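--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -28,6 +28,15 @@
 
 #include "cron.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#define SYSUSERNAME "system_u"
+#else
+#define SYSUSERNAME "*system*"
+#endif
+
 #define TMAX(a,b) ((a)>(b)?(a):(b))
 
 static void process_crontab(const char *, const char *,
@@ -183,7 +192,7 @@
 if (fname == NULL) {
 /* must be set to something for logging purposes.
 */
-fname = "*system*";
+fname = SYSUSERNAME;
 } else if ((pw = getpwnam(uname)) == NULL) {
 /* file doesn't have a user in passwd file.
 */
@@ -245,6 +254,117 @@
 free_user(u);
 log_it(fname, getpid(), "RELOAD", tabname);
 }
+#ifdef WITH_SELINUX
+if (is_selinux_enabled()) {
+security_context_t file_context=NULL;
+security_context_t user_context=NULL;
+context_t current_context = NULL;
+char *current_context_str = NULL;
+struct av_decision avd;
+int retval=0;
+char *seuser=NULL;
+char *level=NULL;
+int sys_user = 0;
+
+sys_user = strcmp(SYSUSERNAME, fname);
+
+if (fgetfilecon(crontab_fd, &file_context) < OK) {
+log_it(fname, getpid(), "getfilecon FAILED", tabname);
+goto next_crontab;
+}
+
+if (sys_user != 0) {
+if (getseuserbyname(fname, &seuser, &level) < 0) {
+log_it(fname, getpid(), "NO SEUSER", tabname);
+goto next_crontab;
+}
+} else {
+if (getcon(¤t_context_str) < 0) {
+log_it(fname, getpid(), "getcon FAILED", tabname);
+goto next_crontab;
+}
+
+current_context = context_new(current_context_str);
+if (current_context == 0) {
+log_it(fname, getpid(), "context new FAILED", tabname);
+freecon(current_context_str);
+goto next_crontab;
+}
+
+seuser = context_user_get(current_context);
+level = context_range_get(current_context);
+}
+
+if (get_default_context_with_level(seuser, level, NULL, &user_context) < 0) {
+log_it(fname, getpid(), "NO CONTEXT", tabname);
+freecon(file_context);
+if (sys_user != 0) {
+free(seuser);
+free(level);
+}
+freecon(current_context_str);
+context_free(current_context);
+goto next_crontab;
+}
+
+/*
+* Since crontab files are not directly executed,
+* crond must ensure that the crontab file has
+* a context that is appropriate for the context of
+* the user cron job. It performs an entrypoint
+* permission check for this purpose.
+*/
+security_class_t file_class;
+access_vector_t entrypoint_bit;
+file_class = string_to_security_class("file");
+if (file_class == 0) {
+log_it(fname, getpid(), "file CLASS NOT DEFINED", tabname);
+freecon(current_context_str);
+context_free(current_context);
+freecon(user_context);
+freecon(file_context);
+if (sys_user != 0) {
+free(seuser);
+free(level);
+}
+goto next_crontab;
+}
+
+entrypoint_bit = string_to_av_perm(file_class, "entrypoint");
+if (entrypoint_bit == 0) {
+log_it(fname, getpid(), "file:entrypoint AV NOT DEFINED", tabname);
+freecon(current_context_str);
+context_free(current_context);
+freecon(user_context);
+freecon(file_context);
+if (sys_user != 0) {
+free(seuser);
+free(level);
+}
+goto next_crontab;
+}
+
+retval = security_compute_av_raw(user_context,
+file_context,
+file_class,
+entrypoint_bit,
+&avd);
+
+freecon(user_context);
+freecon(file_context);
+if (sys_user != 0) {
+free(seuser);
+free(level);
+}
+context_free(current_context);
+freecon(current_context_str);
+
+if (retval || ((entrypoint_bit & avd.allowed) != entrypoint_bit)) {
+log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+goto next_crontab;
+}
+}
+#endif
 u = load_user(crontab_fd, pw, fname);
 if (u != NULL) {
 u->mtime = statbuf->st_mtime;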
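Review bot: The `file_context` returned by fgetfilecon() is leaked on the three early exits that follow it — the `NO SEUSER`, `getcon FAILED` and `context new FAILED` branches jump to next_crontab without `freecon(file_context);`, unlike every later failure path, so a crontab whose owner has no SELinux user mapping leaks one context string per database reload. Either add `freecon(file_context);` before each of those three `goto next_crontab;` lines, or collapse the repeated eight-line cleanup blocks into a single local cleanup label that frees whatever is non-NULL before jumping to next_crontab. The name `sys_user` reads inverted: it holds the strcmp() result, so it is non-zero for a regular user and zero for the system crontab; `int is_system = strcmp(SYSUSERNAME, fname) == 0;` would make the two branches self-explanatory. Mixing translated and raw contexts — fgetfilecon() and get_default_context_with_level() feeding security_compute_av_raw() — looks likely to make the AV query fail on hosts where MLS label translation is active, which the code handles fail-closed (a non-zero retval denies the crontab) but would then silently disable every user crontab; confirm against the libselinux in use and pick either the _raw or the translated API consistently. The enclosing function and the next_crontab label lie outside the hunk, and the page renders the getcon() argument as `¤t_context_str`, presumably an HTML-entity mangling of `&current_context_str` rather than a defect in the patch.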