[krb5] Label DIR: ccache directories when we create them

Nalin Dahyabhai nalin at fedoraproject.org
Thu May 30 19:11:55 UTC 2013


commit 559c78a30a78cb45a5e2e261eded99cbac8c94b7
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Thu May 30 09:18:15 2013 -0400

    Label DIR: ccache directories when we create them
    
    - don't forget to set the SELinux label when creating the directory for
      a DIR: ccache

 krb5-1.11-selinux-label.patch |   26 ++++++++++++++++++++++++++
 krb5.spec                     |    6 +++++-
 2 files changed, 31 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.11-selinux-label.patch b/krb5-1.11-selinux-label.patch
index 0486b82..f832728 100644
--- a/krb5-1.11-selinux-label.patch
+++ b/krb5-1.11-selinux-label.patch
@@ -897,6 +897,32 @@ which we used earlier, is some improvement.
      if (fd < 0)
          goto cleanup;
  #ifdef HAVE_CHMOD
+@@ -223,10 +232,23 @@
+ verify_dir(krb5_context context, const char *dirname)
+ {
+     struct stat st;
++    int status;
++#ifdef USE_SELINUX
++    void *selabel;
++#endif
+ 
+     if (stat(dirname, &st) < 0) {
+-        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
+-            return 0;
++        if (errno == ENOENT) {
++#ifdef USE_SELINUX
++            selabel = krb5int_push_fscreatecon_for(dirname);
++#endif
++            status = mkdir(dirname, S_IRWXU);
++#ifdef USE_SELINUX
++            krb5int_pop_fscreatecon(selabel);
++#endif
++            if (status == 0)
++                return 0;
++        }
+         krb5_set_error_message(context, KRB5_FCC_NOFILE,
+                                _("Credential cache directory %s does not "
+                                  "exist"), dirname);
 --- krb5/src/lib/krb5/os/trace.c
 +++ krb5/src/lib/krb5/os/trace.c
 @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
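Review bot: The pointer returned by `krb5int_push_fscreatecon_for(dirname)` is passed to `krb5int_pop_fscreatecon()` without being examined, so in the added `errno == ENOENT` branch a failed label lookup cannot be told apart from a successful one. The helper's failure behaviour is not visible in this hunk, but if it can return without setting the file-creation context, `mkdir` still runs and the DIR: ccache directory gets the inherited default label, which is the condition this change is meant to prevent. If best-effort labelling is intended, say so above the call, e.g. `/* Labeling is best-effort; mkdir proceeds even if no context could be set. */`; otherwise the failure should be reported rather than dropped. Separately, a `mkdir` failure for any reason other than absence (a concurrent creator between `stat` and `mkdir`, or a permission error on the parent) still falls through to the "does not exist" message. The body of verify_dir continues past the end of this hunk.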
diff --git a/krb5.spec b/krb5.spec
index 6d3d4f0..31cda69 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -837,6 +837,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu May 30 2013 Nalin Dahyabhai <nalin at redhat.com> 1.11.2-9
+- don't forget to set the SELinux label when creating the directory for
+  a DIR: ccache
+
 * Thu May 30 2013 Nalin Dahyabhai <nalin at redhat.com> 1.11.2-8
 - pull in patches from master to not test GSSRPC-over-UDP and to not
   depend on the portmapper, which are areas where our build systems

