[PATCH] add SElinux support

[Ansgar Burchardt]

Closes: #510466
Thanks: Marcela Maslanova <mmaslano at redhat.com>
---
 Makefile.in  |    1 +
 atd.c        |   95 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 config.h.in  |    3 ++
 configure.ac |    8 +++++
 4 files changed, 107 insertions(+), 0 deletions(-)

diff --git a/Makefile.in b/Makefile.in
index e85167b..cd6b732 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -39,6 +39,7 @@ LIBS		= @LIBS@
 LIBOBJS		= @LIBOBJS@
 INSTALL		= @INSTALL@
 PAMLIB          = @PAMLIB@
+SELINUXLIB	= @SELINUXLIB@
 
 CLONES		= atq atrm 
 ATOBJECTS	= at.o panic.o perm.o posixtm.o y.tab.o lex.yy.o
diff --git a/atd.c b/atd.c
index d4fe832..a8630c0 100644
--- a/atd.c
+++ b/atd.c
@@ -74,6 +74,14 @@
 #include <syslog.h>
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+int selinux_enabled=0;
+#include <selinux/flask.h>
+#include <selinux/av_permissions.h>
+#endif
+
 /* Local headers */
 
 #include "privs.h"
@@ -195,6 +203,68 @@ myfork()
 #define fork myfork
 #endif
 
+#ifdef WITH_SELINUX
+static int set_selinux_context(const char *name, const char *filename) {
+	security_context_t user_context=NULL;
+	security_context_t  file_context=NULL;
+	struct av_decision avd;
+	int retval=-1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	if (getseuserbyname(name, &seuser, &level) == 0) {
+		retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+		free(seuser);
+		free(level);
+		if (retval) {
+			if (security_getenforce()==1) {
+				perr("execle: couldn't get security context for user %s\n", name);
+			} else {
+				syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
+				return -1;
+			}
+		}
+	}
+
+	/*
+	* Since crontab files are not directly executed,
+	* crond must ensure that the crontab file has
+	* a context that is appropriate for the context of
+	* the user cron job.  It performs an entrypoint
+	* permission check for this purpose.
+	*/
+	if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+		perr("fgetfilecon FAILED %s", filename);
+
+	retval = security_compute_av(user_context,
+                                    file_context,
+                                    SECCLASS_FILE,
+                                    FILE__ENTRYPOINT,
+                                    &avd);
+	freecon(file_context);
+	if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+		if (security_getenforce()==1) {
+			perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
+		} else {
+			syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+			goto err;
+		}
+	}
+	if (setexeccon(user_context) < 0) {
+		if (security_getenforce()==1) {
+			perr("Could not set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+		} else {
+			syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
+		}
+	}
+  err:
+	freecon(user_context);
+	return 0;
+}
+#endif
+
 static void
 run_file(const char *filename, uid_t uid, gid_t gid)
 {
@@ -437,6 +507,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
 
 	    chdir("/");
 
+#ifdef WITH_SELINUX
+           if (selinux_enabled > 0) {
+               if (set_selinux_context(pentry->pw_name, filename) < 0)
+                       perr("SELinux Failed to set context\n");
+           }
+#endif
+
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
 		perr("Exec failed for /bin/sh");
 
@@ -493,6 +570,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
 
 	    chdir ("/");
 
+#ifdef WITH_SELINUX
+	    if (selinux_enabled>0) {
+		if (set_selinux_context(pentry->pw_name, filename) < 0)
+		    perr("SELinux Failed to set context\n");
+	    }
+#endif
+
 #if defined(SENDMAIL)
 	    execl(SENDMAIL, "sendmail", mailname, (char *) NULL);
 #else
@@ -500,6 +584,13 @@ run_file(const char *filename, uid_t uid, gid_t gid)
 #endif
 	    perr("Exec failed for mail command");
 
+#ifdef WITH_SELINUX
+	    if (selinux_enabled>0)
+		if (setexeccon(NULL) < 0)
+		    if (security_getenforce()==1)
+			perr("Could not reset exec context for user %s\n", pentry->pw_name);
+#endif
+
 	PRIV_END
     }
     exit(EXIT_SUCCESS);
@@ -697,6 +788,10 @@ main(int argc, char *argv[])
     struct passwd *pwe;
     struct group *ge;
 
+#ifdef WITH_SELINUX
+    selinux_enabled=is_selinux_enabled();
+#endif
+
 /* We don't need root privileges all the time; running under uid and gid
  * daemon is fine.
  */
diff --git a/config.h.in b/config.h.in
index 51c26fa..6ed6e13 100644
--- a/config.h.in
+++ b/config.h.in
@@ -77,6 +77,9 @@
 /* Define to 1 for PAM support */
 #undef HAVE_PAM
 
+/* Define if you are building with_selinux  */
+#undef WITH_SELINUX
+
 /* Define to 1 if you have the `pstat_getdynamic' function. */
 #undef HAVE_PSTAT_GETDYNAMIC
 
diff --git a/configure.ac b/configure.ac
index 93af04e..d48f757 100644
--- a/configure.ac
+++ b/configure.ac
@@ -301,5 +301,13 @@ AC_ARG_WITH(daemon_groupname,
 )
 AC_SUBST(DAEMON_GROUPNAME)
 
+AC_ARG_WITH(selinux,
+[ --with-selinux       Define to run with selinux],
+AC_DEFINE(WITH_SELINUX),
+)
+AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux)
+AC_SUBST(SELINUXLIB)
+AC_SUBST(WITH_SELINUX)
+
 AC_CONFIG_FILES(Makefile atrun atd.8 atrun.8 at.1 batch)
 AC_OUTPUT
-- 
1.6.5


--=-=-=--