[krb5/f16] - selinux: reset the creation context properly after expunging replay caches if they were previously

Nalin Dahyabhai nalin at fedoraproject.org
Tue Nov 15 16:15:50 UTC 2011


commit 57dcd4d36a4ddfb794b728fe8a23d11428897a71
Author: Nalin Dahyabhai <nalin at redhat.com>
Date:   Tue Nov 15 11:15:37 2011 -0500

    - selinux: reset the creation context properly after expunging replay caches if they were previously set to the default value (#754001)

 krb5-1.9-selinux-label.patch |   22 +++++++++++++++++-----
 krb5.spec                    |    6 +++++-
 2 files changed, 22 insertions(+), 6 deletions(-)
---
diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.9-selinux-label.patch
index 03e58c4..950254b 100644
--- a/krb5-1.9-selinux-label.patch
+++ b/krb5-1.9-selinux-label.patch
@@ -501,7 +501,7 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s
 diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c
 --- krb5-1.8/src/util/support/selinux.c.selinux-label	2010-03-05 10:57:23.000000000 -0500
 +++ krb5-1.8/src/util/support/selinux.c	2010-03-05 10:57:23.000000000 -0500
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,374 @@
 +/*
 + * Copyright 2007,2008,2009,2011 Red Hat, Inc.  All Rights Reserved.
 + *
@@ -725,16 +725,28 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup
 +krb5int_push_fscreatecon_for(const char *pathname)
 +{
 +	struct stat st;
-+	if (stat(pathname, &st) != 0) {
-+		st.st_mode = S_IRUSR | S_IWUSR;
++	void *retval;
++	k5_once(&labeled_once, label_mutex_init);
++	if (k5_mutex_lock(&labeled_mutex) == 0) {
++		if (stat(pathname, &st) != 0) {
++			st.st_mode = S_IRUSR | S_IWUSR;
++		}
++		retval = push_fscreatecon(pathname, st.st_mode);
++		return retval ? retval : (void *) -1;
++	} else {
++		return NULL;
 +	}
-+	return push_fscreatecon(pathname, st.st_mode);
 +}
 +
 +void
 +krb5int_pop_fscreatecon(void *con)
 +{
-+	pop_fscreatecon(con);
++	if (con != NULL) {
++		if (con != (void *) -1) {
++			pop_fscreatecon(con);
++		}
++		k5_mutex_unlock(&labeled_mutex);
++	}
 +}
 +
 +FILE *
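Review bot: In krb5int_pop_fscreatecon the `(void *) -1` sentinel skips `pop_fscreatecon()` entirely, so when `push_fscreatecon()` returned NULL after switching the creation context (presumably the "previously default" case the commit message names), nothing visible here puts the default back, and files the process creates later could pick up the wrong SELinux label. The bodies of push_fscreatecon and pop_fscreatecon are outside the hunk, but if `pop_fscreatecon(NULL)` is what resets to the default, map the sentinel back instead of skipping: `pop_fscreatecon(con == (void *) -1 ? NULL : con);`. Because labeled_mutex is now held from push until pop, a comment above krb5int_push_fscreatecon_for should state that contract, e.g. `/* Holds labeled_mutex until krb5int_pop_fscreatecon(); call it on every path, even for (void *) -1. NULL means the lock was not taken. */`. The return-type line of krb5int_push_fscreatecon_for and the function that begins at `FILE *` lie outside the hunk.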
diff --git a/krb5.spec b/krb5.spec
index 92ed299..d670cb1 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -6,7 +6,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.9.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.9/krb5-1.9.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -703,6 +703,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Wed Nov 15 2011 Nalin Dahyabhai <nalin at redhat.com> 1.9.1-19
+- selinux: reset the creation context properly after expunging replay caches
+  if they were previously set to the default value (#754001)
+
 * Wed Oct 26 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.9.1-18
 - Rebuilt for glibc bug#747377
 

