Package: cron
Version: 3.0pl1-128+b1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
with the removal of the SELinux login entry for system_u [1], cron
stops working.

get_security_context [2] expects a NULL name when called for a system cronjob.
But it is called with "system_u" [2].

It worked so far because getseuserbyname [3] still translated the incorrect
name value "system_u" to the "system_u" seuser.

Best regards,
      Christian Göttsche

[1] https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
[2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218
[3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51

--- user.c      2017-03-13 21:06:52.638905763 +0100
+++ user.c.fixed        2017-03-13 21:07:48.654110814 +0100
@@ -215,7 +215,7 @@
        if (is_selinux_enabled() > 0) {
            char *sname=uname;
            if (pw==NULL) {
-                sname="system_u";
+                sname=NULL;
            }
            if (get_security_context(sname, crontab_fd,
                                     &u->scontext, tabname) != 0 ) {
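
Review bot: the new `sname=NULL;` in the `pw==NULL` branch depends on get_security_context treating a NULL name as "this is a system crontab", and nothing at this call site says so. Please add a one-line comment above the assignment stating that NULL selects the system cron context, so a later reader does not "fix" it back to a user name. It is also worth confirming in get_security_context that the NULL name is never handed on to getseuserbyname or to a log message formatted with %s, since neither is visible in this hunk.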
