diff --git a/krb5-1.6.1-selinux-label.patch b/krb5-1.6.1-selinux-label.patch
index aa31d88..ed54a72 100644
--- a/krb5-1.6.1-selinux-label.patch
+++ b/krb5-1.6.1-selinux-label.patch
@@ -35,27 +35,273 @@ the libkrb5support library depends on libselinux. fi echo $lib_flags ---- krb5-1.6.1/src/lib/krb4/Makefile.in 2006-10-06 17:17:56.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/Makefile.in 2007-06-22 17:06:27.000000000 -0400 -@@ -25,7 +25,7 @@ SHLIB_EXPDEPS = \ - $(TOPLIBD)/libdes425$(SHLIBEXT) \ - $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) --SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -+SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -l$(SUPPORT_LIBNAME) $(SELINUX_LIBS) - SHLIB_DIRS=-L$(TOPLIBD) - SHLIB_RDIRS=$(KRB5_LIBDIR) +--- krb5-1.6.1/src/aclocal.m4 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/aclocal.m4 2007-08-24 23:38:41.000000000 -0400 +@@ -102,6 +102,7 @@ + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1896,3 +1897,50 @@ + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++ ++dnl Use libselinux to set file contexts on newly-created files. 
++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_RESULT([Using SELinux.]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +--- krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-24 23:38:42.000000000 -0400 +@@ -68,6 +68,7 @@ + #include ---- krb5-1.6.1/src/include/k5-label.h 2007-06-24 17:25:59.000000000 -0400 -+++ krb5-1.6.1/src/include/k5-label.h 2007-06-24 17:25:59.000000000 -0400 -@@ -0,0 +1,21 @@ + #ifdef KERBEROS ++#include + #include + #include + #include +--- krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 02:54:40.000000000 -0400 +@@ -84,6 +84,7 @@ + #ifdef KERBEROS + #include + #include ++#include + + 
+ void sink(int, char **), source(int, char **), +--- krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-24 23:38:42.000000000 -0400 +@@ -70,6 +70,7 @@ + #define getwd(x) getcwd(x,MAXPATHLEN) + #endif + ++#include + #include "ftp_var.h" + #include "pathnames.h" + +--- krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-24 23:38:39.000000000 -0400 +@@ -124,6 +124,7 @@ + #define L_INCR 1 + #endif + ++#include + #ifdef KRB5_KRB4_COMPAT + #include + +--- krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-24 23:38:39.000000000 -0400 +@@ -102,6 +102,7 @@ + static struct sgttyb ttyo, ttyb; + #endif + ++#include "k5-label.h" + #include "ftp_var.h" + + static FILE *fi; +--- krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-24 23:38:39.000000000 -0400 +@@ -47,6 +47,7 @@ + #include + #include + #include ++#include + #include "ftp_var.h" + + #ifdef _WIN32 +--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-24 23:38:40.000000000 -0400 +@@ -75,6 +75,7 @@ + unsigned char *ucbuf; + + static int kerror; /* XXX needed for all auth types */ ++#include + #ifdef KRB5_KRB4_COMPAT + extern struct sockaddr_in his_addr, ctrl_addr; + #include +--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-24 23:38:39.000000000 -0400 +@@ -70,6 +70,7 @@ + #ifdef HAVE_SHADOW + #include + #endif ++#include + #ifdef USE_PAM + #include "../../bsd/pam.h" + #endif +--- krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 02:52:08.000000000 -0400 +@@ -22,6 +22,7 @@ + 
#include "com_err.h" + #include "libpty.h" + #include "pty-int.h" ++#include "k5-label.h" + + /* + * This function will be called twice. The first time it will acquire +--- krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 02:52:35.000000000 -0400 +@@ -24,6 +24,7 @@ + #include "com_err.h" + #include "libpty.h" + #include "pty-int.h" ++#include "k5-label.h" + + long + pty_open_slave(const char *slave, int *fd) +--- krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 02:51:32.000000000 -0400 +@@ -23,6 +23,7 @@ + #include "com_err.h" + #include "libpty.h" + #include "pty-int.h" ++#include "k5-label.h" + + /* + * This function gets called to set up the current process as a +--- krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-24 23:38:39.000000000 -0400 +@@ -102,6 +102,7 @@ + #else + #include + #endif ++#include + + #include "encrypt.h" + #include "auth.h" +--- krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-24 23:38:41.000000000 -0400 +@@ -70,6 +70,7 @@ + #ifdef HAVE_VFORK_H + #include + #endif ++#include + + #include + +--- krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-24 23:38:39.000000000 -0400 +@@ -61,6 +61,8 @@ + #include + #endif + ++#include ++ + FILE *NetTrace = 0; /* Not in bss, since needs to stay */ + int prettydump; + +--- krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-24 23:38:39.000000000 -0400 +@@ -80,6 +80,7 @@ + #include "fake-addrinfo.h" + + #ifdef KRB5 ++#include "k5-label.h" + #include "krb5.h" + #endif + +--- 
krb5-1.6.1/src/config/pre.in 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/config/pre.in 2007-08-24 23:38:39.000000000 -0400 +@@ -181,6 +181,7 @@ + CLNTLIBS = @CLNTLIBS@ + CLNTDEPLIBS = @CLNTDEPLIBS@ + PAM_LIBS = @PAM_LIBS@ ++SELINUX_LIBS = @SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -391,7 +392,7 @@ + # HESIOD_LIBS is -lhesiod... + HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) + KDB5_LIBS = $(KDB5_LIB) + GSS_LIBS = $(GSS_KRB5_LIB) +--- krb5-1.6.1/src/configure.in 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/configure.in 2007-08-24 23:38:39.000000000 -0400 +@@ -425,6 +425,8 @@ + fi + fi + ++KRB5_WITH_SELINUX ++ + dnl + dnl + dnl check for ANSI stdio, esp "b" option to fopen(). This (unfortunately) +--- krb5-1.6.1/src/include/k5-int.h 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/include/k5-int.h 2007-08-24 23:38:42.000000000 -0400 +@@ -172,6 +172,9 @@ + /* Get error info support. */ + #include "k5-err.h" + ++/* Get file labeling support. */ ++#include "k5-label.h" ++ + /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. + The ones that it doesn't include, we include below. */ + +--- krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400 +@@ -0,0 +1,24 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H +/* Wrapper functions which help us create files and directories with the right + * context labels. 
*/ +#ifdef USE_SELINUX +#include ++#include ++#include +#include ++#include +FILE *krb5int_labeled_fopen(const char *path, const char *mode); +int krb5int_labeled_creat(const char *path, mode_t mode); +int krb5int_labeled_open(const char *path, int flags, ...); 
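Review bot: In the KRB5_WITH_SELINUX macro added to aclocal.m4, the default is `withselinux=auto`, and in that mode a missing `selinux/selinux.h` or libselinux only prints an AC_MSG_RESULT and sets `withselinux=no`. A build host without the SELinux development files therefore silently produces binaries that create files without labels. If the package relies on the labeling, the build should presumably pass `--with-selinux` explicitly so the AC_MSG_ERROR branches fire; the spec's configure invocation is not visible in this diff. Separately, after the header check fails in auto mode the macro still runs the `setfscreatecon` probes, so `SELINUX_LIBS="$LIBS"` can be set while USE_SELINUX stays undefined; guarding the probe with a second `if test "$withselinux" != no ; then` would avoid that.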
@@ -70,39 +316,294 @@ the libkrb5support library depends on libselinux. +#endif +#endif +#endif ---- krb5-1.6.1/src/include/k5-int.h 2007-02-05 18:44:34.000000000 -0500 -+++ krb5-1.6.1/src/include/k5-int.h 2007-06-24 17:25:40.000000000 -0400 -@@ -172,6 +172,9 @@ - /* Get error info support. */ - #include "k5-err.h" +--- krb5-1.6.1/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500 ++++ krb5-1.6.1/src/kadmin/dbutil/dump.c 2007-08-25 02:58:26.000000000 -0400 +@@ -37,6 +37,7 @@ + #if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP) + #include + #endif /* HAVE_REGEX_H */ ++#include -+/* Get file labeling support. */ + /* + * Needed for master key conversion. +--- krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:05:12.000000000 -0400 +@@ -24,6 +24,7 @@ + #include "adm_proto.h" + #include + #include "server_internal.h" ++#include + + static char **word_list = NULL; /* list of word pointers */ + static char *word_block = NULL; /* actual word data */ +--- krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:02:01.000000000 -0400 +@@ -40,6 +40,7 @@ + #include + #endif + #include +#include "k5-label.h" + + #ifndef O_SYNC + #define O_SYNC 0 +--- krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:03:01.000000000 -0400 +@@ -37,6 +37,7 @@ + #ifdef HAVE_UNISTD_H + #include + #endif ++#include "k5-label.h" + + extern int krb_debug; + +--- krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:03:28.000000000 -0400 +@@ -36,6 +36,7 @@ + + #include "krb4int.h" + #include ++#include "k5-label.h" + + static char *log_name = KRBLOG; + static char logtxt[1000]; +--- krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 
03:03:16.000000000 -0400 +@@ -45,6 +45,7 @@ + /* just for F_OK for sco */ + #include + #endif ++#include "k5-label.h" + + #ifndef HAVE_SETEUID + #ifdef HAVE_SETRESUID +--- krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:02:32.000000000 -0400 +@@ -43,6 +43,7 @@ + + #include "krb4int.h" + #include ++#include "k5-label.h" + + static char *log_name = KRBLOG; + #if 0 +--- krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-24 23:38:39.000000000 -0400 +@@ -25,7 +25,7 @@ + $(TOPLIBD)/libdes425$(SHLIBEXT) \ + $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ + $(TOPLIBD)/libkrb5$(SHLIBEXT) +-SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto ++SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -l$(SUPPORT_LIBNAME) $(SELINUX_LIBS) + SHLIB_DIRS=-L$(TOPLIBD) + SHLIB_RDIRS=$(KRB5_LIBDIR) + +--- krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:02:47.000000000 -0400 +@@ -32,6 +32,7 @@ + #ifdef HAVE_UNISTD_H + #include + #endif ++#include "k5-label.h" + + #define KEYSZ sizeof(C_Block) + /* strict put_svc_key. 
+--- krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2004-02-24 16:07:22.000000000 -0500 ++++ krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2007-08-25 03:04:01.000000000 -0400 +@@ -9,6 +9,7 @@ + */ + + #include "mit-copyright.h" ++#include "autoconf.h" + #include "krb.h" + #include "krb4int.h" + #include +--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-08-24 23:38:39.000000000 -0400 +@@ -58,6 +58,7 @@ + #include + #include + ++#include "k5-label.h" + #include "db-int.h" + #include "btree.h" + +--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-24 23:38:41.000000000 -0400 +@@ -89,6 +89,8 @@ + AC_DEFINE(strerror, kdb2__strerror,[Define to \`kdb2__strerror' to provide private strerror function])]) + AC_SUBST(STRERROR_OBJ) + ++LDFLAGS="$LDFLAGS $SELINUX_LIBS" + - /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. - The ones that it doesn't include, we include below. 
*/ + KRB5_BUILD_LIBRARY + KRB5_BUILD_LIBOBJS + KRB5_BUILD_PROGRAM +--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-08-24 23:38:39.000000000 -0400 +@@ -51,6 +51,7 @@ + #include + #endif ---- krb5-1.6.1/src/config/pre.in 2007-06-22 17:03:21.000000000 -0400 -+++ krb5-1.6.1/src/config/pre.in 2007-06-22 17:06:27.000000000 -0400 -@@ -181,6 +181,7 @@ SRVDEPLIBS = @SRVDEPLIBS@ - CLNTLIBS = @CLNTLIBS@ - CLNTDEPLIBS = @CLNTDEPLIBS@ - PAM_LIBS = @PAM_LIBS@ -+SELINUX_LIBS = @SELINUX_LIBS@ ++#include "k5-label.h" + #include "db-int.h" + #include "hash.h" + #include "page.h" +--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-04-20 19:39:29.000000000 -0400 ++++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-08-24 23:44:21.000000000 -0400 +@@ -39,6 +39,9 @@ + /* Define to 1 if you have the `resolv' library (-lresolv). */ + #undef HAVE_LIBRESOLV - INSTALL=@INSTALL@ - INSTALL_STRIP= -@@ -391,7 +392,7 @@ DES425_LIB = @DES425_LIB@ - # HESIOD_LIBS is -lhesiod... - HESIOD_LIBS = @HESIOD_LIBS@ ++/* Define to 1 if you have the `selinux' library (-lselinux). */ ++#undef HAVE_LIBSELINUX ++ + /* Define to 1 if you have the `socket' library (-lsocket). */ + #undef HAVE_LIBSOCKET --KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) - KDB5_LIBS = $(KDB5_LIB) - GSS_LIBS = $(GSS_KRB5_LIB) ---- krb5-1.6.1/src/util/support/selinux.c 2007-06-22 17:06:42.000000000 -0400 -+++ krb5-1.6.1/src/util/support/selinux.c 2007-06-22 17:31:53.000000000 -0400 +@@ -87,6 +90,12 @@ + /* Define to 1 if you have the `res_search' function */ + #undef HAVE_RES_SEARCH + ++/* Define to 1 if you have the header file. 
*/ ++#undef HAVE_SELINUX_SELINUX_H ++ ++/* Define to 1 if you have the `setfscreatecon' function. */ ++#undef HAVE_SETFSCREATECON ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_STDINT_H + +@@ -163,6 +172,10 @@ + /* Define if link-time options for library initialization will be used */ + #undef USE_LINKER_INIT_OPTION + ++/* Define if Kerberos-aware tools should set SELinux file contexts when ++ creating files. */ ++#undef USE_SELINUX ++ + /* Define to empty if `const' does not conform to ANSI C. */ + #undef const + +--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-08-24 23:38:39.000000000 -0400 +@@ -51,6 +51,7 @@ + #include + #include + ++#include "k5-label.h" + #include "db-int.h" + #include "recno.h" + +--- krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-04-20 19:39:45.000000000 -0400 ++++ krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-08-24 23:46:17.000000000 -0400 +@@ -39,6 +39,9 @@ + /* Define to 1 if you have the `resolv' library (-lresolv). */ + #undef HAVE_LIBRESOLV + ++/* Define to 1 if you have the `selinux' library (-lselinux). */ ++#undef HAVE_LIBSELINUX ++ + /* Define to 1 if you have the `socket' library (-lsocket). */ + #undef HAVE_LIBSOCKET + +@@ -84,6 +87,12 @@ + /* Define to 1 if you have the `res_search' function */ + #undef HAVE_RES_SEARCH + ++/* Define to 1 if you have the header file. */ ++#undef HAVE_SELINUX_SELINUX_H ++ ++/* Define to 1 if you have the `setfscreatecon' function. */ ++#undef HAVE_SETFSCREATECON ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_STDINT_H + +@@ -154,5 +163,9 @@ + /* Define if link-time options for library initialization will be used */ + #undef USE_LINKER_INIT_OPTION + ++/* Define if Kerberos-aware tools should set SELinux file contexts when ++ creating files. */ ++#undef USE_SELINUX ++ + /* Define to empty if `const' does not conform to ANSI C. 
*/ + #undef const +--- krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-04-20 19:39:37.000000000 -0400 ++++ krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-08-24 23:47:02.000000000 -0400 +@@ -39,6 +39,9 @@ + /* Define to 1 if you have the `resolv' library (-lresolv). */ + #undef HAVE_LIBRESOLV + ++/* Define to 1 if you have the `selinux' library (-lselinux). */ ++#undef HAVE_LIBSELINUX ++ + /* Define to 1 if you have the `socket' library (-lsocket). */ + #undef HAVE_LIBSOCKET + +@@ -84,6 +87,12 @@ + /* Define to 1 if you have the `res_search' function */ + #undef HAVE_RES_SEARCH + ++/* Define to 1 if you have the header file. */ ++#undef HAVE_SELINUX_SELINUX_H ++ ++/* Define to 1 if you have the `setfscreatecon' function. */ ++#undef HAVE_SETFSCREATECON ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_STDINT_H + +@@ -154,5 +163,9 @@ + /* Define if link-time options for library initialization will be used */ + #undef USE_LINKER_INIT_OPTION + ++/* Define if Kerberos-aware tools should set SELinux file contexts when ++ creating files. */ ++#undef USE_SELINUX ++ + /* Define to empty if `const' does not conform to ANSI C. 
*/ + #undef const +--- krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:19:01.000000000 -0400 ++++ krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:10:03.000000000 -0400 +@@ -29,6 +29,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-label.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +--- krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-24 23:38:39.000000000 -0400 +@@ -32,3 +32,6 @@ + krb5int_clear_error + krb5int_set_error_info_callout_fn + krb5int_gmt_mktime ++krb5int_labeled_open ++krb5int_labeled_fopen ++krb5int_labeled_creat +--- krb5-1.6.1/src/util/support/Makefile.in 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/util/support/Makefile.in 2007-08-24 23:38:39.000000000 -0400 +@@ -27,6 +27,7 @@ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -55,7 +56,7 @@ + $(srcdir)/fake-addrinfo.c + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + SHLIB_DIRS= + SHLIB_RDIRS=$(KRB5_LIBDIR) + +--- krb5-1.6.1/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.1/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400 @@ -0,0 +1,258 @@ +/* + * Copyright 2007 Red Hat, Inc. All Rights Reserved. 
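Review bot: The line added to src/plugins/kdb/db2/libdb2/configure.in, `LDFLAGS="$LDFLAGS $SELINUX_LIBS"`, puts a library list into the linker-flags variable. LDFLAGS normally precedes the object files on the link line, so with a static link or `--as-needed` the library named there may be dropped or fail to resolve symbols from objects that come after it. I would carry it in the library variable instead, `LIBS="$LIBS $SELINUX_LIBS"`, or add `$(SELINUX_LIBS)` to this directory's link rule the way src/config/pre.in does for KRB5_BASE_LIBS. The rest of this configure.in is outside the hunk, so whether later checks depend on LIBS staying unchanged needs confirming.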
@@ -362,375 +863,3 @@ the libkrb5support library depends on libselinux. +} + +#endif ---- krb5-1.6.1/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400 -+++ krb5-1.6.1/src/util/support/libkrb5support.exports 2007-06-22 17:32:40.000000000 -0400 -@@ -32,3 +32,6 @@ krb5int_free_error - krb5int_clear_error - krb5int_set_error_info_callout_fn - krb5int_gmt_mktime -+krb5int_labeled_open -+krb5int_labeled_fopen -+krb5int_labeled_creat ---- krb5-1.6.1/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400 -+++ krb5-1.6.1/src/util/support/Makefile.in 2007-06-22 17:06:27.000000000 -0400 -@@ -27,6 +27,7 @@ LIBFINIFUNC=krb5int_thread_support_fini - - STLIBOBJS= \ - threads.o \ -+ selinux.o \ - init-addrinfo.o \ - plugins.o \ - errors.o \ -@@ -55,7 +56,7 @@ SRCS=\ - $(srcdir)/fake-addrinfo.c - SHLIB_EXPDEPS = - # Add -lm if dumping thread stats, for sqrt. --SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) -+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - SHLIB_DIRS= - SHLIB_RDIRS=$(KRB5_LIBDIR) - ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2006-04-24 20:29:56.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-06-22 17:06:27.000000000 -0400 -@@ -87,6 +87,8 @@ AC_CHECK_FUNC(strerror, , - AC_DEFINE(strerror, kdb2__strerror,[Define to \`kdb2__strerror' to provide private strerror function])]) - AC_SUBST(STRERROR_OBJ) - -+LDFLAGS="$LDFLAGS $SELINUX_LIBS" -+ - KRB5_BUILD_LIBRARY - KRB5_BUILD_LIBOBJS - KRB5_BUILD_PROGRAM ---- krb5-1.6.1/src/configure.in 2007-06-22 17:03:21.000000000 -0400 -+++ krb5-1.6.1/src/configure.in 2007-06-22 17:06:27.000000000 -0400 -@@ -425,6 +425,8 @@ AC_CACHE_CHECK([for in6addr_any definiti - fi - fi - -+KRB5_WITH_SELINUX -+ - dnl - dnl - dnl check for ANSI stdio, esp "b" option to fopen(). 
This (unfortunately) ---- krb5-1.6.1/src/aclocal.m4 2007-06-22 17:06:27.000000000 -0400 -+++ krb5-1.6.1/src/aclocal.m4 2007-06-22 17:08:51.000000000 -0400 -@@ -102,6 +102,7 @@ AC_SUBST_FILE(libnover_frag) - dnl - KRB5_AC_PRAGMA_WEAK_REF - WITH_LDAP -+KRB5_WITH_SELINUX - KRB5_LIB_PARAMS - KRB5_AC_INITFINI - KRB5_AC_ENABLE_THREADS -@@ -1902,3 +1902,50 @@ fi - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+ -+dnl Use libselinux to set file contexts on newly-created files. -+dnl -+AC_DEFUN(KRB5_WITH_SELINUX,[ -+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], -+ withselinux="$withval",withselinux=auto) -+old_LIBS="$LIBS" -+if test "$withselinux" != no ; then -+ AC_MSG_RESULT([checking for libselinux...]) -+ SELINUX_LIBS= -+ AC_CHECK_HEADERS(selinux/selinux.h) -+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xno ; then -+ AC_CHECK_LIB(selinux,setfscreatecon) -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then -+ SELINUX_LIBS="$LIBS" -+ else -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate libselinux.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate libselinux.]) -+ fi -+ fi -+ fi -+ if test "$withselinux" != no ; then -+ AC_MSG_RESULT([Using SELinux.]) -+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) -+ SELINUX_LIBS="$LIBS" -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(SELINUX_LIBS) -+])dnl ---- krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-06-22 18:36:07.000000000 -0400 -+++ krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-06-22 
18:36:52.000000000 -0400 -@@ -14,6 +14,7 @@ static char *rcsid = "$Header: /home/fedora/jkeating/pkgs/rpms/krb5/devel/Attic/krb5-1.6.1-selinux-label.patch,v 1.1 2007/06/25 00:54:13 nalin Exp $"; - #include - #include - #include -+#include "k5-label.h" - #include - #include - #include ---- krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-06-22 18:38:19.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-06-22 18:38:27.000000000 -0400 -@@ -22,6 +22,7 @@ - * by ksrvutil.) This version supports just enough to be useful. - */ - -+#include "k5-label.h" - #include "krb.h" - #include "krb4int.h" - ---- krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-06-22 18:38:47.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-06-22 18:38:59.000000000 -0400 -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include "k5-label.h" - #include "krb.h" - #include - #include ---- krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-06-22 18:39:39.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-06-22 18:39:49.000000000 -0400 -@@ -24,6 +24,7 @@ - * or implied warranty. 
- */ - -+#include "k5-label.h" - #include "krb.h" - #include - #include ---- krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-06-22 18:51:34.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-06-22 18:52:21.000000000 -0400 -@@ -22,6 +22,7 @@ - - #include "com_err.h" - #include "libpty.h" -+#include "k5-label.h" - #include "pty-int.h" - - /* ---- krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-06-22 18:51:55.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-06-22 18:52:15.000000000 -0400 -@@ -21,6 +21,7 @@ - - #include "com_err.h" - #include "libpty.h" -+#include "k5-label.h" - #include "pty-int.h" - - /* ---- krb5-1.6.1/src/appl/libpty/open_slave.c 2007-06-22 18:51:44.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/open_slave.c 2007-06-22 18:52:18.000000000 -0400 -@@ -23,6 +23,7 @@ - - #include "com_err.h" - #include "libpty.h" -+#include "k5-label.h" - #include "pty-int.h" - - long ---- krb5-1.6.1/src/appl/bsd/krcp.c 2007-06-22 18:53:09.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/krcp.c 2007-06-22 18:53:32.000000000 -0400 -@@ -68,6 +68,7 @@ char copyright[] = - #include - - #ifdef KERBEROS -+#include - #include - #include - #include ---- krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-06-22 18:54:02.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-06-22 18:54:14.000000000 -0400 -@@ -36,6 +36,7 @@ static char sccsid[] = "@(#)rcp.c 5.10 ( - * rcp - */ - #ifdef KERBEROS -+#include - #include - #include - #include ---- krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-06-22 18:54:42.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-06-22 18:54:52.000000000 -0400 -@@ -80,6 +80,7 @@ struct socket_security ss; - #include "fake-addrinfo.h" - - #ifdef KRB5 -+#include "k5-label.h" - #include "krb5.h" - #endif - ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-06-22 18:40:19.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-06-22 18:40:35.000000000 -0400 -@@ -58,6 +58,7 @@ static char 
sccsid[] = "@(#)bt_open.c 8. - #include - #include - -+#include "k5-label.h" - #include "db-int.h" - #include "btree.h" - ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-06-22 18:41:03.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-06-22 18:41:11.000000000 -0400 -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 - #include - #endif - -+#include "k5-label.h" - #include "db-int.h" - #include "hash.h" - #include "page.h" ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-06-22 18:41:25.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-06-22 18:41:35.000000000 -0400 -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 - #include - #include - -+#include "k5-label.h" - #include "db-int.h" - #include "recno.h" - ---- krb5-1.6.1/src/lib/krb4/log.c 2007-06-22 19:10:22.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/log.c 2007-06-22 19:10:30.000000000 -0400 -@@ -30,6 +30,7 @@ - krb_set_logfile, or change all the invokers. */ - #endif - -+#include "k5-label.h" - #include "krb.h" - #include "autoconf.h" - #ifdef HAVE_TIME_H ---- krb5-1.6.1/src/lib/krb4/kuserok.c 2007-06-22 19:10:45.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/kuserok.c 2007-06-22 19:10:58.000000000 -0400 -@@ -27,6 +27,7 @@ - * access to a local account - */ - -+#include "k5-label.h" - #include "krb.h" - - #if !defined(_WIN32) ---- krb5-1.6.1/src/lib/krb4/klog.c 2007-06-22 19:10:10.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/klog.c 2007-06-22 19:10:18.000000000 -0400 -@@ -24,6 +24,7 @@ - * or implied warranty. - */ - -+#include "k5-label.h" - #include "krb.h" - #include "autoconf.h" - #ifdef HAVE_TIME_H ---- krb5-1.6.1/src/util/profile/prof_file.c 2007-06-22 19:15:23.000000000 -0400 -+++ krb5-1.6.1/src/util/profile/prof_file.c 2007-06-22 19:15:25.000000000 -0400 -@@ -2,6 +2,7 @@ - * prof_file.c ---- routines that manipulate an individual profile file. 
- */ - -+#include "k5-label.h" - #include "prof_int.h" - - #include ---- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-06-22 19:28:07.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-06-22 19:28:56.000000000 -0400 -@@ -70,6 +70,7 @@ static char sccsid[] = "@(#)ftpd.c 5.40 - #ifdef HAVE_SHADOW - #include - #endif -+#include - #ifdef USE_PAM - #include "../../bsd/pam.h" - #endif ---- krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-06-24 17:29:48.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-06-24 17:29:56.000000000 -0400 -@@ -75,6 +75,7 @@ - unsigned char *ucbuf; - - static int kerror; /* XXX needed for all auth types */ -+#include - #ifdef KRB5_KRB4_COMPAT - extern struct sockaddr_in his_addr, ctrl_addr; - #include ---- krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-06-24 17:33:05.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-06-24 17:33:26.000000000 -0400 -@@ -70,6 +70,7 @@ static char sccsid[] = "@(#)cmds.c 5.26 - #define getwd(x) getcwd(x,MAXPATHLEN) - #endif - -+#include - #include "ftp_var.h" - #include "pathnames.h" - ---- krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-06-24 17:32:03.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-06-24 17:32:27.000000000 -0400 -@@ -47,6 +47,7 @@ static char sccsid[] = "@(#)ruserpass.c - #include - #include - #include -+#include - #include "ftp_var.h" - - #ifdef _WIN32 ---- krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-06-24 17:33:32.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-06-24 17:33:46.000000000 -0400 -@@ -124,6 +124,7 @@ int gettimeofday(struct timeval *tv, voi - #define L_INCR 1 - #endif - -+#include - #ifdef KRB5_KRB4_COMPAT - #include - ---- krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-06-24 17:32:38.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-06-24 17:32:58.000000000 -0400 -@@ -102,6 +102,7 @@ static struct termios ttyo, ttyb; - static struct sgttyb ttyo, ttyb; - #endif - -+#include "k5-label.h" - #include 
"ftp_var.h" - - static FILE *fi; ---- krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-06-24 17:37:10.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-06-24 17:38:08.000000000 -0400 -@@ -61,6 +61,8 @@ - #include - #endif - -+#include -+ - FILE *NetTrace = 0; /* Not in bss, since needs to stay */ - int prettydump; - ---- krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-06-24 17:37:16.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-06-24 17:37:55.000000000 -0400 -@@ -70,6 +70,7 @@ - #ifdef HAVE_VFORK_H - #include - #endif -+#include - - #include - ---- krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-06-24 17:40:03.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-06-24 17:41:03.000000000 -0400 -@@ -102,6 +102,7 @@ - #else - #include - #endif -+#include - - #include "encrypt.h" - #include "auth.h" diff --git a/krb5.spec b/krb5.spec index 7bf0973..8072ceb 100644 --- a/krb5.spec +++ b/krb5.spec @@ -206,6 +206,9 @@ installed on systems which are meant provide these services. %endif %changelog +* Sat Aug 25 2007 Nalin Dahyabhai 1.6.2-4 +- cover more cases in labeling files on creation + * Thu Aug 23 2007 Nalin Dahyabhai 1.6.2-3 - rebuild