import CS adcli-0.9.3.1-3.el9

2026-03-30 11:16:14 -04:00 · 2026-03-30 11:16:14 -04:00 · 8050083437
commit 8050083437
parent aa3bdaac27
4 changed files with 210 additions and 9 deletions
--- a/.adcli.metadata
+++ b/.adcli.metadata
@ -1 +1 @@
-5aba9ae88ad5a75f8ce143372cb8678b96ca5773 SOURCES/adcli-0.9.2.tar.gz
+14e715b5ef1b98230a71ab824336185b0495d4e6 SOURCES/adcli-0.9.3.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/adcli-0.9.2.tar.gz
+SOURCES/adcli-0.9.3.1.tar.gz
--- a/SOURCES/0001-enroll-fix-issues-if-default-keytab-is-used.patch
+++ b/SOURCES/0001-enroll-fix-issues-if-default-keytab-is-used.patch
@ -0,0 +1,117 @@
+From 9c31bb06590f2d96a2d6d8ce87dc3273c283a671 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 19 Dec 2025 14:48:13 +0100
+Subject: [PATCH] enroll: fix issues if default keytab is used
+
+librkb5 returns the default keytab with a 'FILE:' prefix which must be
+removed before calling libselinux functions to operate on the keytab
+file.
+
+Resolves: https://issues.redhat.com/browse/RHEL-78631
+---
+ library/adenroll.c | 32 ++++++++++++++++++++------------
+ library/adenroll.h |  3 +--
+ tools/computer.c   |  6 +++---
+ 3 files changed, 24 insertions(+), 17 deletions(-)
+
+diff --git a/library/adenroll.c b/library/adenroll.c
+index 20ad198..9484cbf 100644
+--- a/library/adenroll.c
+++ b/library/adenroll.c
+@@ -2116,30 +2116,38 @@ ensure_host_keytab (adcli_result res,
+ 	return ADCLI_SUCCESS;
+ }
+ 
+-adcli_result
+-ensure_host_keytab_selinux_context (adcli_result res,
+-                                    adcli_enroll *enroll)
+void
+restore_host_keytab_selinux_context (adcli_enroll *enroll)
+ {
+ #ifdef BUILD_SELINUX_POLICY
+ 	int ret;
+-
+-	if (res != ADCLI_SUCCESS)
+-		return res;
+	krb5_context k5;
+	const char *name_start;
+ 
+ 	if (enroll->keytab_name == NULL) {
+ 		_adcli_info ("No keytab name available, skipping SELinux restorecon.");
+-		return ADCLI_SUCCESS;
+		return;
+	}
+
+	name_start = enroll->keytab_name;
+	if (strncmp (name_start, "FILE:", 5) == 0) {
+		name_start = enroll->keytab_name + 5;
+ 	}
+ 
+-	ret = selinux_restorecon (adcli_enroll_get_keytab_name (enroll), 0);
+	if (enroll->keytab != NULL) {
+		k5 = adcli_conn_get_krb5_context (enroll->conn);
+		krb5_kt_close (k5, enroll->keytab);
+		enroll->keytab = NULL;
+	}
+
+	ret = selinux_restorecon (name_start, 0);
+ 	if (ret != 0) {
+-		_adcli_err ("Failed to set SELinux context for %s with error %d: %s",
+-		            enroll->keytab_name, ret, strerror (ret));
+-		return ADCLI_ERR_FAIL;
+		_adcli_err ("Failed to set SELinux context for %s with error %d: %s, ignored",
+		            name_start, ret, strerror (errno));
+ 	}
+ #endif
+ 
+-	return ADCLI_SUCCESS;
+	return;
+ }
+ 
+ 
+diff --git a/library/adenroll.h b/library/adenroll.h
+index 79eb7a8..5aba81b 100644
+--- a/library/adenroll.h
+++ b/library/adenroll.h
+@@ -192,6 +192,5 @@ void               adcli_enroll_set_samba_data_tool     (adcli_enroll *enroll,
+ 
+ const char *       adcli_enroll_get_samba_data_tool     (adcli_enroll *enroll);
+ 
+-adcli_result        ensure_host_keytab_selinux_context  (adcli_result res,
+-                                                         adcli_enroll *enroll);
+void               restore_host_keytab_selinux_context  (adcli_enroll *enroll);
+ #endif /* ADENROLL_H_ */
+diff --git a/tools/computer.c b/tools/computer.c
+index ee027dc..f056366 100644
+--- a/tools/computer.c
+++ b/tools/computer.c
+@@ -520,7 +520,7 @@ adcli_tool_computer_join (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+@@ -655,7 +655,7 @@ adcli_tool_computer_update (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+@@ -1275,7 +1275,7 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
+ 	else if (show_password)
+ 		dump_password (conn, enroll);
+ 
+-	ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+	restore_host_keytab_selinux_context (enroll);
+ 
+ 	adcli_enroll_unref (enroll);
+ 
+-- 
+2.52.0
+
--- a/SPECS/adcli.spec
+++ b/SPECS/adcli.spec
@ -1,10 +1,16 @@
+%global with_selinux 1
+%global selinuxtype targeted
+%global modulename adcli
+
 Name:    adcli
-Version: 0.9.2
-Release: 1%{?dist}
+Version: 0.9.3.1
+Release: 3%{?dist}
 Summary: Active Directory enrollment
-License: LGPLv2+
+License: LGPL-2.1-or-later
 URL:     https://gitlab.freedesktop.org/realmd/adcli
-Source0: https://gitlab.freedesktop.org/realmd/adcli/uploads/ea560656ac921b3fe0d455976aaae9be/adcli-%{version}.tar.gz
+Source0: https://gitlab.freedesktop.org/-/project/1196/uploads/5a1c55410c0965835b81fbd28d820d46/adcli-%{version}.tar.gz
+
+Patch1: 0001-enroll-fix-issues-if-default-keytab-is-used.patch

