Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
The version of cron currently in stretch is not properly transitioning
the system jobs to the correct SELinux context (See: #857662).
This is breaking cron for the people using SELinux on debian.
The root cause of this is a change in the SELinux policy.
The attached patch (that has been pushed to unstable) is fixing this and
is also avoiding hardcoding identifiers and detect them at runtime
instead. This is a more complete patch than the one proposed on the
original bugreport.
All the changes are only affecting the code path when SELinux is
enabled.
Regards,
Laurent Bigonville
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1,
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog
--- cron-3.0pl1/debian/changelog
+++ cron-3.0pl1/debian/changelog
@@ -1,3 +1,11 @@
+cron (3.0pl1-128+deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Properly transition system jobs to system_cronjob_t SELinux context and
+ stop relying on refpolicy specific identifiers (Closes: #857662)
+
+ -- Laurent Bigonville <bi...@debian.org> Sat, 07 Oct 2017 15:38:27 +0200
+
cron (3.0pl1-128) unstable; urgency=medium
* d/cron.service: Use KillMode=process to kill only the daemon.
diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c
--- cron-3.0pl1/user.c
+++ cron-3.0pl1/user.c
@@ -47,22 +47,31 @@
char *level = NULL;
int i;
+ if(getcon(¤t_con)) {
+ log_it(name, getpid(), "Can't get current context", tabname);
+ return -1;
+ }
+
if (name != NULL) {
if (getseuserbyname(name, &seuser, &level)) {
log_it(name, getpid(), "getseuserbyname FAILED", tabname);
+ freecon(current_con);
return (security_getenforce() > 0);
}
}
else
{
- seuser = strdup("system_u");
+ context_t temp_con = context_new(current_con);
+ if (temp_con == NULL) {
+ log_it(name, getpid(), "context_new FAILED", tabname);
+ freecon(current_con);
+ return (security_getenforce() > 0);
+ }
+ seuser = strdup(context_user_get(temp_con));
+ context_free(temp_con);
}
*rcontext = NULL;
- if(getcon(¤t_con)) {
- log_it(name, getpid(), "Can't get current context", tabname);
- return -1;
- }
list_count = get_ordered_context_list_with_level(seuser, level,
current_con, &context_list);
freecon(current_con);
free(seuser);
@@ -215,7 +224,7 @@
if (is_selinux_enabled() > 0) {
char *sname=uname;
if (pw==NULL) {
- sname="system_u";
+ sname=NULL;
}
if (get_security_context(sname, crontab_fd,
&u->scontext, tabname) != 0 ) {
