* modification of vixie-cron patch to get crond working in permissive mode
@ 2004-01-01 16:05 Arkadiusz Miskiewicz
From: Arkadiusz Miskiewicz @ 2004-01-01 16:05 UTC (permalink / raw)
  To: selinux

Hi,

This patch should be applied after the Fedora Core SELinux patch for vixie-cron 
(probably the same as on the nsa.gov/selinux page).

It changes behaviour when running SELinux in permissive mode. Until now, when 
there was no known context with which jobs should be executed, an error 
message was logged and the crontab file was skipped. Now the error message is 
logged but the jobs are still run.

It's better to have a working crond + a bunch of log messages instead of an 
unusable crond.

Please apply + rediff the new SELinux patch.
-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux

[-- Attachment #2: vixie-cron-selinux-pld.patch --]

diff -urN vixie-cron-3.0.1.org/database.c vixie-cron-3.0.1/database.c
--- vixie-cron-3.0.1.org/database.c	2004-01-01 16:37:48.651341944 +0100
+++ vixie-cron-3.0.1/database.c	2004-01-01 16:58:42.478731208 +0100
@@ -350,8 +350,13 @@
 	  int retval=0;
 
 	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
-	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "getfilecon FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "getfilecon FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 
 	  /*
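Review bot: `security_getenforce()` returns -1 when the enforcing status cannot be read, and the new `if (security_getenforce() > 0)` test treats that error exactly like permissive mode, so a failure to read the flag falls into the lenient branch and the crontab is loaded without a known file context. Treat a negative return as enforcing, for example `if (security_getenforce() != 0)`, so the check fails closed. The added lines also mix leading spaces and tabs (`+    		log_it(...)`), which does not match the tab-indented surrounding code.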
@@ -362,9 +367,14 @@
 	   * permission check for this purpose.
 	   */
 	  if (get_default_context(fname, NULL, &user_context)) {
-	    log_it(fname, getpid(), "NO CONTEXT", tabname);
 	    freecon(file_context);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+		log_it(fname, getpid(), "NO CONTEXT", tabname);
+		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "NO CONTEXT but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 	  retval = security_compute_av(user_context,
 				       file_context,
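Review bot: This is the second copy of the same enforcing/permissive fork of `log_it` plus `goto`, and the file ends up with three of them differing only in the message string. A small helper such as `selinux_fail(fname, tabname, "NO CONTEXT")` that calls `security_getenforce()` once and returns whether the crontab should be skipped would keep the policy decision in one place, and would make the move of this check into the userspace AVC (which Stephen suggests later in the thread) a single-site change. Moving `freecon(file_context)` ahead of the log call is fine, since `file_context` is not used in either branch after this point.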
@@ -374,9 +384,15 @@
 	  freecon(user_context);
 	  freecon(file_context);
 	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
+selinux_out:
 	}
 #endif
 	u = load_user(crontab_fd, pw, fname);
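Review bot: `selinux_out:` is placed immediately before the closing `}` of the enclosing block, and in C a label must be followed by a statement; write it as `selinux_out: ;` (or place it before a real statement) so that it compiles with compilers that reject a label at the end of a compound statement. The `goto selinux_out` in this hunk's permissive branch is also redundant, because control falls through to the label as soon as the `if` ends; only the `goto`s in the two earlier hunks actually skip anything (the `security_compute_av` call). The `security_getenforce() > 0` test here has the same fail-open behaviour on a -1 return as the other two sites.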
diff -urN vixie-cron-3.0.1.org/do_command.c vixie-cron-3.0.1/do_command.c
--- vixie-cron-3.0.1.org/do_command.c	2004-01-01 16:37:48.707333432 +0100
+++ vixie-cron-3.0.1/do_command.c	2004-01-01 16:56:33.269374016 +0100
@@ -280,14 +280,21 @@
 			if (is_selinux_enabled()) {
 			  security_context_t scontext;
 			  if (get_default_context(u->name, NULL, &scontext)) {
-			    fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
-			    _exit(ERROR_EXIT);
+			    if (security_getenforce() > 0) {
+    				fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
+    				_exit(ERROR_EXIT);
+			    } else
+				fprintf(stderr, "execle: couldn't get security context for user %s but SELinux in permissive mode, continuing\n", u->name);
+			  } else {
+    			      if (setexeccon(scontext) < 0) {
+				  if (security_getenforce() > 0) {
+				      fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
+    				      _exit(ERROR_EXIT);
+				  } else
+				      fprintf(stderr, "Could not set exec context to %s for user  %s but SELinux in permissive mode, continuing\n", scontext,u->name);
+    			      }
+    			      freecon(scontext);
 			  }
-			  if (setexeccon(scontext) < 0) {
-			    fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
-			    _exit(ERROR_EXIT);
-			  }
-			  freecon(scontext);
 			}
 #endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
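Review bot: This code runs in the forked child just before `execle`, so anything written to stderr here ends up in the mail cron sends to the crontab owner; in permissive mode the two new `fprintf(stderr, ... continuing ...)` lines will therefore produce a mail for every job whose context cannot be resolved, on every run. Report the failure through syslog instead (the daemon already logs via `log_it` in database.c). It is also worth a comment that on the `get_default_context` failure path in permissive mode the job runs in crond's own context, since `setexeccon` is never called there, so the administrator knows which domain the job actually executed in. Moving `setexeccon`/`freecon` into the `else` branch is correct: `scontext` is only set when `get_default_context` succeeds, so the old unconditional `freecon(scontext)` would have freed an uninitialized pointer on the new permissive path. Indentation of the added lines mixes spaces and tabs.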

* Re: modification of vixie-cron patch to get crond working in permissive mode
From: Arkadiusz Miskiewicz @ 2004-01-01 16:48 UTC (permalink / raw)
  To: selinux

On Thursday 01 of January 2004 17:05, you wrote:
> This patch should be applied after the Fedora Core SELinux patch for vixie-cron
> (probably the same as on the nsa.gov/selinux page).
I've modified it a little so that it does not display an error message to stderr 
when in permissive mode (it would generate an email message for each such job 
execution).

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
arekm.pld-linux.org AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux

[-- Attachment #2: vixie-cron-selinux-pld.patch --]

diff -urN vixie-cron-3.0.1.org/database.c vixie-cron-3.0.1/database.c
--- vixie-cron-3.0.1.org/database.c	2004-01-01 16:37:48.000000000 +0100
+++ vixie-cron-3.0.1/database.c	2004-01-01 16:58:42.000000000 +0100
@@ -350,8 +350,13 @@
 	  int retval=0;
 
 	  if (fgetfilecon(crontab_fd, &file_context) < OK) {
-	    log_it(fname, getpid(), "getfilecon FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "getfilecon FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "getfilecon FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 
 	  /*
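Review bot: Unchanged from the first version of the patch: the `security_getenforce() > 0` test still treats the -1 error return (enforcing status unreadable) as permissive, so the crontab is loaded without a known file context exactly when the daemon knows least about the system state. Use `!= 0`, or check `< 0` explicitly and log it, so that the check fails closed.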
@@ -362,9 +367,14 @@
 	   * permission check for this purpose.
 	   */
 	  if (get_default_context(fname, NULL, &user_context)) {
-	    log_it(fname, getpid(), "NO CONTEXT", tabname);
 	    freecon(file_context);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+		log_it(fname, getpid(), "NO CONTEXT", tabname);
+		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "NO CONTEXT but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
 	  retval = security_compute_av(user_context,
 				       file_context,
@@ -374,9 +384,15 @@
 	  freecon(user_context);
 	  freecon(file_context);
 	  if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-	    log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
-	    goto next_crontab;
+	    if (security_getenforce() > 0) {
+    		log_it(fname, getpid(), "ENTRYPOINT FAILED", tabname);
+    		goto next_crontab;
+	    } else {
+		log_it(fname, getpid(), "ENTRYPOINT FAILED but SELinux in permissive mode, continuing", tabname);
+		goto selinux_out;
+	    }
 	  }
+selinux_out:
 	}
 #endif
 	u = load_user(crontab_fd, pw, fname);
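Review bot: `selinux_out:` still sits directly before the closing `}`; a label needs a following statement in C, so use `selinux_out: ;` to avoid a "label at end of compound statement" error. The `goto selinux_out` in this hunk's permissive branch is a no-op, since the label is the next thing after the `if` anyway.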
diff -urN vixie-cron-3.0.1.org/do_command.c vixie-cron-3.0.1/do_command.c
--- vixie-cron-3.0.1.org/do_command.c	2004-01-01 16:37:48.000000000 +0100
+++ vixie-cron-3.0.1/do_command.c	2004-01-01 17:15:05.377307912 +0100
@@ -280,14 +280,19 @@
 			if (is_selinux_enabled()) {
 			  security_context_t scontext;
 			  if (get_default_context(u->name, NULL, &scontext)) {
-			    fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
-			    _exit(ERROR_EXIT);
+			    if (security_getenforce() > 0) {
+    				fprintf(stderr, "execle: couldn't get security context for user %s\n", u->name); 
+    				_exit(ERROR_EXIT);
+			    }
+			  } else {
+    			      if (setexeccon(scontext) < 0) {
+				  if (security_getenforce() > 0) {
+				      fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
+    				      _exit(ERROR_EXIT);
+				  }
+    			      }
+    			      freecon(scontext);
 			  }
-			  if (setexeccon(scontext) < 0) {
-			    fprintf(stderr, "Could not set exec context to %s for user  %s\n", scontext,u->name);
-			    _exit(ERROR_EXIT);
-			  }
-			  freecon(scontext);
 			}
 #endif
 			execle(shell, shell, "-c", e->cmd, (char *)0, e->envp);
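Review bot: Dropping the stderr output in permissive mode fixes the per-job mail, but the failure is now not recorded anywhere: when `get_default_context` or `setexeccon` fails, the job silently runs in crond's own context with no log entry at all. Log it once via syslog (`log_it` as used in database.c, or `syslog(3)` directly) so that the administrator can see which jobs are not getting their domain transition; that record is what makes a permissive run useful for fixing the policy. The `security_getenforce() > 0` test here also treats a -1 error return as permissive; `!= 0` fails closed.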

* Re: modification of vixie-cron patch to get crond working in permissive mode
From: Stephen Smalley @ 2004-01-06 14:54 UTC (permalink / raw)
  To: Arkadiusz Miskiewicz; +Cc: selinux, Daniel J Walsh, Russell Coker, Eamon Walsh

On Thu, 2004-01-01 at 11:05, Arkadiusz Miskiewicz wrote:
> This patch should be applied after the Fedora Core SELinux patch for vixie-cron 
> (probably the same as on the nsa.gov/selinux page).
> 
> It changes behaviour when running SELinux in permissive mode. Until now, when 
> there was no known context with which jobs should be executed, an error 
> message was logged and the crontab file was skipped. Now the error message is 
> logged but the jobs are still run.
> 
> It's better to have a working crond + a bunch of log messages instead of an 
> unusable crond.
> 
> Please apply + rediff the new SELinux patch.

I doubt that we want to fork the error handling on each operation into
separate cases for enforcing vs. permissive.  The only case where this
might be reasonable is the entrypoint permission check, since this is
essentially emulating a kernel check in userspace to deal with the fact
that crontab files are not directly executed.  In the future, I would
expect this to be encapsulated in the userspace AVC, so that the
application code can just call avc_has_perm, and the AVC will internally
check the enforcing flag and handle it, as in the kernel.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
