Gentoo's Bugzilla – Attachment 339832 Details for
Bug 458886
sys-process/fcron - fcrontab unable to properly handle su user
test-relabel.c
test-relabel.c (text/plain), 8.15 KB, created by
vespian
on 2013-02-23 18:43:55 UTC
Description:
test-relabel.c
Filename:
MIME Type:
Creator:
vespian
Created:
2013-02-23 18:43:55 UTC
Size:
8.15 KB
patch
obsolete
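/*
 * test-relabel.c -- stand-alone reproducer for Gentoo bug 458886
 * ("fcrontab unable to properly handle su user").
 *
 * When fcrontab is started through su/sudo the process keeps the SELinux user
 * of the original login (the seuser is not changed by su), while the crontab
 * written into the spool directory has to carry the SELinux user of the
 * account the crontab belongs to.  This program creates
 * /var/spool/fcron/test-<user> and then tries to give it the label fcron
 * would need:
 *
 *   1. the matchpathcon() default for the path, if file_contexts has one;
 *   2. otherwise the file-creation context the kernel derives from the spool
 *      directory's label, with the SELinux user replaced by the target
 *      user's default seuser when the process' seuser does not match.
 *
 * Usage:  test-relabel [user]
 *   With an explicit user the process must already run in admin_crontab_t.
 *   Without one, $USER is used (falling back to getpwuid(getuid())).
 *
 * Exit status: 0 when the file was labelled, 1 on any failure.
 *
 * Review notes on the original version fixed here:
 *   - SE_set_file_con() never set result to 0, so every relabel reported
 *     failure even when setfilecon() succeeded;
 *   - SE_fix_file_context() free()d an uninitialised SE_level on early exit;
 *   - <stdarg.h> was missing although Debug() uses va_start/va_end;
 *   - return values of context_new(), security_compute_create(), malloc(),
 *     strdup() and getenv("USER") were used without NULL checks;
 *   - SECCLASS_FILE / FILE__RELABEL* compile-time constants were replaced by
 *     policy lookups (string_to_security_class/string_to_av_perm); libselinux
 *     deprecated the constants because they may disagree with the loaded
 *     policy, so <selinux/flask.h> and <selinux/av_permissions.h> are no
 *     longer included.
 */
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/get_context_list.h>

/* Unused in this file; kept for compatibility with the original listing. */
#define UNUSED(x) if(x) {;}

/* Test file is TESTFILE<user>, inside fcron's spool directory. */
#define TESTFILE "/var/spool/fcron/test-"
#define FCRON_SPOOL_DIR "/var/spool/fcron/"

/* Log a "debug" level message.  debug_opt gates the debug() macro only;
 * Debug() itself always prints.  The macro is unused in this file (and is
 * dangling-else prone), kept as in the original. */
char debug_opt = 1;
#define debug if(debug_opt) Debug

#ifdef __GNUC__
void Debug(char *fmt, ...) __attribute__((format(printf, 1, 2)));
#endif

/*
 * printf()-style debug output to stdout.
 *
 * @fmt  printf format string, followed by its arguments.
 */
void Debug(char *fmt, ...)
{
	va_list args;

	va_start(args, fmt);
	vprintf(fmt, args);
	va_end(args);
}

/*
 * Look up the policy's "file" object class at run time.
 *
 * Returns the class id, or 0 (after printing a diagnostic) if the loaded
 * policy has no "file" class.
 */
static security_class_t se_file_class(void)
{
	security_class_t cls = string_to_security_class("file");

	if (cls == 0)
		printf("loaded policy has no \"file\" class: %s\n",
		       strerror(errno));
	return cls;
}

/*
 * Compare the SELinux user of the calling process with the default SELinux
 * user (seusers mapping) of the Linux account `user`.
 *
 * After su/sudo the process normally still carries the login's seuser
 * (e.g. staff_u) while `user` maps to something else, which is exactly the
 * situation the bug is about.
 *
 * @user  Linux account name to look up with getseuserbyname().
 * Returns 1 on mismatch, 0 when the seusers match, -1 on error.
 */
int SE_check_seuser_mismatch(char *user)
{
	char *se_context = NULL;
	char *SE_user_default = NULL;
	char *SE_level = NULL;
	const char *SE_user_current;
	context_t context_buf = NULL;
	int result = -1;

	if (user == NULL) {
		printf("SE_check_seuser_mismatch: no user name given\n");
		goto end;
	}

	if (getcon(&se_context) < 0) {
		printf("failed to fetch current context\n");
		goto end;
	}

	/* Only the seuser is compared; the MLS level is fetched because the
	 * API hands it out and must be freed, but it is not checked here. */
	if (getseuserbyname(user, &SE_user_default, &SE_level)) {
		printf("getseuserbyname(\"%s\") failed\n", user);
		goto end;
	}

	context_buf = context_new(se_context);
	if (context_buf == NULL) {
		printf("context_new(\"%s\") failed\n", se_context);
		goto end;
	}

	SE_user_current = context_user_get(context_buf);
	if (SE_user_current == NULL) {
		printf("context \"%s\" has no user field\n", se_context);
		goto end;
	}

	if (strcmp(SE_user_current, SE_user_default) != 0) {
		Debug("Selinux user context mismatch: %s != %s\n",
		      SE_user_current, SE_user_default);
		result = 1;
	} else {
		Debug("Selinux user contexts match\n");
		result = 0;
	}

end:
	/* free(NULL) is a no-op; the libselinux destructors are guarded. */
	free(SE_user_default);
	free(SE_level);
	if (context_buf)
		context_free(context_buf);
	if (se_context)
		freecon(se_context);

	return result;
}

/*
 * Relabel `path` to `t_fcontext`.
 *
 * Before the relabel the security server is asked whether the caller's
 * domain holds file:relabelfrom on the current label and file:relabelto on
 * the target label, so a denial yields a readable diagnostic (both contexts
 * printed) instead of a bare EACCES from setfilecon().  The kernel enforces
 * the same permissions on the relabel itself; the pre-check is advisory and
 * there is a window between check and relabel in which policy could change.
 *
 * The label is read and written with lgetfilecon()/lsetfilecon(), i.e.
 * without following a final symlink: a link planted in the spool directory
 * can then at worst get itself relabelled, never redirect the relabel to an
 * unrelated file.  (A descriptor-based fgetfilecon()/fsetfilecon() would be
 * tighter still but needs open() access to the file.)
 *
 * @t_fcontext  target security context string.
 * @path        file to relabel.
 * Returns 0 on success, -1 on error or denial.
 */
int SE_set_file_con(char *t_fcontext, char *path)
{
	int result = -1;
	struct av_decision avd;
	char *cur_se_context = NULL;
	char *cur_fcontext = NULL;
	security_class_t file_class;
	access_vector_t relabelfrom, relabelto;

	if (t_fcontext == NULL || path == NULL) {
		printf("SE_set_file_con: missing context or path\n");
		return -1;
	}

	file_class = se_file_class();
	if (file_class == 0)
		goto end;

	/* Permission bits are looked up against the loaded policy rather than
	 * taken from the deprecated compile-time FILE__RELABEL* constants. */
	relabelfrom = string_to_av_perm(file_class, "relabelfrom");
	relabelto = string_to_av_perm(file_class, "relabelto");
	if (relabelfrom == 0 || relabelto == 0) {
		printf("loaded policy lacks file:relabelfrom/relabelto\n");
		goto end;
	}

	if (getcon(&cur_se_context) < 0) {
		printf("failed to fetch current context\n");
		goto end;
	}

	if (lgetfilecon(path, &cur_fcontext) < 0) {
		printf("Failed to get current file context for %s\n", path);
		goto end;
	}

	if (security_compute_av(cur_se_context, cur_fcontext,
				file_class, relabelfrom, &avd) < 0) {
		printf("failed to calculate AVD decision for FILE__RELABELFROM\n");
		goto end;
	}

	if ((relabelfrom & avd.allowed) != relabelfrom) {
		printf("FILE__RELABELFROM denied for path %s, scon=%s, pcon=%s\n",
		       path, cur_fcontext, cur_se_context);
		goto end;
	}

	if (security_compute_av(cur_se_context, t_fcontext,
				file_class, relabelto, &avd) < 0) {
		printf("failed to calculate AVD decision for FILE__RELABELTO\n");
		goto end;
	}

	if ((relabelto & avd.allowed) != relabelto) {
		printf("FILE__RELABELTO denied for path %s, tcon=%s, pcon=%s\n",
		       path, t_fcontext, cur_se_context);
		goto end;
	}

	if (lsetfilecon(path, t_fcontext) < 0) {
		printf("Failed to set new file context for %s: %s\n",
		       path, strerror(errno));
		goto end;
	}

	/* The original never reached a success value here and always
	 * reported -1 to its callers. */
	result = 0;

end:
	if (cur_fcontext)
		freecon(cur_fcontext);
	if (cur_se_context)
		freecon(cur_se_context);

	return result;
}

/*
 * Give the crontab file `path` of Linux account `user` the label fcron needs.
 *
 *   1. If file_contexts has an entry for the path (matchpathcon()), use it.
 *   2. Otherwise compute the context a file created by this process in
 *      FCRON_SPOOL_DIR would get (security_compute_create() -- the
 *      name-aware security_compute_create_name() needs kernel >= 2.6.40,
 *      so it is deliberately not used).
 *      a. If the process' seuser already equals the user's default seuser
 *         nothing needs to change.
 *      b. Otherwise (su/sudo case) keep role/type/level of the computed
 *         context but substitute the user's default seuser, then relabel.
 *
 * @user  Linux account owning the crontab.
 * @path  crontab file to relabel.
 * Returns 0 on success, -1 on error.
 */
int SE_fix_file_context(char *user, char *path)
{
	int rv;
	int result = -1;
	context_t context_buf = NULL;
	char *dir_context = NULL;
	char *new_context = NULL;
	char *cur_se_context = NULL;
	char *SE_user_default = NULL;
	char *SE_level = NULL;	/* was uninitialised, then free()d at end: */
	const char *fixed;
	security_class_t file_class;

	if (user == NULL || path == NULL) {
		printf("SE_fix_file_context: missing user or path\n");
		return -1;
	}

	/* Step 1: an explicitly configured context for this path wins.
	 * matchpathcon() reports "no entry" as -1 with errno == ENOENT. */
	rv = matchpathcon(path, S_IFREG, &new_context);
	if (rv < 0 && errno != ENOENT) {
		printf("matchpathcon(%s) failed: %s\n", path, strerror(errno));
		goto end;
	}
	if (rv == 0) {
		Debug("predefined context found for crontab file: %s\n",
		      new_context);
		result = SE_set_file_con(new_context, path);
		goto end;
	}

	/* Step 2: no default context for this path -- derive the creation
	 * context from the spool directory's label. */
	file_class = se_file_class();
	if (file_class == 0)
		goto end;

	if (getcon(&cur_se_context) < 0) {
		printf("failed to fetch current context\n");
		goto end;
	}

	if (getfilecon(FCRON_SPOOL_DIR, &dir_context) < 0) {
		printf("Failed to get file context: %s\n", strerror(errno));
		goto end;
	}

	if (security_compute_create(cur_se_context, dir_context,
				    file_class, &new_context) < 0) {
		printf("security_compute_create() failed: %s\n",
		       strerror(errno));
		goto end;
	}

	rv = SE_check_seuser_mismatch(user);
	if (rv < 0) {
		/* The original treated a lookup error like a mismatch and
		 * relabelled anyway; fail explicitly instead. */
		goto end;
	}
	if (rv == 0) {
		Debug("File creation context OK, no need to change\n");
		result = 0;
		goto end;
	}

	/* Step 2b: process seuser != target user's seuser (su/sudo). */
	if (getseuserbyname(user, &SE_user_default, &SE_level)) {
		printf("getseuserbyname(\"%s\") failed\n", user);
		goto end;
	}

	context_buf = context_new(new_context);
	if (context_buf == NULL) {
		printf("context_new(\"%s\") failed\n", new_context);
		goto end;
	}

	if (context_user_set(context_buf, SE_user_default) != 0) {
		printf("failed to set SELinux user %s on context %s\n",
		       SE_user_default, new_context);
		goto end;
	}

	fixed = context_str(context_buf);
	if (fixed == NULL) {
		printf("context_str() failed\n");
		goto end;
	}

	Debug("determined correct crontab file context: %s\n", fixed);
	/* context_str() returns storage owned by context_buf; the callee
	 * only reads it. */
	result = SE_set_file_con((char *)fixed, path);

end:
	if (context_buf)
		context_free(context_buf);
	if (cur_se_context)
		freecon(cur_se_context);
	if (new_context)
		freecon(new_context);
	if (dir_context)
		freecon(dir_context);
	free(SE_level);
	free(SE_user_default);

	return result;
}

/*
 * Tell whether the calling process runs in the admin_crontab_t domain,
 * which is what the policy requires for handling other users' crontabs.
 *
 * Returns 1 if the current context's type is admin_crontab_t, 0 if it is
 * anything else, -1 on error.
 */
int SE_check_admin_crontab(void)
{
	char *cur_se_context = NULL;
	context_t context_buf = NULL;
	const char *se_type;
	int result = -1;

	if (getcon(&cur_se_context) < 0) {
		printf("failed to fetch current context\n");
		goto end;
	}

	Debug("Current SElinux context is %s\n", cur_se_context);

	context_buf = context_new(cur_se_context);
	if (context_buf == NULL) {
		printf("context_new(\"%s\") failed\n", cur_se_context);
		goto end;
	}

	se_type = context_type_get(context_buf);
	if (se_type == NULL) {
		printf("context \"%s\" has no type field\n", cur_se_context);
		goto end;
	}

	result = (strcmp(se_type, "admin_crontab_t") == 0) ? 1 : 0;

end:
	if (context_buf)
		context_free(context_buf);
	if (cur_se_context)
		freecon(cur_se_context);

	return result;
}

/*
 * (Re)create the test file at `path` and write its own path into it.
 *
 * Failures are only reported via Debug(), as in the original: the caller
 * merely needs a file to exist, and a missing file shows up later as a
 * getfilecon() error in the relabel step.
 *
 * @path  file to create.
 */
void do_some_stuff(char *path)
{
	int fd;
	FILE *fp;
	size_t len;

	/* Plain unlink() instead of access()+unlink(): the access() probe was
	 * a TOCTOU window and ENOENT is simply "nothing to remove". */
	if (unlink(path) == 0)
		Debug("Test file exists, removing\n");
	else if (errno != ENOENT)
		Debug("Failed to remove old test file: %s\n", strerror(errno));

	/* O_EXCL|O_NOFOLLOW so that a link dropped in between the unlink()
	 * and the create cannot make us write somewhere else.  Mode 0666 is
	 * what fopen(path, "w") used (subject to umask). */
	fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0666);
	if (fd < 0) {
		Debug("Failed to create the test file: %s\n", strerror(errno));
		return;
	}

	fp = fdopen(fd, "w");
	if (fp == NULL) {
		Debug("Failed to create the test file: %s\n", strerror(errno));
		close(fd);
		return;
	}

	len = strlen(path);
	if (fwrite(path, 1, len, fp) != len)
		Debug("Short write to the test file: %s\n", strerror(errno));
	if (fclose(fp) != 0)
		Debug("Failed to close the test file: %s\n", strerror(errno));
}

/*
 * Entry point.  See the file header for the overall flow.
 *
 * argv[1], if given, names the user whose test crontab is created; the
 * process must then run in admin_crontab_t.  Otherwise the current user is
 * taken from $USER, falling back to getpwuid(getuid()) when it is unset.
 *
 * NOTE(review): a real (setuid) fcrontab must never derive the user from the
 * environment -- $USER is attacker controlled; use getuid().  This test
 * program keeps $USER because that is what the bug report exercises.
 *
 * Returns 0 on success, 1 on failure.
 */
int main(int argc, char *argv[])
{
	int rv;
	char *user = NULL;
	char *testfile = NULL;
	int result = 1;
	size_t len;

	if (argc > 1) {
		user = strdup(argv[1]);
		if (user == NULL) {
			perror("strdup");
			goto end;
		}
		rv = SE_check_admin_crontab();
		if (rv < 0) {
			goto end;
		} else if (rv == 0) {
			printf("To specify an user this process must be running in admin_crontab_t context. " \
			       "Try changing the role to sysadm_r and run the script once more.\n");
			goto end;
		}
	} else {
		const char *name = getenv("USER");
		if (name == NULL || *name == '\0') {
			/* su/sudo configurations may clear $USER; the real
			 * uid is always available. */
			struct passwd *pw = getpwuid(getuid());
			if (pw == NULL) {
				printf("cannot determine current user name: %s\n",
				       strerror(errno));
				goto end;
			}
			name = pw->pw_name;
		}
		user = strdup(name);
		if (user == NULL) {
			perror("strdup");
			goto end;
		}
		rv = SE_check_seuser_mismatch(user);
		if (rv < 0) {
			goto end;
		} else if (rv == 1) {
			rv = SE_check_admin_crontab();
			if (rv < 0) {
				goto end;
			} else if (rv == 0) {
				printf("Selinux user mismatch, probably due to su/sudo use. "
				       "Please make sure that the process is running in admin_crontab_t context and sysadm_r role.\n");
				goto end;
			}
		}
	}

	/* The name becomes a path component inside the spool directory; a
	 * '/' in it would let "test-../x" escape TESTFILE's directory. */
	if (*user == '\0' || strchr(user, '/') != NULL) {
		printf("invalid user name \"%s\"\n", user);
		goto end;
	}

	len = strlen(TESTFILE) + strlen(user) + 1;
	testfile = malloc(len);
	if (testfile == NULL) {
		perror("malloc");
		goto end;
	}
	snprintf(testfile, len, "%s%s", TESTFILE, user);

	/* do something useful <?> */
	do_some_stuff(testfile);

	if (SE_fix_file_context(user, testfile) == 0)
		result = 0;

end:
	free(user);
	free(testfile);

	return result;
}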