summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-process')
-rw-r--r--sys-process/vixie-cron/ChangeLog10
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff134
-rw-r--r--sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2bin1853 -> 0 bytes
-rw-r--r--sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild6
-rw-r--r--sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild6
5 files changed, 148 insertions, 8 deletions
diff --git a/sys-process/vixie-cron/ChangeLog b/sys-process/vixie-cron/ChangeLog
index 7c9627b67036..c5133c0488f0 100644
--- a/sys-process/vixie-cron/ChangeLog
+++ b/sys-process/vixie-cron/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for sys-process/vixie-cron
-# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/ChangeLog,v 1.22 2005/12/25 15:39:49 flameeyes Exp $
+# Copyright 2002-2006 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/ChangeLog,v 1.23 2006/01/28 18:53:32 blubb Exp $
+
+ 28 Jan 2006; Simon Stelling <blubb@gentoo.org>
+ +files/vixie-cron-3.0.1-selinux.diff,
+ -files/vixie-cron-3.0.1-selinux.diff.bz2, vixie-cron-3.0.1-r4.ebuild,
+ vixie-cron-3.0.1-r5.ebuild:
+ no need to bzip smallish patches
25 Dec 2005; Diego Pettenò <flameeyes@gentoo.org>
vixie-cron-4.1-r8.ebuild:
diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff
new file mode 100644
index 000000000000..eb8111986bf9
--- /dev/null
+++ b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff
@@ -0,0 +1,134 @@
+--- vixie-cron-3.0.1/Makefile.selinux 2003-05-20 14:52:06.000000000 -0400
++++ vixie-cron-3.0.1/Makefile 2003-05-20 14:52:21.000000000 -0400
+@@ -71,7 +71,8 @@ LINTFLAGS = -hbxa $(INCLUDE) $(COMPAT) $
+ #<<want to use a nonstandard CC?>>
+ #CC = vcc
+ #<<manifest defines>>
+-DEFS = -s
++DEFS = -s -DWITH_SELINUX
++LIBS += -lselinux
+ #(SGI IRIX systems need this)
+ #DEFS = -D_BSD_SIGNALS -Dconst=
+ #<<the name of the BSD-like install program>>
+--- vixie-cron-3.0.1/database.c.selinux 2003-05-20 14:52:56.000000000 -0400
++++ vixie-cron-3.0.1/database.c 2003-05-23 13:27:24.898020960 -0400
+@@ -28,6 +28,15 @@ static char rcsid[] = "$Id: database.c,v
+ #include <sys/stat.h>
+ #include <sys/file.h>
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
++#define SYSUSERNAME "system_u"
++#else
++#define SYSUSERNAME "*system*"
++#endif
++
+
+ #define TMAX(a,b) ((a)>(b)?(a):(b))
+
+@@ -94,7 +103,7 @@ load_database(old_db)
+ new_db.head = new_db.tail = NULL;
+
+ if (syscron_stat.st_mtime) {
+- process_crontab("root", "*system*",
++ process_crontab("root", SYSUSERNAME,
+ SYSCRONTAB, &syscron_stat,
+ &new_db, old_db);
+ }
+@@ -136,7 +145,7 @@ load_database(old_db)
+
+ snprintf(tabname, MAXNAMLEN+1, "/etc/cron.d/%s", fname);
+
+- process_crontab("root", "*system*", tabname,
++ process_crontab("root", SYSUSERNAME, tabname,
+ &crond_stat, &new_db, old_db);
+ }
+ closedir(dir);
+@@ -253,7 +262,7 @@ process_crontab(uname, fname, tabname, s
+ int crontab_fd = OK - 1;
+ user *u;
+
+- if (strcmp(fname, "*system*") && !(pw = getpwnam(uname))) {
++ if (strcmp(fname, SYSUSERNAME) && !(pw = getpwnam(uname))) {
+ /* file doesn't have a user in passwd file.
