From: James Antill <jantill@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: redhat-lspp <redhat-lspp@redhat.com>, SE Linux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches)
Date: Wed, 08 Nov 2006 16:57:01 -0500 [thread overview]
Message-ID: <1163023021.29854.15.camel@code.and.org> (raw)
In-Reply-To: <1163019227.12241.178.camel@moss-spartans.epoch.ncsc.mil>
[-- Attachment #1.1: Type: text/plain, Size: 1048 bytes --]
On Wed, 2006-11-08 at 15:53 -0500, Stephen Smalley wrote:
> The scontext is supposed to be a process context in which to run the
> cron job, not a file context. You are presently replacing the default
> scontext (extracted from u->scontext that was previously computed) with
> a strange mixture of the crontab file context and the user-specified
> range. What you want to do is to take the default scontext value,
> create a new context that is identical except for its range (from the
> environment), and apply a check between those two contexts (and the
> check is only needed when using a user-supplied range).
Ok, I've used u->scontext instead of the file context now. I've also
renamed the variables. And the check should only happen if they specify
a different level.
> BTW, you cannot
> continue to refer to the string returned by context_str() after
> performing a context_free() on the structure; you'd have to dup it
> first.
Right, stupid mistake. Fixed that too.
--
James Antill <jantill@redhat.com>
[-- Attachment #1.2: vixie-cron-4.1-_60-SELinux-contains-range.patch --]
[-- Type: text/x-patch, Size: 7514 bytes --]
Only in vixie-cron-4.1: crond.pam.pamd_crond
diff -rup vixie-cron-4.1-orig/security.c vixie-cron-4.1/security.c
--- vixie-cron-4.1-orig/security.c 2006-11-02 22:28:04.000000000 -0500
+++ vixie-cron-4.1/security.c 2006-11-08 16:54:03.000000000 -0500
@@ -23,6 +23,7 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
+#include <selinux/context.h>
#include <selinux/flask.h>
#include <selinux/av_permissions.h>
#include <selinux/get_context_list.h>
@@ -30,6 +31,12 @@
static char ** build_env(char **cronenv);
+#ifdef WITH_SELINUX
+static int cron_change_selinux_range( user *u,
+ security_context_t ucontext );
+static int cron_get_job_range( user *u, security_context_t *ucontextp, char **jobenv );
+#endif
+
int cron_set_job_security_context( entry *e, user *u, char ***jobenv )
{
time_t minutely_time = 0;
@@ -58,9 +65,9 @@ int cron_set_job_security_context( entry
* we'll not be permitted to read the cron spool directory :-)
*/
- security_context_t scontext=0, file_context=0;
+ security_context_t ucontext=0;
- if ( cron_get_job_context(u, &scontext, &file_context, *jobenv) < OK )
+ if ( cron_get_job_range(u, &ucontext, *jobenv) < OK )
{
syslog(LOG_ERR, "CRON (%s) ERROR: failed to get selinux context: %s",
e->pwd->pw_name, strerror(errno)
@@ -79,16 +86,16 @@ int cron_set_job_security_context( entry
}
#if WITH_SELINUX
- if ( cron_change_selinux_context( u, scontext, file_context ) != 0 )
+ if (cron_change_selinux_range(u, ucontext) != 0)
{
syslog(LOG_INFO,"CRON (%s) ERROR: failed to change SELinux context",
e->pwd->pw_name);
- if ( file_context )
- freecon(file_context);
+ if ( ucontext )
+ freecon(ucontext);
return -1;
}
- if ( file_context )
- freecon(file_context);
+ if ( ucontext )
+ freecon(ucontext);
#endif
log_close();
@@ -201,6 +208,7 @@ cron_authorize_context
#ifdef WITH_SELINUX
struct av_decision avd;
int retval;
+ unsigned int bit = FILE__ENTRYPOINT;
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
@@ -208,13 +216,37 @@ cron_authorize_context
* the user cron job. It performs an entrypoint
* permission check for this purpose.
