diff --git a/at-3.1.14-selinux.patch b/at-3.1.14-selinux.patch new file mode 100644 index 0000000..e8bbc73 --- /dev/null +++ b/at-3.1.14-selinux.patch @@ -0,0 +1,164 @@ +diff -up at-3.1.14/atd.c.selinux at-3.1.14/atd.c +--- at-3.1.14/atd.c.selinux 2013-09-26 15:06:55.177049852 +0200 ++++ at-3.1.14/atd.c 2013-09-26 16:33:23.981355661 +0200 +@@ -87,6 +87,14 @@ + #define LOG_ATD LOG_DAEMON + #endif + ++#ifdef WITH_SELINUX ++#include ++#include ++int selinux_enabled=0; ++#include ++#include ++#endif ++ + /* Macros */ + + #define BATCH_INTERVAL_DEFAULT 60 +@@ -191,6 +199,68 @@ myfork() + #define fork myfork + #endif + ++#ifdef WITH_SELINUX ++static int set_selinux_context(const char *name, const char *filename) { ++ security_context_t user_context=NULL; ++ security_context_t file_context=NULL; ++ struct av_decision avd; ++ int retval=-1; ++ char *seuser=NULL; ++ char *level=NULL; ++ ++ if (getseuserbyname(name, &seuser, &level) == 0) { ++ retval=get_default_context_with_level(seuser, level, NULL, &user_context); ++ free(seuser); ++ free(level); ++ if (retval) { ++ if (security_getenforce()==1) { ++ perr("execle: couldn't get security context for user %s\n", name); ++ } else { ++ syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name); ++ return -1; ++ } ++ } ++ } ++ ++ /* ++ * Since crontab files are not directly executed, ++ * crond must ensure that the crontab file has ++ * a context that is appropriate for the context of ++ * the user cron job. It performs an entrypoint ++ * permission check for this purpose. ++ */ ++ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) ++ perr("fgetfilecon FAILED %s", filename); ++ ++ retval = security_compute_av(user_context, ++ file_context, ++ SECCLASS_FILE, ++ FILE__ENTRYPOINT, ++ &avd); ++ freecon(file_context); ++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { ++ if (security_getenforce()==1) { ++ perr("Not allowed to set exec context to %s for user %s\n", user_context,name); ++ } else { ++ syslog(LOG_ERR, "Not allowed to set exec context to %s for user %s\n", user_context,name); ++ retval = -1; ++ goto err; ++ } ++ } ++ if (setexeccon(user_context) < 0) { ++ if (security_getenforce()==1) { ++ perr("Could not set exec context to %s for user %s\n", user_context,name); ++ retval = -1; ++ } else { ++ syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,name); ++ } ++ } ++ err: ++ freecon(user_context); ++ return 0; ++} ++#endif ++ + static void + run_file(const char *filename, uid_t uid, gid_t gid) + { +@@ -431,9 +501,23 @@ run_file(const char *filename, uid_t uid + + chdir("/"); + ++#ifdef WITH_SELINUX ++ if (selinux_enabled > 0) { ++ if (set_selinux_context(pentry->pw_name, filename) < 0) ++ perr("SELinux Failed to set context\n"); ++ } ++#endif ++ + if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) + perr("Exec failed for /bin/sh"); + ++#ifdef WITH_SELINUX ++ if (selinux_enabled>0) ++ if (setexeccon(NULL) < 0) ++ if (security_getenforce()==1) ++ perr("Could not resset exec context for user %s\n", pentry->pw_name); ++#endif ++ + #ifdef WITH_PAM + if ( ( nenvp != &nul ) && (pam_envp != 0L) && (*pam_envp != 0L)) + { +@@ -732,6 +816,10 @@ main(int argc, char *argv[]) + struct passwd *pwe; + struct group *ge; + ++#ifdef WITH_SELINUX ++ selinux_enabled=is_selinux_enabled(); ++#endif ++ + /* We don't need root privileges all the time; running under uid and gid + * daemon is fine. + */ +diff -up at-3.1.14/config.h.in.selinux at-3.1.14/config.h.in +--- at-3.1.14/config.h.in.selinux 2013-09-26 15:06:55.177049852 +0200 ++++ at-3.1.14/config.h.in 2013-09-26 15:06:55.180049850 +0200 +@@ -71,6 +71,9 @@ + /* Define if you are building with_pam */ + #undef WITH_PAM + ++/* Define if you are building with_selinux */ ++#undef WITH_SELINUX ++ + /* Define to 1 if you have the `pstat_getdynamic' function. */ + #undef HAVE_PSTAT_GETDYNAMIC + +diff -up at-3.1.14/configure.ac.selinux at-3.1.14/configure.ac +--- at-3.1.14/configure.ac.selinux 2013-09-26 15:06:55.178049851 +0200 ++++ at-3.1.14/configure.ac 2013-09-26 15:06:55.180049850 +0200 +@@ -246,6 +246,14 @@ AC_DEFINE(WITH_PAM), + AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc') + AC_SUBST(PAMLIB) + ++AC_ARG_WITH(selinux, ++[ --with-selinux Define to run with selinux], ++AC_DEFINE(WITH_SELINUX), ++) ++AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) ++AC_SUBST(SELINUXLIB) ++AC_SUBST(WITH_SELINUX) ++ + AC_MSG_CHECKING(groupname to run under) + AC_ARG_WITH(daemon_groupname, + [ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ], +diff -up at-3.1.14/Makefile.in.selinux at-3.1.14/Makefile.in +--- at-3.1.14/Makefile.in.selinux 2013-09-26 15:06:55.175049853 +0200 ++++ at-3.1.14/Makefile.in 2013-09-26 15:06:55.180049850 +0200 +@@ -40,6 +40,7 @@ LIBS = @LIBS@ + LIBOBJS = @LIBOBJS@ + INSTALL = @INSTALL@ + PAMLIB = @PAMLIB@ ++SELINUXLIB = @SELINUXLIB@ + + CLONES = atq atrm + ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o diff --git a/at.spec b/at.spec index e8f807d..5853608 100644 --- a/at.spec +++ b/at.spec @@ -74,7 +74,7 @@ is not used as the system init process. cp %{SOURCE1} . %patch1 -p1 -b .make %patch2 -p1 -b .pam -#%%patch3 -p1 -b .selinux +%patch3 -p1 -b .selinux #%%patch2 -p1 -b .opt_V #%%patch3 -p1 -b .shell #%%patch4 -p1 -b .nit