--- at-3.1.8/configure.in.selinux 2004-04-15 13:57:37.000000000 -0400 +++ at-3.1.8/configure.in 2004-04-15 13:57:37.000000000 -0400 @@ -320,4 +320,12 @@ ) AC_SUBST(DAEMON_GROUPNAME) +AC_ARG_WITH(selinux, +[ --with-selinux Define to run with selinux], +AC_DEFINE(WITH_SELINUX), +) +AC_CHECK_LIB(selinux, is_selinux_enabled, SELINUXLIB=-lselinux) +AC_SUBST(SELINUXLIB) +AC_SUBST(WITH_SELINUX) + AC_OUTPUT(Makefile atrun atd.8 atrun.8 at.1 batch) --- at-3.1.8/atd.c.selinux 2004-04-15 13:57:37.000000000 -0400 +++ at-3.1.8/atd.c 2004-05-05 13:31:31.616622776 -0400 @@ -85,6 +85,14 @@ #include #endif +#ifdef WITH_SELINUX +#include +#include +int selinux_enabled=0; +#include +#include +#endif + /* Local headers */ #include "privs.h" @@ -438,6 +446,47 @@ chdir("/"); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + security_context_t user_context=NULL; + security_context_t file_context=NULL; + int retval=0; + struct av_decision avd; + + if (get_default_context(pentry->pw_name, NULL, &user_context)) + perr("execle: couldn't get security context for user %s\n", pentry->pw_name); + /* + * Since crontab files are not directly executed, + * crond must ensure that the crontab file has + * a context that is appropriate for the context of + * the user cron job. It performs an entrypoint + * permission check for this purpose. + */ + if (fgetfilecon(STDIN_FILENO, &file_context) < 0) + perr("fgetfilecon FAILED %s", filename); + + retval = security_compute_av(user_context, + file_context, + SECCLASS_FILE, + FILE__ENTRYPOINT, + &avd); + freecon(file_context); + if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) { + if (security_getenforce()==1) + perr("Not allowed to set exec context to %s for user %s\n", user_context,pentry->pw_name); + } + + if (setexeccon(user_context) < 0) { + if (security_getenforce()==1) { + perr("Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + } else { + syslog(LOG_ERR, "Could not set exec context to %s for user %s\n", user_context,pentry->pw_name); + } + } + freecon(user_context); + } +#endif + if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0) perr("Exec failed for /bin/sh"); @@ -454,6 +503,13 @@ */ waitpid(pid, (int *) NULL, 0); +#ifdef WITH_SELINUX + if (selinux_enabled>0) { + if (setexeccon(NULL) < 0) { + perr("Could not resset exec context for user %s\n", pentry->pw_name); + } + } +#endif /* Send mail. Unlink the output file after opening it, so it * doesn't hang around after the run (if we are to send mail) */ @@ -693,6 +749,9 @@ struct passwd *pwe; struct group *ge; +#ifdef WITH_SELINUX + selinux_enabled=is_selinux_enabled(); +#endif /* We don't need root privileges all the time; running under uid and gid * daemon is fine. */ --- at-3.1.8/config.h.in.selinux 1997-05-13 08:41:28.000000000 -0400 +++ at-3.1.8/config.h.in 2004-04-15 13:57:37.000000000 -0400 @@ -184,3 +184,6 @@ #undef DEFAULT_BATCH_QUEUE #undef HAVE_ATTRIBUTE_NORETURN + +/* Define if you are building with_selinux */ +#undef WITH_SELINUX --- at-3.1.8/Makefile.in.selinux 2004-04-15 13:57:37.000000000 -0400 +++ at-3.1.8/Makefile.in 2004-04-15 13:57:37.000000000 -0400 @@ -27,6 +27,7 @@ YACC = @YACC@ LEX = @LEX@ LEXLIB = @LEXLIB@ +SELINUXLIB = @SELINUXLIB@ CC = @CC@ CFLAGS = @CFLAGS@ @@ -74,7 +75,7 @@ $(LN_S) -f at atrm atd: $(RUNOBJECTS) - $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) + $(CC) $(CFLAGS) -o atd $(RUNOBJECTS) $(LIBS) $(SELINUXLIB) y.tab.c y.tab.h: parsetime.y $(YACC) -d parsetime.y