*/
- retval = security_compute_av(scontext,
- file_context,
- SECCLASS_FILE,
- FILE__ENTRYPOINT,
- &avd);
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_FILE, bit, &avd);
+
+ if (retval || ((bit & avd.allowed) != bit))
+ return 0;
+#endif
+ return 1;
+}
+
+static int
+cron_authorize_range
+(
+ security_context_t scontext,
+ security_context_t file_context
+)
+{
+#ifdef WITH_SELINUX
+ struct av_decision avd;
+ int retval;
+ unsigned int bit = CONTEXT__CONTAINS;
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab range has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ retval = security_compute_av(scontext, file_context,
+ SECCLASS_CONTEXT, bit, &avd);
- if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
+ if (retval || ((bit & avd.allowed) != bit))
return 0;
#endif
return 1;
@@ -265,6 +297,80 @@ int cron_get_job_context( user *u, void
return 0;
}
+#if WITH_SELINUX
+/* always uses u->scontext as the default process context, then changes the
+ level, and retuns it in ucontextp (or NULL otherwise) */
+static int cron_get_job_range( user *u, security_context_t *ucontextp,
+ char **jobenv )
+{
+ char *sroletype;
+
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+ if ( ucontextp == 0L )
+ return -1;
+
+ *ucontextp = 0L;
+
+ if ( (sroletype = env_get("MLS_LEVEL",jobenv)) != 0L )
+ {
+ char crontab[MAX_FNAME];
+ context_t ccon;
+
+ if ( strcmp(u->name,"*system*") == 0 )
+ strncpy(crontab, u->tabname, MAX_FNAME);
+ else
+ snprintf(crontab, MAX_FNAME, "%s/%s", CRONDIR, u->tabname);
+
+ if (!(ccon = context_new(u->scontext)))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_new FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_new FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ if (context_range_set(ccon, sroletype))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ log_it(u->name,
+ getpid(), "context_range_set FAILED for SELINUX_ROLE_TYPE",
+ sroletype
+ );
+ return -1;
+ } else
+ {
+ log_it(u->name,
+ getpid(),
+ "context_range_set FAILED but SELinux in permissive mode, continuing "
+ "- SELINUX_ROLE_TYPE=", sroletype
+ );
+ return 0;
+ }
+ }
+
+ *ucontextp = strdup(context_str(ccon));
+
+ context_free(ccon);
+ }
+
+ return 0;
+}
+#endif
+
int cron_change_selinux_context( user *u, void *scontext, void *file_context )
{
#ifdef WITH_SELINUX
@@ -332,6 +438,74 @@ int cron_change_selinux_context( user *u
return 0;
}
+#ifdef WITH_SELINUX
+static int cron_change_selinux_range( user *u,
+ security_context_t ucontext )
+{
+ if ( is_selinux_enabled() <= 0 )
+ return 0;
+
+ if ( u->scontext == 0L )
+ {
+ if (security_getenforce() > 0)
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user",
+ ""
+ );
+ return -1;
+ }else
+ {
+ log_it( u->name, getpid(),
+ "NULL security context for user, "
+ "but SELinux in permissive mode, continuing",
+ ""
+ );
+ return 0;
+ }
+ }
+
+ if ( ucontext && strcmp(u->scontext, ucontext) )
+ {
+ if ( ! cron_authorize_range( u->scontext, ucontext ))
+ {
+ if ( security_getenforce() > 0 )
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user",
+ u->name, (char*)ucontext
+ );
+ return -1;
+ } else
+ {
+ syslog(LOG_INFO,
+ "CRON (%s) WARNING:"
+ "Unauthorized exec context to SELINUX_ROLE_TYPE %s for user,"
+ " but SELinux in permissive mode, continuing",
+ u->name, (char*)ucontext
+ );
+ }
+ }
+ }
+
+ if ( setexeccon(ucontext) < 0 )
+ {
+ if (security_getenforce() > 0)
+ {
+ syslog(LOG_ERR,
+ "CRON (%s) ERROR:"
+ "Could not set exec context to %s for user",
+ u->name, (char*)ucontext
+ );
+
+ return -1;
+ }
+ }
+ return 0;
+}
+#endif
+
int get_security_context( const char *name,
int crontab_fd,
security_context_t *rcontext,
Only in vixie-cron-4.1: security.c.security
Only in vixie-cron-4.1: security.c.selinux-contains-range
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2006-11-08 21:57 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-07 22:02 [PATCH] cron changes needed for MLS range checking (requires at least the libselinux patches) James Antill
2006-11-08 14:04 ` Stephen Smalley
2006-11-08 20:32 ` James Antill
2006-11-08 20:53 ` Stephen Smalley
2006-11-08 21:57 ` James Antill [this message]
2006-11-08 22:13 ` Stephen Smalley
2006-11-08 23:47 ` James Antill
2006-11-09 15:07 ` Stephen Smalley
2006-11-09 15:40 ` James Antill
2006-11-09 15:57 ` Stephen Smalley
2006-11-09 16:28 ` James Antill
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1163023021.29854.15.camel@code.and.org \
--to=jantill@redhat.com \
--cc=redhat-lspp@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.