+ */
+ log_it(fname, getpid(), "ORPHAN", "no passwd entry");
+@@ -297,6 +306,43 @@ process_crontab(uname, fname, tabname, s
+ free_user(u);
+ log_it(fname, getpid(), "RELOAD", tabname);
+ }
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()) {
++ security_context_t file_context=NULL;
++ security_context_t user_context=NULL;
++ struct av_decision avd;
++ int retval=0;
++
++ if (fgetfilecon(crontab_fd, &file_context) < OK) {
++ log_it(fname, getpid(), "getfilecon FAILED", tabname);
++ goto next_crontab;
++ }
++
++ /*
++ * Since crontab files are not directly executed,
++ * crond must ensure that the crontab file has
++ * a context that is appropriate for the context of
++ * the user cron job. It performs an entrypoint
++ * permission check for this purpose.
++ */
++ if (get_default_context(fname, NULL, &user_context)) {
++ log_it(fname, getpid(), "NO CONTEXT", tabname);
++ freecon(file_context);
++ goto next_crontab;
++ }
++ retval = security_compute_av(user_context,
++ file_context,
++ SECCLASS_FILE,
++ FILE__ENTRYPOINT,
++ &avd);
++ freecon(user_context);
++ freecon(file_context);
++ if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
++ log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
++ goto next_crontab;
++ }
++ }
++#endif
+ u = load_user(crontab_fd, pw, fname);
+ if (u != NULL) {
+ u->mtime = statbuf->st_mtime;
+--- vixie-cron-3.0.1/do_command.c.selinux 2003-05-20 14:53:12.000000000 -0400
++++ vixie-cron-3.0.1/do_command.c 2003-05-20 14:58:06.000000000 -0400
+@@ -29,6 +29,9 @@ static char rcsid[] = "$Id: do_command.c
+ # include <syslog.h>
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#endif
+
+ static void child_process __P((entry *, user *)),
+ do_univ __P((user *));
+@@ -251,6 +254,20 @@ child_process(e, u)
+ */
+ (void) signal(SIGCHLD, SIG_DFL);
+ #endif
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled()) {
++ security_context_t scontext;
++ if (get_default_context(u->name, NULL, &scontext)) {
++ fprintf(stderr, "execle_secure: couldn't get security context for user %s\n", u->name);
++ _exit(ERROR_EXIT);
++ }
++ if (setexeccon(scontext) < 0) {
++ fprintf(stderr, "Could not set exec context to %s for user %s\n", scontext,u->name);
++ _exit(ERROR_EXIT);
++ }
++ freecon(scontext);
++ }
++#endif
+ execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
+ fprintf(stderr, "execl: couldn't exec `%s'\n", shell);
+ perror("execl");
diff --git a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2 b/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2
deleted file mode 100644
index 9fbbcf8d8cd0..000000000000
--- a/sys-process/vixie-cron/files/vixie-cron-3.0.1-selinux.diff.bz2
+++ /dev/null
Binary files differ
diff --git a/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild b/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild
index 67b1825e3147..5b50a7e974c6 100644
--- a/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild
+++ b/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild
@@ -1,12 +1,12 @@
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild,v 1.1 2005/03/04 23:59:48 ciaranm Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/vixie-cron-3.0.1-r4.ebuild,v 1.2 2006/01/28 18:53:32 blubb Exp $
inherit eutils
IUSE="selinux"
-SELINUX_PATCH="${P}-selinux.diff.bz2"
+SELINUX_PATCH="${P}-selinux.diff"
DESCRIPTION="The Vixie cron daemon"
HOMEPAGE="http://www.vix.com/"
diff --git a/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild b/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild
index 5a905fb2ef0e..b93e78689bb9 100644
--- a/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild
+++ b/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild
@@ -1,12 +1,12 @@
-# Copyright 1999-2005 Gentoo Foundation
+# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild,v 1.1 2005/03/04 23:59:48 ciaranm Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/vixie-cron-3.0.1-r5.ebuild,v 1.2 2006/01/28 18:53:32 blubb Exp $
inherit eutils
IUSE="selinux pam"
-SELINUX_PATCH="${P}-selinux.diff.bz2"
+SELINUX_PATCH="${P}-selinux.diff"
DESCRIPTION="The Vixie cron daemon"
HOMEPAGE="http://www.vix.com/"