From: Arkadiusz Miskiewicz <arekm@pld-linux.org>
To: selinux@tycho.nsa.gov
Subject: Re: modification of vixie-cron patch to get crond working in permissive mode
Date: Thu, 1 Jan 2004 17:48:19 +0100	[thread overview]
Message-ID: <200401011748.19883.arekm@pld-linux.org> (raw)
In-Reply-To: <200401011705.12427.arekm@pld-linux.org>

[-- Attachment #1: Type: text/plain, Size: 490 bytes --]

On Thursday 01 of January 2004 17:05, you wrote:
> This patch should be applied after fedora core selinux patch for vixie-cron
> (probably the same as on nsa.gov/selinux page).
I've modified it a little so that it does not print an error message to stderr when in 
permissive mode (doing so would generate an email message for each such job 
execution).

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux

[-- Attachment #2: vixie-cron-selinux-pld.patch --]
[-- Type: application/octet-stream, Size: 3044 bytes --]

diff -urN vixie-cron-3.0.1.org/database.c vixie-cron-3.0.1/database.c
--- vixie-cron-3.0.1.org/database.c	2004-01-01 16:37:48.000000000 +0100
+++ vixie-cron-3.0.1/database.c	2004-01-01 16:58:42.000000000 +0100
@@ -350,8 +350,13 @@
 	  int retval=0;
 
 	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
-	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "getfilecon FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "getfilecon FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 
 	  /*
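Review bot: The new `if (security_getenforce() > 0)` check fails open when the enforcing mode cannot be determined: libselinux returns -1 from security_getenforce() on error (selinuxfs not mounted or unreadable), and `> 0` treats that the same as permissive, so a crontab whose context checks failed is still loaded and its jobs run. Treating any non-zero result as enforcing keeps the pre-patch fail-closed behaviour: `if (security_getenforce() != 0) {`. The same comparison is repeated in the @@ -362 and @@ -374 hunks of database.c and in both checks of the do_command.c hunk. The enclosing function in database.c begins outside the hunk.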
@@ -362,9 +367,14 @@
 	   * permission check for this purpose.
 	   */
 	  if (get_default_context(fname, NULL, &user_context)) {
-	    log_it(fname, getpid(), "NO CONTEXT", tabname);
 	    freecon(file_context);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+		log_it(fname, getpid(), "NO CONTEXT", tabname);
+		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "NO CONTEXT but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 	  retval = security_compute_av(user_context,
 				       file_context,
@@ -374,9 +384,15 @@
 	  freecon(user_context);
 	  freecon(file_context);
 	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
+selinux_out:
 	}
 #endif
 	u = load_user(crontab_fd, pw, fname);
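Review bot: The new `selinux_out:` label sits immediately before the closing brace of the `#ifdef` block, and before C23 a label must be followed by a statement, so compilers of this period (GCC gives "label at end of compound statement") reject it; a null statement fixes it: `selinux_out: ;`. The enforcing branches in this hunk and the first one also indent `log_it`/`goto next_crontab` with a mix of leading spaces and tabs, unlike the surrounding tab-indented code. The enclosing function starts outside the hunk.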
diff -urN vixie-cron-3.0.1.org/do_command.c vixie-cron-3.0.1/do_command.c
--- vixie-cron-3.0.1.org/do_command.c	2004-01-01 16:37:48.000000000 +0100
+++ vixie-cron-3.0.1/do_command.c	2004-01-01 17:15:05.377307912 +0100
@@ -280,14 +280,19 @@
 			if (is_selinux_enabled()) {
 			  security_context_t scontext;
 			  if (get_default_context(u->name, NULL, &scontext)) {
-			    fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
-			    _exit(ERROR_EXIT);
+			    if (security_getenforce() > 0) {
+    				fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
+    				_exit(ERROR_EXIT);
+			    }
+			  } else {
+    			      if (setexeccon(scontext) < 0) {
+				  if (security_getenforce() > 0) {
+				      fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
+    				      _exit(ERROR_EXIT);
+				  }
+    			      }
+    			      freecon(scontext);
 			  }
-			  if (setexeccon(scontext) < 0) {
-			    fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
-			    _exit(ERROR_EXIT);
-			  }
-			  freecon(scontext);
 			}
 #endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
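Review bot: In the new else-branch a `setexeccon()` failure in permissive mode is swallowed with no diagnostic at all, so the job silently runs in crond's own context and the misconfiguration is never surfaced, whereas the database.c hunks still call `log_it` on their permissive path. Keeping the message out of the mailed job output is the stated intent, but a log entry is still warranted, e.g. `} else { log_it(u->name, getpid(), "setexeccon FAILED but SELinux in permissive mode, continuing", e->cmd); }` if `log_it` is in scope in this file; the `get_default_context()` failure just above has the same silent permissive path. The enclosing child-process code begins outside the hunk.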
