* `LICENSE' that comes with the fcron source distribution.
*/
- /* $Id: conf.c,v 1.66 2003-12-25 22:43:57 thib Exp $ */
+ /* $Id: conf.c,v 1.67 2004-01-29 10:33:19 thib Exp $ */
#include "fcron.h"
struct passwd *pass = NULL;
short int type = 0, size = 0;
int rc;
-#ifdef CONFIG_FLASK
- int flask_enabled = is_flask_enabled();
- struct security_query qry;
- struct security_response rsp;
+#ifdef WITH_SELINUX
+ int flask_enabled = is_selinux_enabled();
int retval;
+ struct av_decision avd;
const char *user_name;
#endif
/* check if this file is owned by root : otherwise, all runas fields
* of this field should be set to the owner */
-#ifdef CONFIG_FLASK
- if(flask_enabled)
- rc = fstat_secure(fileno(ff), &file_stat, &cf->cf_file_sid);
- else
-#endif
rc = fstat(fileno(ff), &file_stat);
if ( rc != 0 ) {
error_e("Could not stat %s", file_name);
goto err;
}
+#ifdef WITH_SELINUX
+ if(flask_enabled && fgetfilecon(fileno(ff), &cf->cf_file_context) < 0 )
+ {
+ error_e("Could not get context of %s", file_name);
+ goto err;
+ }
+#endif
if ( strncmp(file_name,"new.", 4) == 0 ) {
if ( file_stat.st_uid == ROOTUID ) {
}
}
-#ifdef CONFIG_FLASK
+#ifdef WITH_SELINUX
/*
* Since crontab files are not directly executed,
* crond must ensure that the crontab file has
user_name = "system_u";
else
user_name = cf->cf_user;
- if(get_default_sid(user_name, 0, &cf->cf_user_sid))
- error_e("NO SID for user \"%s\"", cf->cf_user_sid);
- qry.ssid = cf->cf_user_sid;
- qry.tsid = cf->cf_file_sid;
- qry.tclass = SECCLASS_FILE;
- qry.requested = FILE__ENTRYPOINT;
- retval = security_compute_av(&qry, &rsp);
- if(retval || ((qry.requested & rsp.allowed) != qry.requested)) {
- syslog(LOG_ERR, "ENTRYPOINT FAILED for \"%s\" (SID %u) for file SID %u"
- , cf->cf_user, cf->cf_user_sid, cf->cf_file_sid);
- goto err;
+ if(flask_enabled)
+ {
+ if(get_default_context(user_name, NULL, &cf->cf_user_context))
+ error_e("NO CONTEXT for user \"%s\"", cf->cf_user_context);
+ retval = security_compute_av(cf->cf_user_context, cf->cf_file_context
+ , SECCLASS_FILE, FILE__ENTRYPOINT, &avd);
+
+ if(retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT))
+ {
+ syslog(LOG_ERR, "ENTRYPOINT FAILED for user \"%s\" "
+ "(CONTEXT %s) for file CONTEXT %s"
+ , cf->cf_user, cf->cf_user_context, cf->cf_file_context);
+ goto err;
+ }
}
#endif
bzero(buf, sizeof(buf));
/* get version of fcrontab file: it permits to daemon not to load
- * a file which he won't understand the syntax, for exemple
+ * a file which he won't understand the syntax, for example
* a file using a depreciated format generated by an old fcrontab,
* if the syntax has changed */
if ( read_type(fileno(ff), &type, &size) != OK || type != S_HEADER_T ||
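Review bot: A failed get_default_context() at the new lines `if(get_default_context(user_name, NULL, &cf->cf_user_context))` / `error_e("NO CONTEXT for user \"%s\"", ...)` is only logged, and the message prints `cf->cf_user_context`, which on that failure path has not been set, instead of the user name; the old code had the same shape with the SID. The check should fail closed and name the user: `error_e("NO CONTEXT for user \"%s\"", user_name); goto err;` with braces around the two statements, so that security_compute_av is never reached with an unset source context (as written it presumably fails on retval, but that is relying on the library rather than on this code). Both cf_user_context and cf_file_context are returned by libselinux as heap strings that are released with freecon(); the hunk does not show where cf_t is torn down, so a short ownership comment at the assignments (`/* heap-allocated by libselinux; release with freecon() when cf is freed */`) would help the next reader, and the err: path presumably needs to cover the partially-filled case. The enclosing function starts and ends outside the hunk.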
* `LICENSE' that comes with the fcron source distribution.
*/
- /* $Id: config.h.in,v 1.51 2003-12-29 17:06:16 thib Exp $ */
+ /* $Id: config.h.in,v 1.52 2004-01-29 10:34:46 thib Exp $ */
/* *********************************************************** */
#undef HAVE_LIBSHADOW
/* Have SE Linux support */
-#undef CONFIG_FLASK
+#undef WITH_SELINUX
/* Define if you have the xnet library (-lxnet). */
#undef HAVE_LIBXNET
AC_CONFIG_HEADER(config.h)
AC_PREREQ(2.57)
-vers="2.9.4"
+vers="2.9.5"
vers_quoted="\"$vers\""
AC_DEFINE_UNQUOTED(VERSION, $vers)
AC_DEFINE_UNQUOTED(VERSION_QUOTED, $vers_quoted)
AC_CHECK_HEADERS(sys/types.h sys/socket.h sys/un.h)
AC_CHECK_HEADERS(security/pam_appl.h pam/pam_appl.h crypt.h shadow.h)
AC_CHECK_HEADERS(sys/resource.h)
-AC_CHECK_HEADERS(flask_util.h)
dnl Checks for typedefs, structures, and compiler characteristics.
AC_C_CONST
AC_FUNC_STRFTIME
AC_FUNC_WAIT3
AC_CHECK_LIB(xnet, shutdown)
-AC_CHECK_LIB(secure, getsecsid, [flaskavail=1], [flaskavail=0])
+AC_CHECK_LIB(selinux, getcon, [selinuxavail=1], [selinuxavail=0])
AC_CHECK_FUNC(getloadavg, [getloadavg=1], [getloadavg=0])
AC_CHECK_LIB(kstat, kstat_open, [kstat=1], [kstat=0])
if test $getloadavg -eq 1; then
AC_MSG_RESULT(no)
;;
yes)
- if test "$flaskavail" -eq 1; then
+ if test "$selinuxavail" -eq 1; then
useselinux=1
AC_MSG_RESULT(yes)
else
AC_MSG_ERROR(Must be set to either "yes" or "no".)
;;
esac ],
- if test "$useselinux" != "0" && test "$flaskavail" -eq 1; then
+ if test "$useselinux" != "0" && test "$selinuxavail" -eq 1; then
useselinux=1
AC_MSG_RESULT(yes)
else
fi
)
if test "$useselinux" -eq 1; then
- LIBS="$LIBS -lsecure"
- AC_DEFINE(CONFIG_FLASK)
+ LIBS="$LIBS -lselinux"
+ AC_DEFINE(WITH_SELINUX)
+ CFLAGS="$CFLAGS -I/usr/include/selinux"
fi
echo "fcron's user (resp. group) name : $username (resp. $groupname)"
-echo -n "systab : "
+echo -n "sysfcrontab : "
if test "$use_sysfcrontab" -eq 1; then
- echo "yes"
+ echo "yes ($sysfcrontab)"
else
echo "no"
fi
echo
echo "You can now run 'make' to compile"
echo "and then (as root) 'make install' to install fcron."
-echo
\ No newline at end of file
+echo
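Review bot: The new `CFLAGS="$CFLAGS -I/usr/include/selinux"` hard-codes a system path, which breaks for a libselinux installed under another prefix and is only needed because global.h includes `<selinux.h>` and `<get_context_list.h>` unprefixed while the same block already uses `<selinux/flask.h>`; using `<selinux/selinux.h>` and `<selinux/get_context_list.h>` there makes the -I line unnecessary, so it can be dropped. The removed `AC_CHECK_HEADERS(flask_util.h)` has no replacement, leaving `AC_CHECK_LIB(selinux, getcon, ...)` as the only probe; an `AC_CHECK_HEADERS(selinux/selinux.h)` feeding the same selinuxavail decision would catch a headers-missing install before the compile fails. The same point applies to the global.h section below.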
* `LICENSE' that comes with the fcron source distribution.
*/
- /* $Id: global.h,v 1.41 2003-12-25 22:43:53 thib Exp $ */
+ /* $Id: global.h,v 1.42 2004-01-29 10:30:12 thib Exp $ */
/*
#include <errno.h>
#endif
-#ifdef CONFIG_FLASK
-#include <flask_util.h>
-#include <fs_secure.h>
-#include <ss.h>
-#include <linux/flask/av_permissions.h>
-#include <get_sid_list.h>
+#ifdef WITH_SELINUX
+#include <selinux.h>
+#include <get_context_list.h>
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
#endif
#ifdef HAVE_GETOPT_H
struct env_t *cf_env_base; /* list of all env variables to set */
int cf_running; /* number of jobs running */
signed char cf_tzdiff; /* time diff between system and local hour */
-#ifdef CONFIG_FLASK
- security_id_t cf_user_sid;
- security_id_t cf_file_sid;
+#ifdef WITH_SELINUX
+ security_context_t cf_user_context;
+ security_context_t cf_file_context;
#endif
} cf_t;
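Review bot: The two new cf_t members `security_context_t cf_user_context;` and `security_context_t cf_file_context;` are pointers to libselinux-allocated strings, unlike the integer SIDs they replace, but carry no ownership comment while every neighbouring field has one. Suggest `security_context_t cf_user_context; /* from get_default_context(); freecon() when cf_t is freed */` and the same for `cf_file_context` (from fgetfilecon()), so whoever frees cf_t knows there is now something to release; the free path is not visible in this diff, so that it is actually handled should be confirmed.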
* `LICENSE' that comes with the fcron source distribution.
*/
- /* $Id: save.c,v 1.7 2003-12-25 22:52:03 thib Exp $ */
+ /* $Id: save.c,v 1.8 2004-01-29 10:34:55 thib Exp $ */
#include "global.h"
#include "save.h"
int fd;
/* open file */
-#ifdef CONFIG_FLASK
- if ( is_flask_enabled() )
- fd = open_secure(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR | S_IWUSR, file->cf_file_sid);
- else
+#ifdef WITH_SELINUX
+ if ( is_selinux_enabled() && setfscreatecon(file->cf_file_context) )
+ {
+ error_e("Could not set create context for file %s", filename);
+ return ERR;
+ }
#endif
fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR|S_IWUSR);
+#ifdef WITH_SELINUX
+ if ( is_selinux_enabled() )
+ setfscreatecon(NULL);
+#endif
if ( fd == -1 ) {
error_e("Could not open %s", filename);
return ERR;
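Review bot: The new `setfscreatecon(NULL)` call sits between `fd = open(...)` and the `if ( fd == -1 )` / `error_e("Could not open %s", filename)` report, so if open() fails the reset can overwrite errno before it is logged and the message presumably shows the wrong reason. Save errno around the reset (or test fd first and reset on both paths) so the diagnostic reflects open(). The return value of the reset is also dropped; if it fails the process keeps a create context that applies to later files, which at least deserves a log line. The enclosing function starts before and continues past the hunk.
```c
fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC | O_SYNC, S_IRUSR|S_IWUSR);
#ifdef WITH_SELINUX
if ( is_selinux_enabled() ) {
    int saved_errno = errno;   /* keep open()'s errno for error_e below */
    if ( setfscreatecon(NULL) < 0 )
        error_e("Could not reset create context after %s", filename);
    errno = saved_errno;
}
#endif
/* … unchanged: fd == -1 check … */
```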