rpms/at/F-9 selinux_mail.patch,NONE,1.1 at.spec,1.65,1.66

Marcela Mašláňová mmaslano at fedoraproject.org
Wed Sep 17 08:59:08 UTC 2008


Author: mmaslano

Update of /cvs/pkgs/rpms/at/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5152

Modified Files:
	at.spec 
Added Files:
	selinux_mail.patch 
Log Message:
* Tue Sep 16 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-24
- thanks dwalsh for the SELinux patch, which fixes #460873
- adding ||: to the scriptlets fixes removal of the old package after an upgrade


selinux_mail.patch:

--- NEW FILE selinux_mail.patch ---
diff -up at-3.1.10/atd.c.dan at-3.1.10/atd.c
--- at-3.1.10/atd.c.dan	2008-09-16 10:21:14.623354000 -0400
+++ at-3.1.10/atd.c	2008-09-16 11:02:26.744827000 -0400
@@ -224,6 +224,69 @@ myfork()
 #define ATD_MAIL_NAME    "mailx"
 #endif
 
+#ifdef WITH_SELINUX
+static int set_selinux_context(const char *name, const char *filename) {
+	security_context_t user_context=NULL;
+	security_context_t  file_context=NULL;
+	struct av_decision avd;
+	int retval=-1;
+	char *seuser=NULL;
+	char *level=NULL;
+
+	if (getseuserbyname(name, &seuser, &level) == 0) {
+		retval=get_default_context_with_level(seuser, level, NULL, &user_context);
+		free(seuser);
+		free(level);
+		if (retval) {
+			if (security_getenforce()==1) {
+				perr("execle: couldn't get security context for user %s\n", name);
+			} else {
+				syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", name);
+				return -1;
+			}
+		}
+	}
+
+	/*
+	 * Since crontab files are not directly executed,
+	 * crond must ensure that the crontab file has
+	 * a context that is appropriate for the context of
+	 * the user cron job.  It performs an entrypoint
+	 * permission check for this purpose.
+	 */
+	if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
+		perr("fgetfilecon FAILED %s", filename);
+	
+	retval = security_compute_av(user_context,
+				     file_context,
+				     SECCLASS_FILE,
+				     FILE__ENTRYPOINT,
+				     &avd);
+	freecon(file_context);
+	if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
+	     	if (security_getenforce()==1) {
+			perr("Not allowed to set exec context to %s for user  %s\n", user_context,name);
+                } else {
+			syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+			goto err;
+                }
+	}
+	if (setexeccon(user_context) < 0) {
+		if (security_getenforce()==1) {
+			perr("Could not set exec context to %s for user  %s\n", user_context,name);
+			retval = -1;
+		} else {
+			syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,name);
+		}
+	}
+ err:
+	freecon(user_context);
+	return 0;
+}
+#endif
+
+
 static void
 run_file(const char *filename, uid_t uid, gid_t gid)
 {
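Review bot: `set_selinux_context()` always ends with `return 0;` at the `err:` label, so the `retval = -1` set on the permissive-mode entrypoint denial (the `goto err` branch) and on the enforcing-mode `setexeccon()` failure is thrown away and the callers' `< 0` check can never fire; the last line should be `return retval;` (a successful `security_compute_av()` already leaves `retval` at 0, so the success path is unchanged). The `fgetfilecon()` failure is the only error in this function that calls `perr()` without the `security_getenforce()` split used everywhere else, and if `perr()` is fatal, as its use elsewhere suggests, a permissive system will die there instead of logging; a `syslog` + `return -1` branch for the permissive case would make the function consistent. The block comment is copied from crond and talks about crontab files, which does not describe atd; I would replace it with `/* The job file is not executed directly, so check that its context is a valid entrypoint for the user's context before switching to it with setexeccon(). */`.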
@@ -486,62 +549,9 @@ run_file(const char *filename, uid_t uid
 
 #ifdef WITH_SELINUX
            if (selinux_enabled>0) {
-	       security_context_t user_context=NULL;
-               security_context_t  file_context=NULL;
-               int retval=0;
-               struct av_decision avd;
-               char *seuser=NULL;
-               char *level=NULL;
-
-               if (getseuserbyname(pentry->pw_name, &seuser, &level) == 0) {
-                  retval=get_default_context_with_level(seuser, level, NULL, &user_context);
-                  free(seuser);
-                  free(level);
-                  if (retval) {
-                      if (security_getenforce()==1) {
-                          perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
-                      } else {
-                          syslog(LOG_ERR, "execle: couldn't get security context for user %s\n", pentry->pw_name);
-                          goto out;
-                      }
-                  }
-               }
-
-             /*
-              * Since crontab files are not directly executed,
-              * crond must ensure that the crontab file has
-              * a context that is appropriate for the context of
-              * the user cron job.  It performs an entrypoint
-              * permission check for this purpose.
-              */
-	     if (fgetfilecon(STDIN_FILENO, &file_context) < 0) {
-                     if (security_getenforce() > 0) {
-                         perr("fgetfilecon FAILED %s", filename);
-                     } else {
-                         syslog(LOG_ERR, "fgetfilecon FAILED %s", filename);
-                         goto out;
-                     }
-             }
-             retval = security_compute_av(user_context,
-                                          file_context,
-                                          SECCLASS_FILE,
-                                          FILE__ENTRYPOINT,
-                                          &avd);
-             freecon(file_context);
-             if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-               if (security_getenforce()==1)
-                 perr("Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-             }
-
-             if (setexeccon(user_context) < 0) {
-               if (security_getenforce()==1) {
-                 perr("Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-               } else {
-                 syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-               }
-             }
-             freecon(user_context);
-           }
+		   if (set_selinux_context(pentry->pw_name, filename) < 0)
+			   perr("SELinux Failed to set context\n");
+	   }
 #endif
 
 	    if (execle("/bin/sh", "sh", (char *) NULL, nenvp) != 0)
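Review bot: At this call site the permissive-mode handling of an `fgetfilecon()` failure regresses: the removed lines logged through `syslog` and skipped `setexeccon()` (`goto out`), while the replacement `set_selinux_context()` calls `perr()` unconditionally on that error, so a permissive system now takes the hard-error path where it previously degraded to running the job with a logged warning. If `perr()` is fatal (its definition is outside this hunk) that turns a warning into a failed job; keeping the `security_getenforce()` branch in the helper for that error, e.g. `if (security_getenforce() != 1) { syslog(LOG_ERR, "fgetfilecon FAILED %s", filename); return -1; }`, restores the old behaviour here. The new `if (... < 0) perr(...)` guard is the right shape, but it only does anything if the helper propagates its `retval` instead of returning 0. `run_file()` begins and ends outside this hunk.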
@@ -652,48 +662,9 @@ run_file(const char *filename, uid_t uid
 
 #ifdef WITH_SELINUX
            if (selinux_enabled>0) {
-             security_context_t user_context=NULL;
-             security_context_t  file_context=NULL;
-             int retval=0;
-             struct av_decision avd;
-
-             if (get_default_context(pentry->pw_name, NULL, &user_context))
-               perr("execle: couldn't get security context for user %s\n", pentry->pw_name);
-             /*
-              * Since crontab files are not directly executed,
-              * crond must ensure that the crontab file has
-              * a context that is appropriate for the context of
-              * the user cron job.  It performs an entrypoint
-              * permission check for this purpose.
-              */
-             if (fgetfilecon(STDIN_FILENO, &file_context) < 0)
-               perr("fgetfilecon FAILED %s", filename);
-
-             retval = security_compute_av(user_context,
-                                          file_context,
-                                          SECCLASS_FILE,
-                                          FILE__ENTRYPOINT,
-                                          &avd);
-             freecon(file_context);
-             if (retval || ((FILE__ENTRYPOINT & avd.allowed) != FILE__ENTRYPOINT)) {
-	     	if (security_getenforce()==1) {
-                    perr("Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-                } else {
-                    syslog(LOG_ERR, "Not allowed to set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-                    goto out;
-                }
-	     }
-
-             if (setexeccon(user_context) < 0) {
-               if (security_getenforce()==1) {
-                 perr("Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-               } else {
-                 syslog(LOG_ERR, "Could not set exec context to %s for user  %s\n", user_context,pentry->pw_name);
-               }
-             }
-	     out:
-	             freecon(user_context);
-           }
+		   if (set_selinux_context(pentry->pw_name, filename) < 0)
+			   perr("SELinux Failed to set context\n");
+	   }
 #endif
             execl(ATD_MAIL_PROGRAM, ATD_MAIL_NAME, mailname, (char *) NULL);
 	    perr("Exec faile for mail command");
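Review bot: This site previously failed hard (`perr`) when `get_default_context()` could not derive a user context, but with the new helper a non-zero return from `getseuserbyname()` is not handled at all: the `if (getseuserbyname(...) == 0)` block is simply skipped and execution continues into `security_compute_av()` and `setexeccon()` with `user_context == NULL`, so the mail program may be started with no context switch and nothing logged. An explicit failure branch, e.g. `} else { syslog(LOG_ERR, "getseuserbyname failed for user %s", name); return -1; }`, keeps the old fail-closed behaviour for the mail path. Deriving the context from the seuser/level mapping rather than `get_default_context()` looks like the intended fix for #460873, so the rest of the replacement is fine. `run_file()` begins and ends outside this hunk.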


Index: at.spec
===================================================================
RCS file: /cvs/pkgs/rpms/at/F-9/at.spec,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- at.spec	25 Mar 2008 14:00:46 -0000	1.65
+++ at.spec	17 Sep 2008 08:58:38 -0000	1.66
@@ -6,7 +6,7 @@
 Summary: Job spooling tools
 Name: at
 Version: 3.1.10
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://ftp.debian.org/debian/pool/main/a/at
@@ -33,6 +33,7 @@
 Patch16: at-3.1.10-pamfix.patch
 Patch17: at-3.1.10-setuids.patch 
 Patch18: nonposix.patch
+Patch19: selinux_mail.patch
 
 BuildRequires: fileutils chkconfig /etc/init.d
 BuildRequires: flex bison autoconf
@@ -85,6 +86,7 @@
 %patch16 -p1 -b .pamfix
 %patch17 -p1 -b .setuids
 %patch18 -p1 -b .nonposix
+%patch19 -p1 -b .mailselinux
 
 %build
 # patch10 touches configure.in
@@ -159,13 +161,13 @@
 
 %preun
 if [ "$1" = 0 ] ; then
-	/sbin/service atd stop >/dev/null 2>&1
+	/sbin/service atd stop >/dev/null 2>&1 ||:
 	/sbin/chkconfig --del atd
 fi
 
 %postun
 if [ "$1" -ge "1" ]; then
-	/sbin/service atd condrestart >/dev/null 2>&1
+	/sbin/service atd condrestart >/dev/null 2>&1 ||:
 fi
 
 %files
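Review bot: `/sbin/chkconfig --del atd` on the line after the now-guarded `service atd stop` still has no `||:`, and since it is the last command inside the `if` it determines the exit status of the whole `%preun` scriptlet, so a failure there (for example the service already unregistered) would abort the uninstall in exactly the way this commit is trying to avoid. `/sbin/chkconfig --del atd ||:` would make the scriptlet consistently best-effort; the `%postun` hunk is fine as changed.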
@@ -187,6 +189,10 @@
 %attr(4755,root,root)	%{_bindir}/at
 
 %changelog
+* Tue Sep 16 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-24
+- thanks dwalsh for selinux patch, which fix #460873
+- adding || into scriptlets fix removing old package after upgrade
+
 * Tue Mar 25 2008 Marcela Maslanova <mmaslano at redhat.com> - 3.1.10-23
 - 436952 use local instead of posix output date/time format.
 



