From 9a8a3488c465c036ca721695d17237e5c5fee25c Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Thu, 16 Jul 2015 01:06:06 +0200
Subject: [PATCH] Add SELinux support to run jobs in the proper domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently, jobs run by at are run in the crond_t domain and not
transitioned outside of it.
With this patch, the jobs are transitioned in the same domain as the
jobs that are run by the cron daemon:
- When cron_userdomain_transition is set to off, a process for an
unconfined user will transition to unconfined_cronjob_t. For confined
user, the job is run as cronjob_t.
- When cron_userdomain_transition is set to on, the processes are run
under the user default context.
This patch is based on Marcela Mašláňová <mmaslano@redhat.com> work
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
Makefile.in | 1 +
atd.c | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++
config.h.in | 3 ++
configure.ac | 8 +++++
daemon.c | 16 ++++++++++
daemon.h | 3 ++
6 files changed, 119 insertions(+)
diff --git a/Makefile.in b/Makefile.in
index 679bf0e..895f87f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -39,6 +39,7 @@ LIBS = @LIBS@
LIBOBJS = @LIBOBJS@
INSTALL = @INSTALL@
PAMLIB = @PAMLIB@
+SELINUXLIB = @SELINUXLIB@
CLONES = atq atrm
ATOBJECTS = at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
diff --git a/atd.c b/atd.c
index 63e514a..acb610f 100644
--- a/atd.c
+++ b/atd.c
@@ -86,6 +86,13 @@
#ifndef LOG_ATD
#define LOG_ATD LOG_DAEMON
#endif
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled = 0;
+#endif
+
/* Macros */
#define BATCH_INTERVAL_DEFAULT 60
@@ -202,6 +209,72 @@ myfork()
#define ATD_MAIL_NAME "mailx"
#endif
+#ifdef WITH_SELINUX
+static int
+set_selinux_context(const char *name, const char *filename) {
+ security_context_t user_context = NULL;
+ security_context_t file_context = NULL;
+ int retval = 0;
+ char *seuser = NULL;
+ char *level = NULL;
+
+ if (getseuserbyname(name, &seuser, &level) == 0) {
+ retval = get_default_context_with_level(seuser, level, NULL, &user_context);
+ free(seuser);
+ free(level);
+ if (retval < 0) {
+ lerr("get_default_context_with_level: couldn't get security context for user %s", name);
+ retval = -1;
+ goto err;
+ }
+ }
+
+ /*
+ * Since crontab files are not directly executed,
+ * crond must ensure that the crontab file has
+ * a context that is appropriate for the context of
+ * the user cron job. It performs an entrypoint
+ * permission check for this purpose.
+ */
+ if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
+ lerr("fgetfilecon FAILED %s", filename);
+ retval = -1;
+ goto err;
+ }
+
+ retval = selinux_check_access(user_context, file_context, "file", "entrypoint", NULL);
+ freecon(file_context);
+ if (retval < 0) {
+ lerr("Not allowed to set exec context to %s for user %s", user_context, name);
+ retval = -1;
+ goto err;
+ }
+ if (setexeccon(user_context) < 0) {
+ lerr("Could not set exec context to %s for user %s", user_context, name);
+ retval = -1;
+ goto err;
+ }
+err:
+ if (retval < 0 && security_getenforce() != 1)
+ retval = 0;
+ if (user_context)
+ freecon(user_context);
+ return retval;
+}
+
+static int
+selinux_log_callback (int type, const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start(ap, fmt);
+ vsyslog (LOG_ERR, fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+#endif
+
static void
run_file(const char *filename, uid_t uid, gid_t gid)
{
@@ -433,6 +506,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
nice((tolower((int) queue) - 'a' + 1) * 2);
+#ifdef WITH_SELINUX
+ if (selinux_enabled > 0) {
+ if (set_selinux_context(pentry->pw_name, filename) < 0)
+ perr("SELinux Failed to set context\n");
+ }
+#endif
+
if (initgroups(pentry->pw_name, pentry->pw_gid))
perr("Cannot initialize the supplementary group access list");
@@ -751,6 +831,14 @@ main(int argc, char *argv[])
struct passwd *pwe;
struct group *ge;
+#ifdef WITH_SELINUX
+ selinux_enabled=is_selinux_enabled();
+
+ if (selinux_enabled) {
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) selinux_log_callback);
+ }
+#endif
+
/* We don't need root privileges all the time; running under uid and gid
* daemon is fine.
*/
diff --git a/config.h.in b/config.h.in
index 16b2ed3..d1be135 100644
--- a/config.h.in
+++ b/config.h.in
@@ -192,6 +192,9 @@
<sys/cpustats.h>. */
#undef UMAX4_3
+/* Define if you are building with_selinux */
+#undef WITH_SELINUX
+
/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a
`char[]'. */
#undef YYTEXT_POINTER
diff --git a/configure.ac b/configure.ac
index d5e16b3..85174d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -245,6 +245,14 @@ AC_DEFINE(WITH_PAM),
AC_CHECK_LIB(pam, pam_start, PAMLIB='-lpam -lpam_misc')
AC_SUBST(PAMLIB)
+AC_ARG_WITH(selinux,
+[ --with-selinux Define to run with selinux],
+AC_DEFINE(WITH_SELINUX, 1, [Define if you are building with_selinux]),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
AC_MSG_CHECKING(groupname to run under)
AC_ARG_WITH(daemon_groupname,
[ --with-daemon_groupname=DAEMON_GROUPNAME Groupname to run under (default daemon) ],
diff --git a/daemon.c b/daemon.c
index 8be40d4..f9d25e7 100644
--- a/daemon.c
+++ b/daemon.c
@@ -82,6 +82,22 @@ perr(const char *fmt,...)
exit(EXIT_FAILURE);
}
+void
+lerr(const char *fmt,...)
+{
+ char buf[1024];
+ va_list args;
+
+ va_start(args, fmt);
+ vsnprintf(buf, sizeof(buf), fmt, args);
+ va_end(args);
+
+ if (daemon_debug) {
+ perror(buf);
+ } else
+ syslog(LOG_ERR, "%s: %m", buf);
+}
+
void
pabort(const char *fmt,...)
{
diff --git a/daemon.h b/daemon.h
index c4507ae..f44ccd1 100644
--- a/daemon.h
+++ b/daemon.h
@@ -13,5 +13,8 @@ __attribute__((noreturn))
#endif
perr (const char *fmt, ...);
+void
+lerr (const char *fmt, ...);
+
extern int daemon_debug;
extern int daemon_foreground;
--
2.35.1