From: Guido Trentalancia <guido@trentalancia.com>
Date: Thu, 5 Nov 2009 15:47:56 +0000 (+0100)
Subject: This function will be probably removed from libselinux, so it is added into source... 
X-Git-Tag: cronie1.4.4~11
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8e6d768d6f5cf825f92c6e3c39ead28e1ae8e186;p=cronie

This function will be probably removed from libselinux, so it is added into source code here.

Signed-off-by: Marcela Mašláňová <mmaslano@redhat.com>
---

diff --git a/src/security.c b/src/security.c
index 956db2d..c41c06b 100644
--- a/src/security.c
+++ b/src/security.c
@@ -486,9 +486,37 @@ void free_security_context(security_context_t * scontext) {
 
 int crontab_security_access(void) {
 #ifdef WITH_SELINUX
-	if (is_selinux_enabled() > 0)
-		if (selinux_check_passwd_access(PASSWD__CRONTAB) != 0)
-			return -1;
+	int selinux_check_passwd_access = -1;
+	if (is_selinux_enabled() > 0) {
+		security_context_t user_context;
+		if (getprevcon_raw(&user_context) == 0) {
+			security_class_t passwd_class;
+			struct av_decision avd;
+			int retval;
+
+			passwd_class = string_to_security_class("passwd");
+			if (passwd_class == 0) {
+				selinux_check_passwd_access = -1;
+				fprintf(stderr, "Security class \"passwd\" is not defined in the SELinux policy.\n");
+			}
+
+			retval = security_compute_av_raw(user_context,
+							user_context,
+							passwd_class,
+							PASSWD__CRONTAB,
+							&avd);
+
+			if ((retval == 0) && ((PASSWD__CRONTAB & avd.allowed) == PASSWD__CRONTAB)) {
+				selinux_check_passwd_access = 0;
+			}
+			freecon(user_context);
+		}
+
+		if (selinux_check_passwd_access != 0 && security_getenforce() == 0)
+			selinux_check_passwd_access = 0;
+
+		return selinux_check_passwd_access;
+	}
 #endif
 	return 0;
 }