
+ else
+@@ -949,8 +948,9 @@
+ fi
+ )
+ if test "$useselinux" -eq 1; then
+- LIBS="$LIBS -lsecure"
+- AC_DEFINE(CONFIG_FLASK)
++ LIBS="$LIBS -lselinux"
++ AC_DEFINE(WITH_SELINUX)
++ CFLAGS="$CFLAGS -I/usr/include/selinux"
+ fi
+
+
+@@ -1149,4 +1149,5 @@
+ echo
+ echo "You can now run 'make' to compile"
+ echo "and then (as root) 'make install' to install fcron."
+-echo
+\ No newline at end of file
++echo
++
+--- fcron-2.9.4.orig/global.h
++++ fcron-2.9.4/global.h
+@@ -43,12 +43,11 @@
+ #include <errno.h>
+ #endif
+
+-#ifdef CONFIG_FLASK
+-#include <flask_util.h>
+-#include <fs_secure.h>
+-#include <ss.h>
+-#include <linux/flask/av_permissions.h>
+-#include <get_sid_list.h>
++#ifdef WITH_SELINUX
++#include <selinux.h>
++#include <get_context_list.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
+ #endif
+
+ #ifdef HAVE_GETOPT_H
+@@ -167,9 +166,9 @@
+ struct env_t *cf_env_base; /* list of all env variables to set */
+ int cf_running; /* number of jobs running */
+ signed char cf_tzdiff; /* time diff between system and local hour */
+-#ifdef CONFIG_FLASK
+- security_id_t cf_user_sid;
+- security_id_t cf_file_sid;
++#ifdef WITH_SELINUX
++ security_context_t cf_user_context;
++ security_context_t cf_file_context;
+ #endif
+ } cf_t;
+
+--- fcron-2.9.4.orig/conf.c
++++ fcron-2.9.4/conf.c
+@@ -437,11 +437,10 @@
+ struct passwd *pass = NULL;
+ short int type = 0, size = 0;
+ int rc;
+-#ifdef CONFIG_FLASK
+- int flask_enabled = is_flask_enabled();
+- struct security_query qry;
+- struct security_response rsp;
++#ifdef WITH_SELINUX
++ int flask_enabled = is_selinux_enabled();
+ int retval;
++ struct av_decision avd;
+ const char *user_name;
+ #endif
+
+@@ -453,16 +452,18 @@
+
+ /* check if this file is owned by root : otherwise, all runas fields
+ * of this field should be set to the owner */
+-#ifdef CONFIG_FLASK
+- if(flask_enabled)
+- rc = fstat_secure(fileno(ff), &file_stat, &cf->cf_file_sid);
+- else
+-#endif
+ rc = fstat(fileno(ff), &file_stat);
+ if ( rc != 0 ) {
+ error_e("Could not stat %s", file_name);
+ goto err;
+ }
++#ifdef WITH_SELINUX
++ if(flask_enabled && fgetfilecon(fileno(ff), &cf->cf_file_context) < 0 )
++ {
++ error_e("Could not get context of %s", file_name);
++ goto err;
++ }
++#endif
+
+ if ( strncmp(file_name,"new.", 4) == 0 ) {
+ if ( file_stat.st_uid == ROOTUID ) {
+@@ -495,7 +496,7 @@
+ }
+ }
+
+-#ifdef CONFIG_FLASK
++#ifdef WITH_SELINUX
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+@@ -507,17 +508,19 @@
+ user_name = "system_u";
+ else
+ user_name = cf->cf_user;
+- if(get_default_sid(user_name, 0, &cf->cf_user_sid))
+- error_e("NO SID for user \"%s\"", cf->cf_user_sid);
+- qry.ssid = cf->cf_user_sid;
+- qry.tsid = cf->cf_file_sid;
+- qry.tclass = SECCLASS_FILE;
+- qry.requested = FILE__ENTRYPOINT;
+- retval = security_compute_av(&qry, &rsp);
+- if(retval || ((qry.requested & rsp.allowed) != qry.requested)) {
+- syslog(LOG_ERR, "ENTRYPOINT FAILED for \"%s\" (SID %u) for file SID %u"
+- , cf->cf_user, cf->cf_user_sid, cf->cf_file_sid);
+- goto err;
++ if(flask_enabled)
++ {
++ if(get_default_context(user_name, NULL, &cf->cf_user_context))
++ error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context);
++ retval = security_compute_av(cf->cf_user_context, cf->cf_file_context
++ , SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
++
++ if(retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
++ {
++ syslog(LOG_ERR, "ENTRYPOINT FAILED for user \"%s\" (CONTEXT %s) for file CONTEXT %s"
++ , cf->cf_user, cf->cf_user_context, cf->cf_file_context);
++ goto err;
++ }
+ }
+ #endif
+
+--- fcron-2.9.4.orig/config.h.in
++++ fcron-2.9.4/config.h.in
+@@ -393,7 +393,7 @@
+ #undef HAVE_LIBSHADOW
+
+ /* Have SE Linux support */
+-#undef CONFIG_FLASK
++#undef WITH_SELINUX
+
+ /* Define if you have the xnet library (-lxnet). */
+ #undef HAVE_LIBXNET
+--- fcron-2.9.4.orig/save.c
++++ fcron-2.9.4/save.c
+@@ -298,12 +298,18 @@
+ int fd;
+
+ /* open file */
+-#ifdef CONFIG_FLASK
+- if ( is_flask_enabled() )
+- fd = open_secure(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR, file->cf_file_sid);
+- else
++#ifdef WITH_SELINUX
++ if ( is_selinux_enabled() && setfscreatecon(file->cf_file_context) )
++ {
++ error_e("Could not set create context for file %s", filename);
++ return ERR;
++ }
+ #endif
+ fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR|S_IWUSR);
++#ifdef WITH_SELINUX
++ if ( is_selinux_enabled() )
++ setfscreatecon(NULL);
++#endif
+ if ( fd == -1 ) {
+ error_e("Could not open %s", filename);
+ return ERR;
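Review bot: In the conf.c part of this patch a failing `get_default_context()` is only logged and the code falls through into `security_compute_av()` with a `cf->cf_user_context` that was never set, and the log message formats that pointer as the `%s` argument where the user name was clearly intended; the branch should read `if(get_default_context(user_name, NULL, &cf->cf_user_context)) { error_e("NO CONTEXT for user \"%s\"", user_name); goto err; }` so a user with no default context is refused at crontab load time instead of relying on the later AV query to fail. The contexts returned by `fgetfilecon()` and `get_default_context()` are heap strings that libselinux expects callers to release with `freecon()`; no release appears anywhere in this patch, so unless it happens in code outside these hunks both contexts leak on every crontab reload. In save.c the unconditional `setfscreatecon(NULL)` sits between `open()` and the `fd == -1` check and can overwrite `errno` before `error_e("Could not open %s", ...)` reports it; save `errno` before the reset or move the reset below the check. The conf.c and save.c functions touched here start and end outside the quoted hunks.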