[Pkg-cron-devel] [pkg-cron] 01/03: NMU: Properly transition system jobs to system_cronjob_t SELinux context and stop relying on refpolicy specific identifiers (Closes: #857662)

Javier Fernandez-Sanguino Peña jfs at moszumanska.debian.org
Sun Mar 11 22:37:14 UTC 2018


This is an automated email from the git hooks/post-receive script.

jfs pushed a commit to branch updates/stretch
in repository pkg-cron.

commit 206dc605e969a503220acdc722e8fe6757284065
Author: Javier Fernandez-Sanguino <jfs at debian.org>
Date:   Sun Mar 11 22:27:58 2018 +0100

    NMU: Properly transition system jobs to system_cronjob_t SELinux context and
    stop relying on refpolicy specific identifiers (Closes: #857662)
---
 debian/changelog |  8 ++++++++
 user.c           | 21 +++++++++++++++------
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b671a26..a2c477b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+cron (3.0pl1-128+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Properly transition system jobs to system_cronjob_t SELinux context and
+    stop relying on refpolicy specific identifiers (Closes: #857662)
+
+ -- Laurent Bigonville <bigon at debian.org>  Sat, 07 Oct 2017 15:38:27 +0200
+
 cron (3.0pl1-128) unstable; urgency=medium
 
   * d/cron.service: Use KillMode=process to kill only the daemon.
diff --git a/user.c b/user.c
index f7d090b..0299083 100644
--- a/user.c
+++ b/user.c
@@ -47,22 +47,31 @@ static int get_security_context(char *name, int crontab_fd, security_context_t
     char *level = NULL;
     int i;
 
+    if(getcon(&current_con)) {
+        log_it(name, getpid(), "Can't get current context", tabname);
+        return -1;
+    }
+
     if (name != NULL) {
         if (getseuserbyname(name, &seuser, &level)) {
             log_it(name, getpid(), "getseuserbyname FAILED", tabname);
+            freecon(current_con);
             return (security_getenforce() > 0);
         }
     }
     else
     {
-        seuser = strdup("system_u");
+        context_t temp_con = context_new(current_con);
+        if (temp_con == NULL) {
+            log_it(name, getpid(), "context_new FAILED", tabname);
+            freecon(current_con);
+            return (security_getenforce() > 0);
+        }
+        seuser = strdup(context_user_get(temp_con));
+        context_free(temp_con);
     }
 
     *rcontext = NULL;
-    if(getcon(&current_con)) {
-        log_it(name, getpid(), "Can't get current context", tabname);
-        return -1;
-    }
     list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
     freecon(current_con);
     free(seuser);
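Review bot: In the `else` branch `name` is known to be NULL, yet the new failure path calls `log_it(name, getpid(), "context_new FAILED", tabname)`, and the relocated `getcon` check at the top of the hunk logs with `name` before it has been tested. log_it's definition is not visible here, so confirm that it tolerates a NULL user name, or pass a fixed label instead, e.g. `log_it(name ? name : "system", getpid(), "context_new FAILED", tabname);` (the label is made up for illustration). The result of `strdup(context_user_get(temp_con))` is also used unchecked: if either call yields NULL, `seuser` reaches `get_ordered_context_list_with_level` as NULL. A guard after `context_free(temp_con)` such as `if (seuser == NULL) { freecon(current_con); return (security_getenforce() > 0); }` would match the failure handling of the other branches. get_security_context starts before and continues after this hunk.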
@@ -215,7 +224,7 @@ load_user(crontab_fd, pw, uname, fname, tabname)
         if (is_selinux_enabled() > 0) {
             char *sname=uname;
             if (pw==NULL) {
-                sname="system_u";
+                sname=NULL;
             }
             if (get_security_context(sname, crontab_fd, 
                                      &u->scontext, tabname) != 0 ) {
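Review bot: `sname=NULL` now acts as a sentinel that makes get_security_context derive the SELinux user from the daemon's own context, and nothing at the call site says so. A comment on that line would make the contract explicit, for example `/* NULL: system crontab, SELinux user is taken from cron's current context */`. Any later use of `sname` in log or error messages should be checked for the NULL case, which cannot be verified from here because load_user's body begins and ends outside this hunk.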

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-cron/pkg-cron.git


