Bug#857662: marked as done (cron broken in SELinux enforced mode due to system_u login mapping removal)

[Debian Bug Tracking System]

Your message dated Fri, 06 Oct 2017 14:50:14 +0000
with message-id <e1e0tx8-000dqk...@fasolo.debian.org>
and subject line Bug#857662: fixed in cron 3.0pl1-128.1
has caused the Debian Bug report #857662,
regarding cron broken in SELinux enforced mode due to system_u login mapping 
removal
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: cron
Version: 3.0pl1-128+b1
User: selinux-de...@lists.alioth.debian.org
Usertags: selinux

Hi,
with the removal of the SELinux login entry for system_u [1], cron
stops working.

get_security_context [2] expects a NULL name when called for a system cronjob.
But it is called with "system_u" [2].

It worked so far cause getseuserbyname [3] translated the incorrect
name value "system_u" still to the "system_u" seuser.

Best regards,
      Christian Göttsche

[1] 
https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
[2] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L218
[3] https://sources.debian.net/src/cron/3.0pl1-128/user.c/?hl=120#L51

--- user.c      2017-03-13 21:06:52.638905763 +0100
+++ user.c.fixed        2017-03-13 21:07:48.654110814 +0100
@@ -215,7 +215,7 @@
        if (is_selinux_enabled() > 0) {
            char *sname=uname;
            if (pw==NULL) {
-                sname="system_u";
+                sname=NULL;
            }
            if (get_security_context(sname, crontab_fd,
                                     &u->scontext, tabname) != 0 ) {

--- End Message ---

--- Begin Message ---

Source: cron
Source-Version: 3.0pl1-128.1

We believe that the bug you reported is fixed in the latest version of
cron, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bi...@debian.org> (supplier of updated cron package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 03 Oct 2017 15:38:27 +0200
Source: cron
Binary: cron
Architecture: source amd64
Version: 3.0pl1-128.1
Distribution: unstable
Urgency: medium
Maintainer: Javier Fernández-Sanguino Peña <j...@debian.org>
Changed-By: Laurent Bigonville <bi...@debian.org>
Description:
 cron       - process scheduling daemon
Closes: 857662
Changes:
 cron (3.0pl1-128.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Properly transition system jobs to system_cronjob_t SELinux context and
     stop relying on refpolicy specific identifiers (Closes: #857662)
Checksums-Sha1:
 172973a8106066c4953c19d70be0c928ef902182 1620 cron_3.0pl1-128.1.dsc
 4d24712033f0a3d5651daefd2d1d4d8cf4996310 99043 cron_3.0pl1-128.1.diff.gz
 538f2568ed0a24e4b1e67e469f33c1a950b332bf 86628 
cron-dbgsym_3.0pl1-128.1_amd64.deb
 771089b253f25d8461e6682e6d9abf453286f722 5645 cron_3.0pl1-128.1_amd64.buildinfo
 fa12be7bff5693b3300b8984fa77ed35d69d36f0 95468 cron_3.0pl1-128.1_amd64.deb
Checksums-Sha256:
 183acdb847926b07b7d294342a3a7cc4434c144c57e39a2690baa1f26b76bcfb 1620 
cron_3.0pl1-128.1.dsc
 76e2af80f3f5d80d09af45e6b0c9eac8ce336d75ea0a629963d72746e793ed1b 99043 
cron_3.0pl1-128.1.diff.gz
 848f02001fd74a9bd7fc302ca96b0648cbe96b3219c5bf8d8505ee1ae1dc80d3 86628 
cron-dbgsym_3.0pl1-128.1_amd64.deb
 9c38126326232ce82bbae069ffb316a2bee02b5e593759bec5aef8acfd582dc3 5645 
cron_3.0pl1-128.1_amd64.buildinfo
 c5531395e1704c503b3db7117b262831b01641d55b9a5b62b09c3030ac61874c 95468 
cron_3.0pl1-128.1_amd64.deb
Files:
 418f5032dfa78696103ca150a5e3d9fa 1620 admin important cron_3.0pl1-128.1.dsc
 b4656e7fc06793d8b58393146ad77045 99043 admin important 
cron_3.0pl1-128.1.diff.gz
 c230432db94f11156d85679f823e5b37 86628 debug optional 
cron-dbgsym_3.0pl1-128.1_amd64.deb
 0e3183ca38ae60defb874b7b39128e2f 5645 admin important 
cron_3.0pl1-128.1_amd64.buildinfo
 8d19ec052a245c39c4b3286af3272187 95468 admin important 
cron_3.0pl1-128.1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFFBAEBCAAvFiEEmRrdqQAhuF2x31DwH8WJHrqwQ9UFAlnTk2QRHGJpZ29uQGRl
Ymlhbi5vcmcACgkQH8WJHrqwQ9V21Qf/ZVVMLMSrvjYPM2hIoDT54cr6Zb0HYbkq
ZJi/UgeIqJqTtXrbOsWMjH16X10eyPa1E8DJY3otsMxcMrbizyp/au8jLsvVpp7D
co1UNM8hylJjwhkvtZZZX6vOmIn7LwcIGNDfG6s46xC39nCn1dDFNSEIgNmP44HY
Ud5Wt/dfGT5YgU2CPg845yo6lo10zbcMoGccRD7fr0uUVx3OgnuMNbqfgUNoPsNq
m5+xTnxNd2qceaWlbSCj/j8shw1vL377oEPvg1Dfp/yZ/Il5OrQAs7AeuE4yJz2k
SqSwOcOeGjGTIUK0p/lnKrP+5de8wT5cGsICNRus9ow2Go+JfJNhOw==
=qpuf
-----END PGP SIGNATURE-----

--- End Message ---