[krb5] - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#576093)

Nalin Dahyabhai nalin at fedoraproject.org
Tue Jun 14 18:45:09 UTC 2011


commit 6a7a1180582bed0835f17ee883ed74b82a8cbca2
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Jun 14 14:15:55 2011 -0400

    - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#576093)

 krb5-1.9-selinux-label.patch |   61 +++++++++++++++++++++++++++++++++++++-----
 krb5.spec                    |    5 +++
 2 files changed, 59 insertions(+), 7 deletions(-)
---
diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch
index 5dd274f..03e58c4 100644
--- a/krb5-1.9-selinux-label.patch
+++ b/krb5-1.9-selinux-label.patch
@@ -42,7 +42,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4
  KRB5_LIB_PARAMS
  KRB5_AC_INITFINI
  KRB5_AC_ENABLE_THREADS
-@@ -1791,3 +1792,53 @@ AC_SUBST(manlocalstatedir)
+@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
  AC_SUBST(manlibexecdir)
  AC_CONFIG_FILES($1)
  ])
@@ -71,9 +71,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4
 +       AC_CHECK_FUNCS(setfscreatecon selabel_open)
 +       if test "x$ac_cv_func_setfscreatecon" = xno ; then
 +               AC_CHECK_LIB(selinux,setfscreatecon)
-+               AC_CHECK_LIB(selinux,selabel_open)
 +               unset ac_cv_func_setfscreatecon
-+               unset ac_cv_func_selabel_open
 +               AC_CHECK_FUNCS(setfscreatecon selabel_open)
 +               if test "x$ac_cv_func_setfscreatecon" = xyes ; then
 +                       SELINUX_LIBS="$LIBS"
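Review bot: Dropping `unset ac_cv_func_selabel_open` (the removed line between the `unset ac_cv_func_setfscreatecon` and the second `AC_CHECK_FUNCS`) looks like it leaves the first probe's negative result in autoconf's cache, so the re-run of `AC_CHECK_FUNCS(setfscreatecon selabel_open)` with `-lselinux` now in LIBS would re-test only setfscreatecon and report selabel_open as absent whenever libselinux is not in the default link set. If HAVE_SELABEL_OPEN gates any code in selinux.c, that would silently disable it on such systems; I cannot see whether the cache variable is reset elsewhere, so this is inferred from the visible lines. Keeping just the one line `unset ac_cv_func_selabel_open` next to the surviving `unset ac_cv_func_setfscreatecon` avoids the stale cache without reinstating the duplicate `AC_CHECK_LIB`. The enclosing `if` block starts above the hunk.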
@@ -90,7 +88,7 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4
 +               AC_MSG_NOTICE([building with SELinux labeling support])
 +               AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
 +               SELINUX_LIBS="$LIBS"
-+		EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen"
++		EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
 +       fi
 +fi
 +LIBS="$old_LIBS"
@@ -142,7 +140,7 @@ diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int
 diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h
 --- krb5-1.8/src/include/k5-label.h.selinux-label	2010-03-05 10:57:23.000000000 -0500
 +++ krb5-1.8/src/include/k5-label.h	2010-03-05 10:57:23.000000000 -0500
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,32 @@
 +#ifndef _KRB5_LABEL_H
 +#define _KRB5_LABEL_H
 +
@@ -168,6 +166,8 @@ diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-l
 +int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
 +#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
 +#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
++void *krb5int_push_fscreatecon_for(const char *pathname);
++void krb5int_pop_fscreatecon(void *previous);
 +#else
 +#define WRITABLEFOPEN(x,y) fopen(x,y)
 +#define THREEPARAMOPEN(x,y,z) open(x,y,z)
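Review bot: The two added prototypes give callers no contract for the opaque `void *` they pass around: whether the value returned by `krb5int_push_fscreatecon_for` must always be handed back to `krb5int_pop_fscreatecon`, and whether a NULL return means "failed" or "there was no previous context" (the rc_dfl.c hunk later in this diff tests it against NULL, so the distinction matters). A comment above the pair along the lines of `/* Set the calling thread's file-creation context to the label that applies to PATHNAME; the return value is an opaque token that must be passed to krb5int_pop_fscreatecon() to restore the prior context. */` would settle that at the declaration. The `#ifdef` block these lines sit in begins above the hunk.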
@@ -501,9 +501,9 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s
 diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
 --- krb5-1.8/src/util/support/selinux.c.selinux-label	2010-03-05 10:57:23.000000000 -0500
 +++ krb5-1.8/src/util/support/selinux.c	2010-03-05 10:57:23.000000000 -0500
-@@ -0,0 +1,346 @@
+@@ -0,0 +1,362 @@
 +/*
-+ * Copyright 2007,2008,2009 Red Hat, Inc.  All Rights Reserved.
++ * Copyright 2007,2008,2009,2011 Red Hat, Inc.  All Rights Reserved.
 + *
 + * Redistribution and use in source and binary forms, with or without
 + * modification, are permitted provided that the following conditions are met:
@@ -721,6 +721,22 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup
 +	}
 +}
 +
++void *
++krb5int_push_fscreatecon_for(const char *pathname)
++{
++	struct stat st;
++	if (stat(pathname, &st) != 0) {
++		st.st_mode = S_IRUSR | S_IWUSR;
++	}
++	return push_fscreatecon(pathname, st.st_mode);
++}
++
++void
++krb5int_pop_fscreatecon(void *con)
++{
++	pop_fscreatecon(con);
++}
++
 +FILE *
 +krb5int_labeled_fopen(const char *path, const char *mode)
 +{
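Review bot: On a failed stat() the fallback `st.st_mode = S_IRUSR | S_IWUSR` sets permission bits only, so push_fscreatecon() receives no file-type bits; whether that resolves to the regular-file label or to a type wildcard depends on push_fscreatecon(), which is outside this hunk. If the intent is "the file does not exist yet, label it as the regular file about to be created", make that explicit with `st.st_mode = S_IFREG | S_IRUSR | S_IWUSR;` and a comment such as `/* Not there yet (normal for a file about to be created): label as a regular file. */`. Every other stat() failure (EACCES, ELOOP, ...) takes the same silent path, which is probably acceptable for a best-effort label but deserves a sentence in the comment so the next reader does not treat it as a bug.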
@@ -848,3 +864,34 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup
 +}
 +
 +#endif
+diff -up krb5-1.8/src/lib/krb5/rcache/rc_dfl.c krb5-1.8/src/lib/krb5/rcache/rc_dfl.c
+--- krb5-1.8/src/lib/krb5/rcache/rc_dfl.c	2011-06-13 21:04:04.994208850 -0400
++++ krb5-1.8/src/lib/krb5/rcache/rc_dfl.c	2011-06-13 21:05:07.416208760 -0400
+@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context 
+     krb5_error_code retval = 0;
+     krb5_rcache tmp;
+     krb5_deltat lifespan = t->lifespan;  /* save original lifespan */
++#ifdef USE_SELINUX
++    void *selabel;
++#endif
+ 
+     if (! t->recovering) {
+         name = t->name;
+@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context 
+     retval = krb5_rc_resolve(context, tmp, 0);
+     if (retval)
+         goto cleanup;
++#ifdef USE_SELINUX
++    if (t->d.fn != NULL)
++        selabel = krb5int_push_fscreatecon_for(t->d.fn);
++    else
++        selabel = NULL;
++#endif
+     retval = krb5_rc_initialize(context, tmp, lifespan);
++#ifdef USE_SELINUX
++    if (selabel != NULL)
++        krb5int_pop_fscreatecon(selabel);
++#endif
+     if (retval)
+         goto cleanup;
+     for (q = t->a; q; q = q->na) {
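Review bot: The `if (selabel != NULL)` guard before `krb5int_pop_fscreatecon` skips the restore exactly when the push returned NULL, and if push_fscreatecon() (not in this diff) returns NULL to report "no previous create context" rather than a failure, the thread keeps the replay-cache label as its file-creation context after krb5_rc_initialize() returns and later files created on that thread inherit it. Since the push is already conditioned on `t->d.fn != NULL`, restoring under the same condition is safer: `if (t->d.fn != NULL) krb5int_pop_fscreatecon(selabel);`, with krb5int_pop_fscreatecon accepting a NULL previous context. The nested header `diff -up krb5-1.8/src/lib/krb5/rcache/rc_dfl.c krb5-1.8/src/lib/krb5/rcache/rc_dfl.c` names the same path on both sides, unlike the other files in this patch which carry the `.selinux-label` backup suffix — harmless for patch(1) but inconsistent. krb5_rc_dfl_expunge_locked starts and ends outside the hunk, and whether k5-label.h is in scope there is assumed from the k5-int.h changes earlier in the patch.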
diff --git a/krb5.spec b/krb5.spec
index 0484d70..2c3ca15 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -291,6 +291,7 @@ make %{?_smp_mflags}
 popd
 
 # A sanity checker for upgrades.
+env LD_LIBRARY_PATH=`pwd`/src/lib \
 %{__cc} -o kdb_check_weak \
 	-I src/include `./src/krb5-config --cflags kdb` \
 	%{SOURCE35} \
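Review bot: The added `env LD_LIBRARY_PATH=`pwd`/src/lib \` prefixes the `%{__cc}` compile-and-link command, so it is the compiler process that sees the variable, not a later run of kdb_check_weak. If the purpose is to let the sanity checker find the freshly built libraries at run time, the setting belongs on the line that executes `./kdb_check_weak`; the command's continuation lines lie beyond the hunk, so whether that invocation is part of the same shell command is inferred rather than visible.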
@@ -655,6 +656,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Tue Jun 14 2011 Nalin Dahyabhai <nalin at redhat.com>
+- incorporate a fix to teach the file labeling bits about when replay caches
+  are expunged (#576093)
+
 * Thu May 26 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-3
 - switch to the upstream patch for #707145
 

