tag 857662 + patch
thanks

On Mon, 13 Mar 2017 21:09:13 +0100 cgzones <cgzo...@googlemail.com> wrote:

> Hi,
> with the removal of the SELinux login entry for system_u [1], cron
> stops working.
>
> get_security_context [2] expects a NULL name when called for a system cronjob.
> But it is called with "system_u" [2].
>
> It worked so far because getseuserbyname [3] still translated the incorrect
> name value "system_u" to the "system_u" seuser.
>
> Best regards,
> Christian Göttsche
>
> [1] https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
> [2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218
> [3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51

The attached patch is a bit more complete. That way cron stops depending on refpolicy-specific identifiers.

I'm thinking about uploading my patch to unstable in the following days and then to stable.

Cheers,

Laurent Bigonville
diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c
--- cron-3.0pl1/user.c
+++ cron-3.0pl1/user.c
@@ -47,22 +47,31 @@
     char *level = NULL;
     int i;
 
+    if(getcon(&current_con)) {
+        log_it(name, getpid(), "Can't get current context", tabname);
+        return -1;
+    }
+
     if (name != NULL) {
         if (getseuserbyname(name, &seuser, &level)) {
             log_it(name, getpid(), "getseuserbyname FAILED", tabname);
+            freecon(current_con);
             return (security_getenforce() > 0);
         }
     }
     else
     {
-        seuser = strdup("system_u");
+        context_t temp_con = context_new(current_con);
+        if (temp_con == NULL) {
+            log_it(name, getpid(), "context_new FAILED", tabname);
+            freecon(current_con);
+            return (security_getenforce() > 0);
+        }
+        seuser = strdup(context_user_get(temp_con));
+        context_free(temp_con);
     }
 
     *rcontext = NULL;
-    if(getcon(&current_con)) {
-        log_it(name, getpid(), "Can't get current context", tabname);
-        return -1;
-    }
     list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
     freecon(current_con);
     free(seuser);
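Review bot: In the new `else` branch `name` is NULL by construction, yet both new error paths (the `context_new FAILED` line and the relocated `getcon` check, which now runs before the `name != NULL` test) hand that NULL straight to `log_it`; if `log_it` formats the user with `%s`, that is undefined behavior, and since hunk 2 now passes NULL for system crontabs the path is reachable in practice rather than only in theory. A fixed label avoids it, e.g. `log_it(name ? name : "system", getpid(), "Can't get current context", tabname);` and the same substitution on the `context_new FAILED` line. The `strdup(context_user_get(temp_con))` result is still not checked before it reaches `get_ordered_context_list_with_level` and `free`, the same gap the removed `strdup("system_u")` had, so an allocation failure there degrades silently into a NULL seuser. get_security_context starts and ends outside this hunk.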
@@ -215,7 +224,7 @@
         if (is_selinux_enabled() > 0) {
             char *sname=uname;
             if (pw==NULL) {
-                sname="system_u";
+                sname=NULL;
             }
             if (get_security_context(sname, crontab_fd, 
                                      &u->scontext, tabname) != 0 ) {