- rework how labeling is handled to avoid a bootstrapping problem in headers
- don't forget to label the principal database lock file
This commit is contained in:
parent
f06f7f1e03
commit
37b6c5e715
@ -179,24 +179,11 @@ diff -ur krb5-1.6.3/src/include/autoconf.h.in krb5-1.6.3/src/include/autoconf.h.
|
|||||||
diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h
|
diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h
|
||||||
--- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400
|
--- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400
|
||||||
+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500
|
+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500
|
||||||
@@ -128,6 +128,20 @@
|
@@ -128,6 +128,7 @@
|
||||||
typedef UINT64_TYPE krb5_ui_8;
|
typedef UINT64_TYPE krb5_ui_8;
|
||||||
typedef INT64_TYPE krb5_int64;
|
typedef INT64_TYPE krb5_int64;
|
||||||
|
|
||||||
+#include "k5-platform.h"
|
|
||||||
+
|
|
||||||
+#ifdef THREEPARAMOPEN
|
|
||||||
+#undef THREEPARAMOPEN
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#ifdef USE_SELINUX
|
|
||||||
+#include "k5-label.h"
|
+#include "k5-label.h"
|
||||||
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
|
|
||||||
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
|
|
||||||
+#else
|
|
||||||
+#define WRITABLEFOPEN(x,y) fopen(x,y)
|
|
||||||
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
#define DEFAULT_PWD_STRING1 "Enter password"
|
#define DEFAULT_PWD_STRING1 "Enter password"
|
||||||
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
|
||||||
@ -388,7 +375,7 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/pl
|
|||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
+#include <k5-int.h>
|
+#include "k5-int.h"
|
||||||
#include "db-int.h"
|
#include "db-int.h"
|
||||||
#include "btree.h"
|
#include "btree.h"
|
||||||
|
|
||||||
@ -408,7 +395,7 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugin
|
|||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
+#include <k5-int.h>
|
+#include "k5-int.h"
|
||||||
#include "db-int.h"
|
#include "db-int.h"
|
||||||
#include "hash.h"
|
#include "hash.h"
|
||||||
#include "page.h"
|
#include "page.h"
|
||||||
@ -428,7 +415,7 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/p
|
|||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
||||||
+#include <k5-int.h>
|
+#include "k5-int.h"
|
||||||
#include "db-int.h"
|
#include "db-int.h"
|
||||||
#include "recno.h"
|
#include "recno.h"
|
||||||
|
|
||||||
@ -441,6 +428,19 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/p
|
|||||||
return (NULL);
|
return (NULL);
|
||||||
|
|
||||||
/* Create a btree in memory (backed by disk). */
|
/* Create a btree in memory (backed by disk). */
|
||||||
|
--- krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:41.000000000 -0400
|
||||||
|
+++ krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:45.000000000 -0400
|
||||||
|
@@ -326,8 +326,8 @@
|
||||||
|
* should be opened read/write so that write locking can work with
|
||||||
|
* POSIX systems
|
||||||
|
*/
|
||||||
|
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
|
||||||
|
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
|
||||||
|
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
|
||||||
|
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
|
||||||
|
retval = errno;
|
||||||
|
goto err_out;
|
||||||
|
}
|
||||||
diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c
|
diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c
|
||||||
--- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400
|
--- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400
|
||||||
+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500
|
+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500
|
||||||
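Review bot: Both opens of the lock file now go through `THREEPARAMOPEN`, but neither call passes `O_CREAT`, and the labeled wrapper appears to fall back to a plain `open(path, flags)` whenever no file is created (see the two-argument `return open(path, flags);` shortcut in the krb5int_labeled_open hunk further down), so these two lines label nothing by themselves. If "label the principal database lock file" is to be met, the site that first creates the lock file has to go through the labeled wrapper as well; that code is not in this diff, so it is worth confirming rather than assuming. The function containing these lines starts and ends outside the hunk.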
@ -448,7 +448,7 @@ diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/pro
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "k5-platform.h"
|
#include "k5-platform.h"
|
||||||
+#include "k5-int.h"
|
+#include "k5-label.h"
|
||||||
|
|
||||||
struct global_shared_profile_data {
|
struct global_shared_profile_data {
|
||||||
/* This is the head of the global list of shared trees */
|
/* This is the head of the global list of shared trees */
|
||||||
@ -540,7 +540,7 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
com_err(me, errno, "Error creating file %s", tmp_file);
|
com_err(me, errno, "Error creating file %s", tmp_file);
|
||||||
--- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
|
--- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
|
||||||
+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
|
+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
|
||||||
@@ -0,0 +1,256 @@
|
@@ -0,0 +1,275 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved.
|
+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved.
|
||||||
+ *
|
+ *
|
||||||
@ -579,6 +579,7 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+#ifdef USE_SELINUX
|
+#ifdef USE_SELINUX
|
||||||
+
|
+
|
||||||
+#include <k5-label.h>
|
+#include <k5-label.h>
|
||||||
|
+#include <k5-thread.h>
|
||||||
+#include <sys/types.h>
|
+#include <sys/types.h>
|
||||||
+#include <sys/stat.h>
|
+#include <sys/stat.h>
|
||||||
+#include <errno.h>
|
+#include <errno.h>
|
||||||
@ -594,7 +595,16 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+
|
+
|
||||||
+/* #define DEBUG 1 */
|
+/* #define DEBUG 1 */
|
||||||
+
|
+
|
||||||
+static pthread_mutex_t labeled_lock = PTHREAD_MUTEX_INITIALIZER;
|
+/* Mutex used to serialize use of the process-global file creation context. */
|
||||||
|
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
|
||||||
|
+
|
||||||
|
+/* Make sure we finish initializing that mutex before attempting to use it. */
|
||||||
|
+k5_once_t labeled_once = K5_ONCE_INIT;
|
||||||
|
+static void
|
||||||
|
+label_mutex_init(void)
|
||||||
|
+{
|
||||||
|
+ k5_mutex_finish_init(&labeled_mutex);
|
||||||
|
+}
|
||||||
+
|
+
|
||||||
+static security_context_t
|
+static security_context_t
|
||||||
+push_fscreatecon(const char *pathname, mode_t mode)
|
+push_fscreatecon(const char *pathname, mode_t mode)
|
||||||
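Review bot: `labeled_mutex` and `labeled_once` are introduced at file scope without `static`, whereas the `labeled_lock` they replace was `static`; nothing outside selinux.c needs them, so they should read `static k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;` and `static k5_once_t labeled_once = K5_ONCE_INIT;` instead of becoming exported symbols of libkrb5support. `label_mutex_init` also discards the result of `k5_mutex_finish_init`; if that call can fail in this tree, every wrapper below will later lock a mutex whose initialization did not complete, with no indication of it. The comment on `labeled_once` would say more as `/* Run label_mutex_init exactly once before labeled_mutex is first taken. */`.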
@ -703,12 +713,17 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ int errno_save;
|
+ int errno_save;
|
||||||
+ security_context_t ctx;
|
+ security_context_t ctx;
|
||||||
+
|
+
|
||||||
+ pthread_mutex_lock(&labeled_lock);
|
+ if (strcmp(mode, "r") == 0) {
|
||||||
|
+ return fopen(path, mode);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ k5_mutex_lock(&labeled_mutex);
|
||||||
+ ctx = push_fscreatecon(path, 0);
|
+ ctx = push_fscreatecon(path, 0);
|
||||||
+ fp = fopen(path, mode);
|
+ fp = fopen(path, mode);
|
||||||
+ errno_save = errno;
|
+ errno_save = errno;
|
||||||
+ pop_fscreatecon(ctx);
|
+ pop_fscreatecon(ctx);
|
||||||
+ pthread_mutex_unlock(&labeled_lock);
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
+
|
+
|
||||||
+ errno = errno_save;
|
+ errno = errno_save;
|
||||||
+ return fp;
|
+ return fp;
|
||||||
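Review bot: The result of `k5_mutex_lock(&labeled_mutex)` is discarded before `push_fscreatecon`; the k5-thread.h API of this era reports lock failure through its int return, so a failed lock would let the wrapper change the process-wide file-creation context unserialized and then `k5_mutex_unlock` a mutex it never acquired. A guard such as `if (k5_mutex_lock(&labeled_mutex) != 0) return NULL;` (with errno set from the lock error, or a fallback to the unlabeled `fopen`) closes that path. The same unchecked lock, and an equally unchecked `k5_once`, appear in the creat, mknod, mkdir and open hunks that follow. The `strcmp(mode, "r") == 0` fast path only bypasses the context handling for the exact mode "r"; read-only variants like "rb" still take the lock, which is harmless but deserves a one-line comment so it is not mistaken for an oversight.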
@ -721,12 +736,13 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ int errno_save;
|
+ int errno_save;
|
||||||
+ security_context_t ctx;
|
+ security_context_t ctx;
|
||||||
+
|
+
|
||||||
+ pthread_mutex_lock(&labeled_lock);
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ k5_mutex_lock(&labeled_mutex);
|
||||||
+ ctx = push_fscreatecon(path, 0);
|
+ ctx = push_fscreatecon(path, 0);
|
||||||
+ fd = creat(path, mode);
|
+ fd = creat(path, mode);
|
||||||
+ errno_save = errno;
|
+ errno_save = errno;
|
||||||
+ pop_fscreatecon(ctx);
|
+ pop_fscreatecon(ctx);
|
||||||
+ pthread_mutex_unlock(&labeled_lock);
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
+
|
+
|
||||||
+ errno = errno_save;
|
+ errno = errno_save;
|
||||||
+ return fd;
|
+ return fd;
|
||||||
@ -739,12 +755,13 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ int errno_save;
|
+ int errno_save;
|
||||||
+ security_context_t ctx;
|
+ security_context_t ctx;
|
||||||
+
|
+
|
||||||
+ pthread_mutex_lock(&labeled_lock);
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ k5_mutex_lock(&labeled_mutex);
|
||||||
+ ctx = push_fscreatecon(path, mode);
|
+ ctx = push_fscreatecon(path, mode);
|
||||||
+ ret = mknod(path, mode, dev);
|
+ ret = mknod(path, mode, dev);
|
||||||
+ errno_save = errno;
|
+ errno_save = errno;
|
||||||
+ pop_fscreatecon(ctx);
|
+ pop_fscreatecon(ctx);
|
||||||
+ pthread_mutex_unlock(&labeled_lock);
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
+
|
+
|
||||||
+ errno = errno_save;
|
+ errno = errno_save;
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -757,12 +774,13 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ int errno_save;
|
+ int errno_save;
|
||||||
+ security_context_t ctx;
|
+ security_context_t ctx;
|
||||||
+
|
+
|
||||||
+ pthread_mutex_lock(&labeled_lock);
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ k5_mutex_lock(&labeled_mutex);
|
||||||
+ ctx = push_fscreatecon(path, S_IFDIR);
|
+ ctx = push_fscreatecon(path, S_IFDIR);
|
||||||
+ ret = mkdir(path, mode);
|
+ ret = mkdir(path, mode);
|
||||||
+ errno_save = errno;
|
+ errno_save = errno;
|
||||||
+ pop_fscreatecon(ctx);
|
+ pop_fscreatecon(ctx);
|
||||||
+ pthread_mutex_unlock(&labeled_lock);
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
+
|
+
|
||||||
+ errno = errno_save;
|
+ errno = errno_save;
|
||||||
+ return ret;
|
+ return ret;
|
||||||
@ -781,7 +799,8 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ return open(path, flags);
|
+ return open(path, flags);
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ pthread_mutex_lock(&labeled_lock);
|
+ k5_once(&labeled_once, label_mutex_init);
|
||||||
|
+ k5_mutex_lock(&labeled_mutex);
|
||||||
+ ctx = push_fscreatecon(path, 0);
|
+ ctx = push_fscreatecon(path, 0);
|
||||||
+
|
+
|
||||||
+ va_start(ap, flags);
|
+ va_start(ap, flags);
|
||||||
@ -792,16 +811,21 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+ errno_save = errno;
|
+ errno_save = errno;
|
||||||
+
|
+
|
||||||
+ pop_fscreatecon(ctx);
|
+ pop_fscreatecon(ctx);
|
||||||
+ pthread_mutex_unlock(&labeled_lock);
|
+ k5_mutex_unlock(&labeled_mutex);
|
||||||
+ return fd;
|
+ return fd;
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
--- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
|
--- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
|
||||||
+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
|
+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
|
||||||
@@ -0,0 +1,17 @@
|
@@ -0,0 +1,27 @@
|
||||||
+#ifndef _KRB5_LABEL_H
|
+#ifndef _KRB5_LABEL_H
|
||||||
+#define _KRB5_LABEL_H
|
+#define _KRB5_LABEL_H
|
||||||
|
+
|
||||||
|
+#ifdef THREEPARAMOPEN
|
||||||
|
+#undef THREEPARAMOPEN
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
+/* Wrapper functions which help us create files and directories with the right
|
+/* Wrapper functions which help us create files and directories with the right
|
||||||
+ * context labels. */
|
+ * context labels. */
|
||||||
+#ifdef USE_SELINUX
|
+#ifdef USE_SELINUX
|
||||||
@ -815,5 +839,10 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
|
|||||||
+int krb5int_labeled_open(const char *path, int flags, ...);
|
+int krb5int_labeled_open(const char *path, int flags, ...);
|
||||||
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
|
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
|
||||||
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
|
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
|
||||||
|
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
|
||||||
|
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
|
||||||
|
+#else
|
||||||
|
+#define WRITABLEFOPEN(x,y) fopen(x,y)
|
||||||
|
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
|
||||||
+#endif
|
+#endif
|
||||||
+#endif
|
+#endif
|
||||||
|
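Review bot: The header force-undefines `THREEPARAMOPEN` before redefining it, but does not do the same for `WRITABLEFOPEN`, so a translation unit that already carries a `WRITABLEFOPEN` definition when it includes k5-label.h (k5-int.h now includes it unconditionally) gets a redefinition warning instead of the override the `#undef` block was added for; for symmetry add `#undef WRITABLEFOPEN` under the same guard. The prototypes in this hunk use `mode_t` and `dev_t`, and prof_file.c now includes k5-label.h directly rather than via k5-int.h, so confirm `<sys/types.h>` is visible before them; the part of the header between the include guard and these prototypes is not in view. The guard name `_KRB5_LABEL_H` is in the identifier space reserved for the implementation (leading underscore plus uppercase); `KRB5_LABEL_H` would avoid that, though this predates the commit.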
@ -1466,10 +1466,6 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
|
|||||||
--with-pam \
|
--with-pam \
|
||||||
--with-pam-login-service=%{login_pam_service} \
|
--with-pam-login-service=%{login_pam_service} \
|
||||||
--with-selinux
|
--with-selinux
|
||||||
# Generate krb5/krb5.h
|
|
||||||
pushd include
|
|
||||||
make krb5/krb5.h
|
|
||||||
popd
|
|
||||||
# Now build it.
|
# Now build it.
|
||||||
make
|
make
|
||||||
|
|
||||||
|