
Bug#877934: marked as done (stretch-pu: package cron/3.0pl1-128.1)



Your message dated Sat, 10 Mar 2018 10:57:46 +0000
with message-id <1520679466.2744.57.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.4
has caused the Debian Bug report #877934,
regarding stretch-pu: package cron/3.0pl1-128.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
877934: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877934
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The version of cron currently in stretch is not properly transitioning
the system jobs to the correct SELinux context (See: #857662).

This is breaking cron for the people using SELinux on Debian.

The root cause of this is a change in the SELinux policy.

The attached patch (that has been pushed to unstable) is fixing this and
is also avoiding hardcoding identifiers and detecting them at runtime
instead. This is a more complete patch than the one proposed on the
original bug report.

All the changes are only affecting the code path when SELinux is
enabled.

Regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -u cron-3.0pl1/debian/changelog cron-3.0pl1/debian/changelog
--- cron-3.0pl1/debian/changelog
+++ cron-3.0pl1/debian/changelog
@@ -1,3 +1,11 @@
+cron (3.0pl1-128+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Properly transition system jobs to system_cronjob_t SELinux context and
+    stop relying on refpolicy specific identifiers (Closes: #857662)
+
+ -- Laurent Bigonville <bigon@debian.org>  Sat, 07 Oct 2017 15:38:27 +0200
+
 cron (3.0pl1-128) unstable; urgency=medium
 
   * d/cron.service: Use KillMode=process to kill only the daemon.
diff -u cron-3.0pl1/user.c cron-3.0pl1/user.c
--- cron-3.0pl1/user.c
+++ cron-3.0pl1/user.c
@@ -47,22 +47,31 @@
     char *level = NULL;
     int i;
 
+    if(getcon(&current_con)) {
+        log_it(name, getpid(), "Can't get current context", tabname);
+        return -1;
+    }
+
     if (name != NULL) {
         if (getseuserbyname(name, &seuser, &level)) {
             log_it(name, getpid(), "getseuserbyname FAILED", tabname);
+            freecon(current_con);
             return (security_getenforce() > 0);
         }
     }
     else
     {
-        seuser = strdup("system_u");
+        context_t temp_con = context_new(current_con);
+        if (temp_con == NULL) {
+            log_it(name, getpid(), "context_new FAILED", tabname);
+            freecon(current_con);
+            return (security_getenforce() > 0);
+        }
+        seuser = strdup(context_user_get(temp_con));
+        context_free(temp_con);
     }
 
     *rcontext = NULL;
-    if(getcon(&current_con)) {
-        log_it(name, getpid(), "Can't get current context", tabname);
-        return -1;
-    }
     list_count = get_ordered_context_list_with_level(seuser, level, current_con, &context_list);
     freecon(current_con);
     free(seuser);
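Review bot: in the new else branch `name` is NULL by construction, yet `log_it(name, getpid(), "context_new FAILED", tabname)` passes it as the user name, and the `getcon` failure log, now moved ahead of the `if (name != NULL)` test, can do the same. Confirm that log_it tolerates a NULL first argument, or pass a fixed placeholder string on these paths. Separately, neither `context_user_get(temp_con)` nor the `strdup` around it is checked before `seuser` is handed to `get_ordered_context_list_with_level`; a NULL check with the same `freecon(current_con)` cleanup as the other error paths would keep the failure handling uniform.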
@@ -215,7 +224,7 @@
         if (is_selinux_enabled() > 0) {
             char *sname=uname;
             if (pw==NULL) {
-                sname="system_u";
+                sname=NULL;
             }
             if (get_security_context(sname, crontab_fd, 
                                      &u->scontext, tabname) != 0 ) {
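Review bot: `sname=NULL;` makes NULL a sentinel meaning "system crontab, take the SELinux user from cron's own context", and that contract exists only implicitly between this call site and the else branch of `get_security_context`. A short comment here and at the function's header would document it, so that a later change neither reintroduces a hard-coded user nor dereferences `name` without checking it.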

--- End Message ---
--- Begin Message ---
Version: 9.4

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
