- selinux labeling: use selabel_open() family of functions rather than

matchpathcon(), bail on it if attempting to get the mutex lock fails
This commit is contained in:
Nalin Dahyabhai 2009-06-26 21:45:54 +00:00
parent 6e77eee565
commit 3f291ca045
2 changed files with 80 additions and 50 deletions


@ -6,8 +6,11 @@ because SELinux can apply a default label to a file based on the label
of the directory in which it's created. of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need given a label sufficient, as /etc/krb5.keytab will almost always need to be given a
which differs from that of /etc/issue or /etc/resolv.conf. label which differs from that of /etc/issue or /etc/resolv.conf. The
the kdb stash file needs a different label than the database for which
it's holding a master key, even though both typically live in the same
directory.
To give the file the correct label, we can either force a "restorecon" To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with call to fix a file's label after it's created, or create the file with
@ -520,9 +523,9 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
diff -up /dev/null krb5-1.7/src/util/support/selinux.c diff -up /dev/null krb5-1.7/src/util/support/selinux.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400 --- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400 +++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400
@@ -0,0 +1,275 @@ @@ -0,0 +1,300 @@
+/* +/*
+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved. + * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved.
+ * + *
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met: + * modification, are permitted provided that the following conditions are met:
@ -572,6 +575,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+#include <string.h> +#include <string.h>
+#include <unistd.h> +#include <unistd.h>
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/label.h>
+ +
+/* #define DEBUG 1 */ +/* #define DEBUG 1 */
+ +
@ -590,6 +594,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+push_fscreatecon(const char *pathname, mode_t mode) +push_fscreatecon(const char *pathname, mode_t mode)
+{ +{
+ security_context_t previous, next; + security_context_t previous, next;
+ struct selabel_handle *ctx;
+ const char *fullpath; + const char *fullpath;
+ +
+ previous = NULL; + previous = NULL;
@ -630,12 +635,18 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ "\"%s\"(%05o).\n", fullpath, mode); + "\"%s\"(%05o).\n", fullpath, mode);
+ } + }
+#endif +#endif
+ if (matchpathcon(fullpath, mode, &next) != 0) { + ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ free(genpath); + if (ctx != NULL) {
+ if (previous != NULL) { + if (selabel_lookup(ctx, &next,
+ freecon(previous); + fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ } + }
+ return NULL; + selabel_close(ctx);
+ } + }
+ free(genpath); + free(genpath);
+#ifdef DEBUG +#ifdef DEBUG
@ -698,14 +709,17 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ } + }
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0); + ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode); + fp = fopen(path, mode);
+ errno_save = errno; + errno_save = errno;
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ } else {
+ fp = fopen(path, mode);
+ }
+ +
+ errno = errno_save;
+ return fp; + return fp;
+} +}
+ +
@ -717,14 +731,16 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ security_context_t ctx; + security_context_t ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0); + ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode); + fd = creat(path, mode);
+ errno_save = errno; + errno_save = errno;
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+ + errno = errno_save;
+ errno = errno_save; + } else {
+ fd = creat(path, mode);
+ }
+ return fd; + return fd;
+} +}
+ +
@ -736,14 +752,16 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ security_context_t ctx; + security_context_t ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, mode); + ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev); + ret = mknod(path, mode, dev);
+ errno_save = errno; + errno_save = errno;
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+ + errno = errno_save;
+ errno = errno_save; + } else {
+ ret = mknod(path, mode, dev);
+ }
+ return ret; + return ret;
+} +}
+ +
@ -755,14 +773,16 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ security_context_t ctx; + security_context_t ctx;
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, S_IFDIR); + ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode); + ret = mkdir(path, mode);
+ errno_save = errno; + errno_save = errno;
+ pop_fscreatecon(ctx); + pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex); + k5_mutex_unlock(&labeled_mutex);
+ + errno = errno_save;
+ errno = errno_save; + } else {
+ ret = mkdir(path, mode);
+ }
+ return ret; + return ret;
+} +}
+ +
@ -780,18 +800,26 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ } + }
+ +
+ k5_once(&labeled_once, label_mutex_init); + k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex); + if (k5_mutex_lock(&labeled_mutex) == 0) {
+ ctx = push_fscreatecon(path, 0); + ctx = push_fscreatecon(path, 0);
+ +
+ va_start(ap, flags); + va_start(ap, flags);
+ mode = va_arg(ap, mode_t); + mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode); + fd = open(path, flags, mode);
+ va_end(ap); + va_end(ap);
+ +
+ errno_save = errno; + errno_save = errno;
+ + pop_fscreatecon(ctx);
+ pop_fscreatecon(ctx); + k5_mutex_unlock(&labeled_mutex);
+ k5_mutex_unlock(&labeled_mutex); + errno = errno_save;
+ } else {
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ errno_save = errno;
+ va_end(ap);
+ errno = errno_save;
+ }
+ return fd; + return fd;
+} +}
+ +
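Review bot: In the push_fscreatecon hunk the selabel_open() failure path is weaker than the matchpathcon() path it replaces: when `ctx` is NULL the code skips the whole `if` and falls through to `free(genpath)` and the rest of the function with `next` never assigned in this hunk, whereas the old code returned NULL on lookup failure. Unless `next` is initialized earlier in the function (its declaration at the top has no initializer, and the body between the hunks is not visible here), the subsequent setfscreatecon() may be handed an indeterminate pointer; the safer shape is to treat an open failure like a lookup failure, `if (ctx == NULL || selabel_lookup(ctx, &next, fullpath, mode) != 0) {` with the existing cleanup guarded by `if (ctx != NULL) selabel_close(ctx);`. Separately, calling selabel_open() on every file creation reparses file_contexts each time; since all callers already hold labeled_mutex, a handle cached across calls would avoid that, though that is a follow-up rather than a blocker. It is also worth a one-line comment in the labeled_fopen/creat/mknod/mkdir/open wrappers that the `else` branch deliberately creates the file with the default (directory-inherited) label when the lock cannot be taken, since the commit message says "bail" but the code falls back to unlabeled creation. push_fscreatecon begins and ends outside the hunk.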


@ -210,6 +210,8 @@ certificate.
* Fri Jun 26 2009 Nalin Dahyabhai <nalin@redhat.com> * Fri Jun 26 2009 Nalin Dahyabhai <nalin@redhat.com>
- fix a type mismatch in krb5_copy_error_message() - fix a type mismatch in krb5_copy_error_message()
- ftp: fix some odd use of strlen() - ftp: fix some odd use of strlen()
- selinux labeling: use selabel_open() family of functions rather than
matchpathcon(), bail on it if attempting to get the mutex lock fails
* Tue Jun 16 2009 Nalin Dahyabhai <nalin@redhat.com> * Tue Jun 16 2009 Nalin Dahyabhai <nalin@redhat.com>
- compile with %%{?_smp_mflags} (Steve Grubb) - compile with %%{?_smp_mflags} (Steve Grubb)