From: Arkadiusz Miskiewicz <arekm@pld-linux.org>
To: selinux@tycho.nsa.gov
Subject: modification of vixie-cron patch to get crond working in permissive mode
Date: Thu, 1 Jan 2004 17:05:12 +0100
Message-ID: <200401011705.12427.arekm@pld-linux.org>
Hi,
This patch should be applied after fedora core selinux patch for vixie-cron
(probably the same as on nsa.gov/selinux page).
It changes behaviour when running selinux in permissive mode. Until now, when
there was no known context with which jobs should be executed, an error
message was logged and the crontab file was skipped. Now the error message is
logged but the jobs are still run.
It's better to have a working crond plus a bunch of log messages than an
unusable crond.
Please apply + rediff the new selinux patch.
--
Arkadiusz Miśkiewicz CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux
[-- Attachment #2: vixie-cron-selinux-pld.patch --]
diff -urN vixie-cron-3.0.1.org/database.c vixie-cron-3.0.1/database.c
--- vixie-cron-3.0.1.org/database.c 2004-01-01 16:37:48.651341944 +0100
+++ vixie-cron-3.0.1/database.c 2004-01-01 16:58:42.478731208 +0100
@@ -350,8 +350,13 @@
int retval=0;
if (fgetfilecon(crontab_fd, &file_context) < OK) {
- log_it(fname, getpid(), "getfilecon FAILED", tabname);
- goto next_crontab;
+ if (security_getenforce() > 0) {
+ log_it(fname, getpid(), "getfilecon FAILED", tabname);
+ goto next_crontab;
+ } else {
+ log_it(fname, getpid(), "getfilecon FAILED but SELinux in permissive mode, continuing", tabname);
+ goto selinux_out;
+ }
}
/*
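Review bot: `security_getenforce() > 0` treats a failure to query the mode (libselinux returns -1 when the enforce state cannot be read) the same as permissive, so in the new `else` branch a lookup error now turns into "continuing" where the old code skipped the crontab. Test `< 0` separately and keep the `goto next_crontab` there so the check fails closed; the same `> 0` test is repeated in the following hunks and in do_command.c, so a single helper that returns "enforcing" for both `> 0` and the error case would keep all four sites consistent.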
@@ -362,9 +367,14 @@
* permission check for this purpose.
*/
if (get_default_context(fname, NULL, &user_context)) {
- log_it(fname, getpid(), "NO CONTEXT", tabname);
freecon(file_context);
- goto next_crontab;
+ if (security_getenforce() > 0) {
+ log_it(fname, getpid(), "NO CONTEXT", tabname);
+ goto next_crontab;
+ } else {
+ log_it(fname, getpid(), "NO CONTEXT but SELinux in permissive mode, continuing", tabname);
+ goto selinux_out;
+ }
}
retval = security_compute_av(user_context,
file_context,
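Review bot: this `if (security_getenforce() > 0) { ... } else { ... }` block is a second copy of the one in the fgetfilecon hunk, differing only in the log string; a small static helper such as `selinux_skip_or_continue(fname, tabname, "NO CONTEXT")` returning whether to skip would remove the duplication and leave one place to fix the enforce check. Also, `security_getenforce()` reads the enforce node under the selinux mount on every call, and this function can now call it up to three times per crontab on every database reload; read it once into a local at the top of the SELinux block instead.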
@@ -374,9 +384,15 @@
freecon(user_context);
freecon(file_context);
if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
- log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
- goto next_crontab;
+ if (security_getenforce() > 0) {
+ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+ goto next_crontab;
+ } else {
+ log_it(fname, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
+ goto selinux_out;
+ }
}
+selinux_out:
}
#endif
u = load_user(crontab_fd, pw, fname);
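Review bot: `selinux_out:` sits directly before the closing `}` of the `if (is_selinux_enabled())` block, and ISO C requires a statement after a label, so a label followed immediately by `}` is not valid C; terminate it with a null statement (`selinux_out: ;`). Within this hunk the `else` branch's `goto selinux_out` jumps to the very next line, so only the `log_it` is needed there. Memory-wise the permissive path is fine: `user_context` and `file_context` are already freed above the check, so nothing leaks when the crontab is loaded despite the failed entrypoint check.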
diff -urN vixie-cron-3.0.1.org/do_command.c vixie-cron-3.0.1/do_command.c
--- vixie-cron-3.0.1.org/do_command.c 2004-01-01 16:37:48.707333432 +0100
+++ vixie-cron-3.0.1/do_command.c 2004-01-01 16:56:33.269374016 +0100
@@ -280,14 +280,21 @@
if (is_selinux_enabled()) {
security_context_t scontext;
if (get_default_context(u->name, NULL, &scontext)) {
- fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name);
- _exit(ERROR_EXIT);
+ if (security_getenforce() > 0) {
+ fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name);
+ _exit(ERROR_EXIT);
+ } else
+ fprintf(stderr, "execle: couldn't get security context for user %s but SELinux in permissive mode, continuing\n", u->name);
+ } else {
+ if (setexeccon(scontext) < 0) {
+ if (security_getenforce() > 0) {
+ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
+ _exit(ERROR_EXIT);
+ } else
+ fprintf(stderr, "Could not set exec context to %s for user %s but SELinux in permissive mode, continuing\n", scontext,u->name);
+ }
+ freecon(scontext);
}
- if (setexeccon(scontext) < 0) {
- fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
- _exit(ERROR_EXIT);
- }
- freecon(scontext);
}
#endif
execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
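Review bot: both `} else` branches carry an unbraced multi-line `fprintf` while their `if` sides are braced; brace both for consistency and to make the fall-through to `execle` obvious. The diagnostic in the permissive path is written to the child's stderr, which cron mails to the crontab owner, rather than to syslog as the `log_it` calls in database.c are, so the administrator will not see in the cron log that a job ran without its intended exec context; log it through syslog as well. The `security_getenforce()` error case (-1) falls into the permissive branch here too, as in the database.c hunks.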