 BuildRequires: gcc
 BuildRequires: intltool pkgconfig
@ -15,6 +21,13 @@ BuildRequires: openldap-devel
 BuildRequires: libxslt
 BuildRequires: xmlto
 BuildRequires: make
+BuildRequires: libnetapi-devel
+
+# Build dependencies for SELinux policy
+%if %{with selinux}
+BuildRequires:  libselinux-devel
+BuildRequires:  selinux-policy-devel
+%endif

 Requires: cyrus-sasl-gssapi
 Conflicts: adcli-doc < %{version}-%{release}
@ -23,10 +36,37 @@ Conflicts: adcli-doc < %{version}-%{release}
 # the adcli tool itself is to be used by callers
 Obsoletes: adcli-devel < 0.5

+%if %{with selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description
 adcli is a tool for joining an Active Directory domain using
 standard LDAP and Kerberos calls.

+%if %{with selinux}
+# SELinux subpackage
+%package selinux
+Summary:             The adcli SELinux policy
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+Requires: selinux-policy >= %{_selinux_policy_version}
+BuildRequires: pkgconfig(systemd)
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): libselinux-utils
+Requires(post): policycoreutils
+
+%description selinux
+Custom SELinux policy module for adcli to make sure generated Kerberos keytab
+files have the right SELinux context.
+%endif
+
 %define _hardened_build 1

 %prep
@ -39,24 +79,43 @@ autoreconf --force --install --verbose
    --with-vendor-error-message='Please check\n    https://red.ht/support_rhel_ad \nto get help for common issues.' \
 %endif
    %{nil}
-make %{?_smp_mflags}
+%make_build

 %check
 make check

 %install
-make install DESTDIR=%{buildroot}
+%make_install
 find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'

 %ldconfig_scriptlets

+%if %{with selinux}
+# SELinux contexts are saved so that only affected files can be
+# relabeled after the policy module installation
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%endif
+
 %files
 %{_sbindir}/adcli
 %doc AUTHORS COPYING ChangeLog NEWS README
 %doc %{_mandir}/*/*

 %package doc
-Summary: adcli documentation
+Summary: The adcli documentation package
 BuildArch: noarch
 Conflicts: adcli < %{version}-%{release}

@ -68,7 +127,32 @@ documentation.
 %files doc
 %doc %{_datadir}/doc/adcli/*

+%if %{with selinux}
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
+
 %changelog
+* Tue Dec 23 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-3
+- Fix issue with restoring SELinux file label
+  Resolves: RHEL-134944
+
+* Tue Dec 23 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-2
+- Add explicit selinux dependencies to avoid policycoreutils-python-utils dependency
+  Resolves: RHEL-134944
+
+* Wed Dec 17 2025 Sumit Bose <sbose@redhat.com> - 0.9.3.1-1
+- Rebase to latest upstream version
+  Resolves: RHEL-134944
+  Resolves: RHEL-134945
+  Resolves: RHEL-134946
+  Resolves: RHEL-134947
+  Resolves: RHEL-134948
+  Resolves: RHEL-134950
+  Resolves: RHEL-134951
+  Resolves: RHEL-134952
+
 * Wed Oct 12 2022 Sumit Bose <sbose@redhat.com> - 0.9.2-1
 - Update to upstream release 0.9.2
  Resolves: rhbz#2124030, rhbz#2133836