diff --git a/cronie-pam.patch b/cronie-pam.patch
new file mode 100644
index 0000000..7543ac0
--- /dev/null
+++ b/cronie-pam.patch
@@ -0,0 +1,8 @@
+diff -up cronie-1.4.3/pam/crond.ppp cronie-1.4.3/pam/crond
+--- cronie-1.4.3/pam/crond.ppp 2009-09-25 08:23:18.000000000 +0200
++++ cronie-1.4.3/pam/crond 2009-11-05 16:34:06.000000000 +0100
+@@ -7,3 +7,4 @@ account required pam_access.so
+ account include password-auth
+ session required pam_loginuid.so
+ session include password-auth
++auth include password-auth
diff --git a/cronie-selinux_passwd.patch b/cronie-selinux_passwd.patch
new file mode 100644
index 0000000..8cf75fa
--- /dev/null
+++ b/cronie-selinux_passwd.patch
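Review bot: The added `auth include password-auth` line in pam/crond carries no explanation, and cron never prompts for credentials, so a later reader may take the entry for a mistake and drop it. If the reason is that crond calls pam_setcred() and would otherwise fall through to the `other` service's auth stack (an assumption; the patch does not say), state it in a comment above the line, e.g. `# auth stack is needed for pam_setcred(); crond does not prompt for a password`. Placing the line ahead of the account entries would also match the usual auth/account/session ordering, although PAM evaluates each management type independently.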
@@ -0,0 +1,44 @@
+diff -up cronie-1.4.3/src/security.c.old cronie-1.4.3/src/security.c
+--- cronie-1.4.3/src/security.c.old 2009-09-25 08:23:18.000000000 +0200
++++ cronie-1.4.3/src/security.c 2009-11-05 16:43:13.000000000 +0100
+@@ -486,9 +486,37 @@ void free_security_context(security_cont
+
+ int crontab_security_access(void) {
+ #ifdef WITH_SELINUX
+- if (is_selinux_enabled() > 0)
+- if (selinux_check_passwd_access(PASSWD__CRONTAB) != 0)
+- return -1;
++ int selinux_check_passwd_access = -1;
++ if (is_selinux_enabled() > 0) {
++ security_context_t user_context;
++ if (getprevcon_raw(&user_context) == 0) {
++ security_class_t passwd_class;
++ struct av_decision avd;
++ int retval;
++
++ passwd_class = string_to_security_class("passwd");
++ if (passwd_class == 0) {
++ selinux_check_passwd_access = -1;
++ fprintf(stderr, "Security class \"passwd\" is not defined in the SELinux policy.\n");
++ }
++
++ retval = security_compute_av_raw(user_context,
++ user_context,
++ passwd_class,
++ PASSWD__CRONTAB,
++ &avd);
++
++ if ((retval == 0) && ((PASSWD__CRONTAB & avd.allowed) == PASSWD__CRONTAB)) {
++ selinux_check_passwd_access = 0;
++ }
++ freecon(user_context);
++ }
++
++ if (selinux_check_passwd_access != 0 && security_getenforce() == 0)
++ selinux_check_passwd_access = 0;
++
++ return selinux_check_passwd_access;
++ }
+ #endif
+ return 0;
+ }
diff --git a/cronie.spec b/cronie.spec
index 4b29cba..39fb7ee 100644
--- a/cronie.spec
+++ b/cronie.spec
@@ -6,11 +6,13 @@ Summary: Cron daemon for executing programs at set times Name: cronie Version: 1.4.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT and BSD and GPLv2 Group: System Environment/Base URL: https://fedorahosted.org/cronie Source0: https://fedorahosted.org/releases/c/r/cronie/%{name}-%{version}.tar.gz +Patch0: cronie-selinux_passwd.patch +Patch1: cronie-pam.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: syslog, bash >= 2.0 
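Review bot: In the inlined check in crontab_security_access(), the `passwd_class == 0` branch logs the missing class but does not stop, so `security_compute_av_raw()` is still called with an undefined class and the access decision then depends on what that call returns for class 0. Make the computation the alternative branch: change the `}` that closes the `if (passwd_class == 0)` block to `} else {` and close it after the `avd.allowed` test, so `freecon(user_context)` still runs on both paths. The local `int selinux_check_passwd_access` also shadows the function of the same name that the removed lines called; a name such as `access_status` avoids the confusion. Where a failed check is turned into 0 because `security_getenforce() == 0`, a comment such as `/* permissive mode: report success although policy did not grant passwd:crontab */` would make the fail-open path explicit.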
@@ -71,6 +73,8 @@ Old style of {hourly,daily,weekly,monthly}.jobs without anacron. No features. %prep %setup -q +%patch0 -p1 +%patch1 -p1 %build @@ -193,6 +197,9 @@ cp -a /var/lock/subsys/crond /var/lock/subsys/cronie > /dev/null 2>&1 ||: %attr(0644,root,root) %{_sysconfdir}/cron.d/dailyjobs %changelog +* Thu Nov 5 2009 Marcela Mašláňová - 1.4.3-2 +- 533189 pam needs add a line and selinux needs defined one function + * Fri Oct 30 2009 Marcela Mašláňová - 1.4.3-1 - 531963 and 532482 creating noanacron package