Fixed SELinux issue with Linux user being used instead of the SELinux user

diff --git a/conf.c b/conf.c
index 8db0f2b63bce857be5d3408314f75f8e41fe3463..72d1e40e8779b927d470e06d2ec2771fdb5329d2 100644 (file)
--- a/conf.c
+++ b/conf.c
@@ -454,7 +454,7 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
     int flask_enabled = is_selinux_enabled();
     int retval;
     struct av_decision avd;
-    const char *user_name;
+    char *user_name = NULL;
 #endif
 
     /* open file */
@@ -511,30 +511,47 @@ read_file(const char *file_name, cf_t * cf, int is_system_startup)
 #ifdef WITH_SELINUX
     /*
      * Since fcrontab files are not directly executed,
-     * fcrond must ensure that the fcrontab file has
+     * fcron daemon must ensure that the fcrontab file has
      * a context that is appropriate for the context of
      * the user fcron job.  It performs an entrypoint
      * permission check for this purpose.
      */
+    if (flask_enabled) {
+        char *sename = NULL;
+        char *selevl = NULL;
+
+        /* first, get the SELinux user for that Linux user */
 #ifdef SYSFCRONTAB
-    if (!strcmp(cf->cf_user, SYSFCRONTAB))
-        user_name = "system_u";
-    else
+        if (!strcmp(cf->cf_user, SYSFCRONTAB))
+            /* system_u is the default SELinux user for running system services */
+            user_name = "system_u";
+        else
 #endif                          /* def SYSFCRONTAB */
-        user_name = cf->cf_user;
-    if (flask_enabled) {
+        {
+            if (getseuserbyname(cf->cf_user, &sename, &selevl) < 0) {
+                error_e("Cannot find SELinux user for user \"%s\"\n",
+                        cf->cf_user);
+                goto err;
+            }
+            user_name = sename;
+        }
+
         if (get_default_context(user_name, NULL, &cf->cf_user_context))
-            error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context);
+            error_e("NO CONTEXT for Linux user '%s' (SELinux user '%s')",
+                    cf->cf_user, user_name);
         retval =
             security_compute_av(cf->cf_user_context, cf->cf_file_context,
                                 SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
 
         if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-            syslog(LOG_ERR, "ENTRYPOINT FAILED for user \"%s\" "
+            syslog(LOG_ERR, "ENTRYPOINT FAILED for Linux user '%s' "
                    "(CONTEXT %s) for file CONTEXT %s", cf->cf_user,
                    cf->cf_user_context, cf->cf_file_context);
             goto err;
         }
+
+        Free_safe(sename);
+        Free_safe(selevl);
     }
 #endif
 

diff --git a/doc/en/changes.sgml b/doc/en/changes.sgml
index 78b8e92077e962afc2bcfebe012f508fd57cbf18..d7a5bf7871acd201856e77683d37be36d403646f 100644 (file)
--- a/doc/en/changes.sgml
+++ b/doc/en/changes.sgml
@@ -32,6 +32,9 @@ A copy of the license is included in gfdl.sgml.
            <listitem>
               <para>fcrontab no longer crash if mailto is empty (thanks Olaf for reporting the issue)</para>
            </listitem>
+           <listitem>
+              <para>Fixed SELinux issue with Linux user being used instead of the SELinux user (thanks Sven Vermeulen for the patch)</para>
+           </listitem>
       </itemizedlist>
 
       <itemizedlist>

diff --git a/fileconf.c b/fileconf.c
index 7a6c6d4aeab2a6e20ebec35c73c9c07acd6a2aae..4ed03feda5c92a0304d9d748de99b5679ebd85ba 100644 (file)
--- a/fileconf.c
+++ b/fileconf.c
@@ -878,7 +878,7 @@ read_opt(char *ptr, cl_t * cl)
             /* assign_option_string() set the value to NULL if the length is zero.
              * However cl_mailto must not be NULL (as expected in
              * conf.c:add_line_to_file()), so we check if the length is >= 0
-             * before calling assign_option_string() */ 
+             * before calling assign_option_string() */
             /* Also please note that we check if the mailto is valid in conf.c */
             len = option_strlen(ptr);
             if (len <= 0) {