From: James Antill <jantill@redhat.com>
To: redhat-lspp <redhat-lspp@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)
Date: Tue, 07 Nov 2006 17:02:58 -0500 [thread overview]
Message-ID: <1162936978.26574.20.camel@code.and.org> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 520 bytes --]
I think this is what we want for the cron patch. It's basically doing
the same checks as the PAM patches. It also limits what the user can
change to just the MLS range.
At the moment I've just copied the original functions that need to be
replaced, so you can see the old vs. the new. As the final commit the
old ones should probably just die.
I've also kept the name SELINUX_ROLE_TYPE, I'm not sure if it should be
changed to SELINUX_ROLE_RANGE or something else?
--
James Antill <jantill@redhat.com>
[-- Attachment #1.2: vixie-cron-4.1-_60-SELinux-contains-range.patch --]
[-- Type: text/x-patch, Size: 7775 bytes --]
Only in vixie-cron-4.1: crond.pam.pamd_crond
diff -rup vixie-cron-4.1-orig/security.c vixie-cron-4.1/security.c
--- vixie-cron-4.1-orig/security.c 2006-11-02 22:28:04.000000000 -0500
+++ vixie-cron-4.1/security.c 2006-11-06 18:04:21.000000000 -0500
@@ -23,12 +23,16 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#include <selinux/flask.h>
#include <selinux/av_permissions.h>
#include <selinux/get_context_list.h>
#endif
static char ** build_env(char **cronenv);
+static int cron_get_job_range( user *u, void *scontextp, void *file_contextp, char **jobenv );
+static int cron_change_selinux_range( user *u,
+ void *scontext, void *file_context );
int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
@@ -60,7 +64,8 @@ int cron_set_job_security_context( entry
security_context_t scontext=0, file_context=0;
- if ( cron_get_job_context(u, &scontext, &file_context, *jobenv) < OK )
+ /* if ( cron_get_job_context(u, &scontext, &file_context, *jobenv) < OK ) */
+ if ( cron_get_job_range(u, &scontext, &file_context, *jobenv) < OK )
{
syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s",
e->pwd->pw_name, strerror(errno)
@@ -79,7 +84,8 @@ int cron_set_job_security_context( entry
}
#if WITH_SELINUX
- if ( cron_change_selinux_context( u, scontext, file_context ) != 0 )
+ /* if ( cron_change_selinux_context( u, scontext, file_context ) != 0 ) */
+ if ( cron_change_selinux_range( u, scontext, file_context ) != 0 )
{
syslog(LOG_INFO,"CRON (%s) ERROR: failed to change SELinux context",
e->pwd->pw_name);
@@ -201,6 +207,7 @@ cron_authorize_context
#ifdef WITH_SELINUX
struct av_decision avd;
int retval;
+ unsigned int bit = FILE__ENTRYPOINT;
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
@@ -208,13 +215,37 @@ cron_authorize_context
* the user cron job. It performs an entrypoint
* permission check for this purpose.
*/
- retval = security_compute_av(scontext,
- file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
- &avd);
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_FILE, bit, &avd);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+#endif
+ return 1;
+}
+
+static int
+cron_authorize_range
+(
+ security_context_t scontext,
+ security_context_t file_context
+)
+{
+#ifdef WITH_SELINUX
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab range has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_CONTEXT, bit, &avd);
+
+ if (retval || ((bit & avd.allowed) != bit))
return 0;
#endif
return 1;
@@ -265,6 +296,98 @@ int cron_get_job_context( user *u, void
return 0;
}
+static int cron_get_job_range( user *u, void *scontextp, void *file_contextp, char **jobenv )
+{
+#if WITH_SELINUX
+ char *sroletype;
+
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+ if ( (file_contextp == 0) || (scontextp == 0L) )
+ return -1;
+
+ *((security_context_t*)scontextp) = u->scontext;
+ *((void **)file_contextp) = 0L;
+
+ if ( (sroletype = env_get("SELINUX_ROLE_TYPE",jobenv)) != 0L )
+ {
+ char crontab[MAX_FNAME];
+ context_t ccon;
+
+ if ( strcmp(u->name,"*system*") == 0 )
+ strncpy(crontab, u->tabname, MAX_FNAME);
+ else
+ snprintf(crontab, MAX_FNAME, "%s/%s", CRONDIR, u->tabname);
+
+ if ( getfilecon( crontab, file_contextp ) == -1 )
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "getfilecon FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ if ( access( crontab, F_OK ) == 0 )
+ {
+ log_it(u->name,
+ getpid(),
+ "getfilecon FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ if (!(ccon = context_new(file_contextp)))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_new FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_new FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ if (context_range_set(ccon, sroletype))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_range_set FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_range_set FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ *((security_context_t*)scontextp) = context_str(ccon);
+
+ context_free(ccon);
+ }
+#endif
+ return 0;
+}
+
int cron_change_selinux_context( user *u, void *scontext, void *file_context )
{
#ifdef WITH_SELINUX
@@ -332,6 +455,74 @@ int cron_change_selinux_context( user *u
return 0;
}
+static int cron_change_selinux_range( user *u,
+ void *scontext, void *file_context )
+{
+#ifdef WITH_SELINUX
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+
+ if ( scontext == 0L )
+ {
+ if (security_getenforce() > 0)
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user",
+ ""
+ );
+ return -1;
+ }else
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user, "
+ "but SELinux in permissive mode, continuing",
+ ""
+ );
+ return 0;
+ }
+ }
+
+ if ( file_context )
+ {
+ if ( ! cron_authorize_range( scontext, file_context ) )
+ {
+ if ( security_getenforce() > 0 )
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user",
+ u->name, (char*)scontext
+ );
+ return -1;
+ } else
+ {
+ syslog(LOG_INFO,
+ "CRON (%s) WARNING:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user,"
+ " but SELinux in permissive mode, continuing",
+ u->name, (char*)scontext
+ );
+ }
+ }
+ }
+
+ if ( setexeccon(scontext) < 0 )
+ {
+ if (security_getenforce() > 0)
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Could not set exec context to %s for user",
+ u->name, (char*)scontext
+ );
+
+ return -1;
+ }
+ }
+#endif
+ return 0;
+}
+
int get_security_context( const char *name,
int crontab_fd,
security_context_t *rcontext,
Only in vixie-cron-4.1: security.c.security
Only in vixie-cron-4.1: security.c.selinux-contains-range
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next reply other threads:[~2006-11-07 22:02 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-07 22:02 James Antill [this message]
2006-11-08 14:04 ` [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches) Stephen Smalley
2006-11-08 20:32 ` James Antill
2006-11-08 20:53 ` Stephen Smalley
2006-11-08 21:57 ` James Antill
2006-11-08 22:13 ` Stephen Smalley
2006-11-08 23:47 ` James Antill
2006-11-09 15:07 ` Stephen Smalley
2006-11-09 15:40 ` James Antill
2006-11-09 15:57 ` Stephen Smalley
2006-11-09 16:28 ` James Antill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1162936978.26574.20.camel@code.and.org \
--to=jantill@redhat.com \
--cc=redhat-lspp@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.