rpms / cronie

Clone
Source Code
GIT

Blame SOURCES/cronie-1.5.2-context-role.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   9c8d95d4561372bff43862082686c887805b7cc0
  2.   SOURCES
  3.   cronie-1.5.2-context-role.patch
Blob History Raw
131c9a 
From 1f866530f5b3c49012c61b299f3c4e1dceff2a71 Mon Sep 17 00:00:00 2001
131c9a 
From: Tomas Mraz <tmraz@fedoraproject.org>
131c9a 
Date: Thu, 18 Oct 2018 14:25:58 +0200
131c9a 
Subject: [PATCH] Use the role from the crond context for system job contexts.
131c9a
131c9a 
New SELinux policy added multiple roles for the system_u user on crond_t.
131c9a 
The default context returned from get_default_context_with_level() is now
131c9a 
unconfined_t instead of system_cronjob_t which is incorrect for system cron
131c9a 
jobs.
131c9a 
We use the role to limit the default context to system_cronjob_t.
131c9a 
---
131c9a 
 src/security.c | 6 ++++--
131c9a 
 1 file changed, 4 insertions(+), 2 deletions(-)
131c9a
131c9a 
diff --git a/src/security.c b/src/security.c
131c9a 
index d1bdc7f..5213cf3 100644
131c9a 
--- a/src/security.c
131c9a 
+++ b/src/security.c
131c9a 
@@ -505,6 +505,7 @@ get_security_context(const char *name, int crontab_fd,
131c9a 
 		retval = get_default_context_with_level(seuser, level, NULL, &scontext);
131c9a 
 	}
131c9a 
 	else {
131c9a 
+		const char *current_user, *current_role;
131c9a 
 		if (getcon(&current_context_str) < 0) {
131c9a 
 			log_it(name, getpid(), "getcon FAILED", "", 0);
131c9a 
 			return (security_getenforce() > 0);
131c9a 
@@ -517,8 +518,9 @@ get_security_context(const char *name, int crontab_fd,
131c9a 
 			return (security_getenforce() > 0);
131c9a 
 		}
131c9a
131c9a 
-		const char *current_user = context_user_get(current_context);
131c9a 
-		retval = get_default_context_with_level(current_user, level, NULL, &scontext);
131c9a 
+		current_user = context_user_get(current_context);
131c9a 
+		current_role = context_role_get(current_context);
131c9a 
+		retval = get_default_context_with_rolelevel(current_user, current_role, level, NULL, &scontext);
131c9a
131c9a 
 		freecon(current_context_str);
131c9a 
 		context_free(current_context);
131c9a 
--
131c9a 
2.14.5
131c9a

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation