- cover more cases in labeling files on creation

Nalin Dahyabhai 2007-08-25 04:31:34 +00:00
parent e0443e5457
commit 5502d6651d
2 changed files with 544 additions and 412 deletions


@ -35,27 +35,273 @@ the libkrb5support library depends on libselinux.
fi
echo $lib_flags
--- krb5-1.6.1/src/lib/krb4/Makefile.in 2006-10-06 17:17:56.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/Makefile.in 2007-06-22 17:06:27.000000000 -0400
@@ -25,7 +25,7 @@ SHLIB_EXPDEPS = \
$(TOPLIBD)/libdes425$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -l$(SUPPORT_LIBNAME) $(SELINUX_LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5-1.6.1/src/aclocal.m4 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/aclocal.m4 2007-08-24 23:38:41.000000000 -0400
@@ -102,6 +102,7 @@
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1896,3 +1897,50 @@
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_RESULT([Using SELinux.])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
--- krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-24 23:38:42.000000000 -0400
@@ -68,6 +68,7 @@
#include <sys/wait.h>
--- krb5-1.6.1/src/include/k5-label.h 2007-06-24 17:25:59.000000000 -0400
+++ krb5-1.6.1/src/include/k5-label.h 2007-06-24 17:25:59.000000000 -0400
@@ -0,0 +1,21 @@
#ifdef KERBEROS
+#include <k5-label.h>
#include <krb5.h>
#include <k5-util.h>
#include <com_err.h>
--- krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 02:54:40.000000000 -0400
@@ -84,6 +84,7 @@
#ifdef KERBEROS
#include <krb.h>
#include <krbports.h>
+#include <k5-label.h>
void sink(int, char **), source(int, char **),
--- krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-24 23:38:42.000000000 -0400
@@ -70,6 +70,7 @@
#define getwd(x) getcwd(x,MAXPATHLEN)
#endif
+#include <k5-label.h>
#include "ftp_var.h"
#include "pathnames.h"
--- krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-24 23:38:39.000000000 -0400
@@ -124,6 +124,7 @@
#define L_INCR 1
#endif
+#include <k5-label.h>
#ifdef KRB5_KRB4_COMPAT
#include <krb.h>
--- krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-24 23:38:39.000000000 -0400
@@ -102,6 +102,7 @@
static struct sgttyb ttyo, ttyb;
#endif
+#include "k5-label.h"
#include "ftp_var.h"
static FILE *fi;
--- krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-24 23:38:39.000000000 -0400
@@ -47,6 +47,7 @@
#include <ctype.h>
#include <sys/stat.h>
#include <errno.h>
+#include <k5-label.h>
#include "ftp_var.h"
#ifdef _WIN32
--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-24 23:38:40.000000000 -0400
@@ -75,6 +75,7 @@
unsigned char *ucbuf;
static int kerror; /* XXX needed for all auth types */
+#include <k5-label.h>
#ifdef KRB5_KRB4_COMPAT
extern struct sockaddr_in his_addr, ctrl_addr;
#include <krb.h>
--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-24 23:38:39.000000000 -0400
@@ -70,6 +70,7 @@
#ifdef HAVE_SHADOW
#include <shadow.h>
#endif
+#include <k5-label.h>
#ifdef USE_PAM
#include "../../bsd/pam.h"
#endif
--- krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 02:52:08.000000000 -0400
@@ -22,6 +22,7 @@
#include "com_err.h"
#include "libpty.h"
#include "pty-int.h"
+#include "k5-label.h"
/*
* This function will be called twice. The first time it will acquire
--- krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 02:52:35.000000000 -0400
@@ -24,6 +24,7 @@
#include "com_err.h"
#include "libpty.h"
#include "pty-int.h"
+#include "k5-label.h"
long
pty_open_slave(const char *slave, int *fd)
--- krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 02:51:32.000000000 -0400
@@ -23,6 +23,7 @@
#include "com_err.h"
#include "libpty.h"
#include "pty-int.h"
+#include "k5-label.h"
/*
* This function gets called to set up the current process as a
--- krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-24 23:38:39.000000000 -0400
@@ -102,6 +102,7 @@
#else
#include <strings.h>
#endif
+#include <k5-label.h>
#include "encrypt.h"
#include "auth.h"
--- krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-24 23:38:41.000000000 -0400
@@ -70,6 +70,7 @@
#ifdef HAVE_VFORK_H
#include <vfork.h>
#endif
+#include <k5-label.h>
#include <arpa/telnet.h>
--- krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-24 23:38:39.000000000 -0400
@@ -61,6 +61,8 @@
#include <libtelnet/encrypt.h>
#endif
+#include <k5-label.h>
+
FILE *NetTrace = 0; /* Not in bss, since needs to stay */
int prettydump;
--- krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-24 23:38:39.000000000 -0400
@@ -80,6 +80,7 @@
#include "fake-addrinfo.h"
#ifdef KRB5
+#include "k5-label.h"
#include "krb5.h"
#endif
--- krb5-1.6.1/src/config/pre.in 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/config/pre.in 2007-08-24 23:38:39.000000000 -0400
@@ -181,6 +181,7 @@
CLNTLIBS = @CLNTLIBS@
CLNTDEPLIBS = @CLNTDEPLIBS@
PAM_LIBS = @PAM_LIBS@
+SELINUX_LIBS = @SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -391,7 +392,7 @@
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
KDB5_LIBS = $(KDB5_LIB)
GSS_LIBS = $(GSS_KRB5_LIB)
--- krb5-1.6.1/src/configure.in 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/configure.in 2007-08-24 23:38:39.000000000 -0400
@@ -425,6 +425,8 @@
fi
fi
+KRB5_WITH_SELINUX
+
dnl
dnl
dnl check for ANSI stdio, esp "b" option to fopen(). This (unfortunately)
--- krb5-1.6.1/src/include/k5-int.h 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/include/k5-int.h 2007-08-24 23:38:42.000000000 -0400
@@ -172,6 +172,9 @@
/* Get error info support. */
#include "k5-err.h"
+/* Get file labeling support. */
+#include "k5-label.h"
+
/* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
The ones that it doesn't include, we include below. */
--- krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
@@ -0,0 +1,24 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
@ -70,39 +316,294 @@ the libkrb5support library depends on libselinux.
+#endif
+#endif
+#endif
--- krb5-1.6.1/src/include/k5-int.h 2007-02-05 18:44:34.000000000 -0500
+++ krb5-1.6.1/src/include/k5-int.h 2007-06-24 17:25:40.000000000 -0400
@@ -172,6 +172,9 @@
/* Get error info support. */
#include "k5-err.h"
--- krb5-1.6.1/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500
+++ krb5-1.6.1/src/kadmin/dbutil/dump.c 2007-08-25 02:58:26.000000000 -0400
@@ -37,6 +37,7 @@
#if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP)
#include <regex.h>
#endif /* HAVE_REGEX_H */
+#include <k5-label.h>
+/* Get file labeling support. */
/*
* Needed for master key conversion.
--- krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:05:12.000000000 -0400
@@ -24,6 +24,7 @@
#include "adm_proto.h"
#include <syslog.h>
#include "server_internal.h"
+#include <k5-label.h>
static char **word_list = NULL; /* list of word pointers */
static char *word_block = NULL; /* actual word data */
--- krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:02:01.000000000 -0400
@@ -40,6 +40,7 @@
#include <unistd.h>
#endif
#include <errno.h>
+#include "k5-label.h"
#ifndef O_SYNC
#define O_SYNC 0
--- krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:03:01.000000000 -0400
@@ -37,6 +37,7 @@
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
+#include "k5-label.h"
extern int krb_debug;
--- krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:03:28.000000000 -0400
@@ -36,6 +36,7 @@
#include "krb4int.h"
#include <klog.h>
+#include "k5-label.h"
static char *log_name = KRBLOG;
static char logtxt[1000];
--- krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 03:03:16.000000000 -0400
@@ -45,6 +45,7 @@
/* just for F_OK for sco */
#include <sys/unistd.h>
#endif
+#include "k5-label.h"
#ifndef HAVE_SETEUID
#ifdef HAVE_SETRESUID
--- krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:02:32.000000000 -0400
@@ -43,6 +43,7 @@
#include "krb4int.h"
#include <klog.h>
+#include "k5-label.h"
static char *log_name = KRBLOG;
#if 0
--- krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-24 23:38:39.000000000 -0400
@@ -25,7 +25,7 @@
$(TOPLIBD)/libdes425$(SHLIBEXT) \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(TOPLIBD)/libkrb5$(SHLIBEXT)
-SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto
+SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -l$(SUPPORT_LIBNAME) $(SELINUX_LIBS)
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:02:47.000000000 -0400
@@ -32,6 +32,7 @@
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
+#include "k5-label.h"
#define KEYSZ sizeof(C_Block)
/* strict put_svc_key.
--- krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2004-02-24 16:07:22.000000000 -0500
+++ krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2007-08-25 03:04:01.000000000 -0400
@@ -9,6 +9,7 @@
*/
#include "mit-copyright.h"
+#include "autoconf.h"
#include "krb.h"
#include "krb4int.h"
#include <stdio.h>
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-08-24 23:38:39.000000000 -0400
@@ -58,6 +58,7 @@
#include <string.h>
#include <unistd.h>
+#include "k5-label.h"
#include "db-int.h"
#include "btree.h"
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-24 23:38:41.000000000 -0400
@@ -89,6 +89,8 @@
AC_DEFINE(strerror, kdb2__strerror,[Define to \`kdb2__strerror' to provide private strerror function])])
AC_SUBST(STRERROR_OBJ)
+LDFLAGS="$LDFLAGS $SELINUX_LIBS"
+
/* krb5/krb5.h includes many other .h files in the krb5 subdirectory.
The ones that it doesn't include, we include below. */
KRB5_BUILD_LIBRARY
KRB5_BUILD_LIBOBJS
KRB5_BUILD_PROGRAM
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-08-24 23:38:39.000000000 -0400
@@ -51,6 +51,7 @@
#include <assert.h>
#endif
--- krb5-1.6.1/src/config/pre.in 2007-06-22 17:03:21.000000000 -0400
+++ krb5-1.6.1/src/config/pre.in 2007-06-22 17:06:27.000000000 -0400
@@ -181,6 +181,7 @@ SRVDEPLIBS = @SRVDEPLIBS@
CLNTLIBS = @CLNTLIBS@
CLNTDEPLIBS = @CLNTDEPLIBS@
PAM_LIBS = @PAM_LIBS@
+SELINUX_LIBS = @SELINUX_LIBS@
+#include "k5-label.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-04-20 19:39:29.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-08-24 23:44:21.000000000 -0400
@@ -39,6 +39,9 @@
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -391,7 +392,7 @@ DES425_LIB = @DES425_LIB@
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+#undef HAVE_LIBSELINUX
+
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
KDB5_LIBS = $(KDB5_LIB)
GSS_LIBS = $(GSS_KRB5_LIB)
--- krb5-1.6.1/src/util/support/selinux.c 2007-06-22 17:06:42.000000000 -0400
+++ krb5-1.6.1/src/util/support/selinux.c 2007-06-22 17:31:53.000000000 -0400
@@ -87,6 +90,12 @@
/* Define to 1 if you have the `res_search' function */
#undef HAVE_RES_SEARCH
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
+/* Define to 1 if you have the `setfscreatecon' function. */
+#undef HAVE_SETFSCREATECON
+
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@@ -163,6 +172,10 @@
/* Define if link-time options for library initialization will be used */
#undef USE_LINKER_INIT_OPTION
+/* Define if Kerberos-aware tools should set SELinux file contexts when
+ creating files. */
+#undef USE_SELINUX
+
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-08-24 23:38:39.000000000 -0400
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
+#include "k5-label.h"
#include "db-int.h"
#include "recno.h"
--- krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-04-20 19:39:45.000000000 -0400
+++ krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-08-24 23:46:17.000000000 -0400
@@ -39,6 +39,9 @@
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+#undef HAVE_LIBSELINUX
+
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET
@@ -84,6 +87,12 @@
/* Define to 1 if you have the `res_search' function */
#undef HAVE_RES_SEARCH
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
+/* Define to 1 if you have the `setfscreatecon' function. */
+#undef HAVE_SETFSCREATECON
+
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@@ -154,5 +163,9 @@
/* Define if link-time options for library initialization will be used */
#undef USE_LINKER_INIT_OPTION
+/* Define if Kerberos-aware tools should set SELinux file contexts when
+ creating files. */
+#undef USE_SELINUX
+
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
--- krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-04-20 19:39:37.000000000 -0400
+++ krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-08-24 23:47:02.000000000 -0400
@@ -39,6 +39,9 @@
/* Define to 1 if you have the `resolv' library (-lresolv). */
#undef HAVE_LIBRESOLV
+/* Define to 1 if you have the `selinux' library (-lselinux). */
+#undef HAVE_LIBSELINUX
+
/* Define to 1 if you have the `socket' library (-lsocket). */
#undef HAVE_LIBSOCKET
@@ -84,6 +87,12 @@
/* Define to 1 if you have the `res_search' function */
#undef HAVE_RES_SEARCH
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
+/* Define to 1 if you have the `setfscreatecon' function. */
+#undef HAVE_SETFSCREATECON
+
/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H
@@ -154,5 +163,9 @@
/* Define if link-time options for library initialization will be used */
#undef USE_LINKER_INIT_OPTION
+/* Define if Kerberos-aware tools should set SELinux file contexts when
+ creating files. */
+#undef USE_SELINUX
+
/* Define to empty if `const' does not conform to ANSI C. */
#undef const
--- krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:19:01.000000000 -0400
+++ krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:10:03.000000000 -0400
@@ -29,6 +29,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
--- krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-24 23:38:39.000000000 -0400
@@ -32,3 +32,6 @@
krb5int_clear_error
krb5int_set_error_info_callout_fn
krb5int_gmt_mktime
+krb5int_labeled_open
+krb5int_labeled_fopen
+krb5int_labeled_creat
--- krb5-1.6.1/src/util/support/Makefile.in 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/util/support/Makefile.in 2007-08-24 23:38:39.000000000 -0400
@@ -27,6 +27,7 @@
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -55,7 +56,7 @@
$(srcdir)/fake-addrinfo.c
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5-1.6.1/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.1/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
@@ -0,0 +1,258 @@
+/*
+ * Copyright 2007 Red Hat, Inc. All Rights Reserved.
@ -362,375 +863,3 @@ the libkrb5support library depends on libselinux.
+}
+
+#endif
--- krb5-1.6.1/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400
+++ krb5-1.6.1/src/util/support/libkrb5support.exports 2007-06-22 17:32:40.000000000 -0400
@@ -32,3 +32,6 @@ krb5int_free_error
krb5int_clear_error
krb5int_set_error_info_callout_fn
krb5int_gmt_mktime
+krb5int_labeled_open
+krb5int_labeled_fopen
+krb5int_labeled_creat
--- krb5-1.6.1/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400
+++ krb5-1.6.1/src/util/support/Makefile.in 2007-06-22 17:06:27.000000000 -0400
@@ -27,6 +27,7 @@ LIBFINIFUNC=krb5int_thread_support_fini
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -55,7 +56,7 @@ SRCS=\
$(srcdir)/fake-addrinfo.c
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2006-04-24 20:29:56.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-06-22 17:06:27.000000000 -0400
@@ -87,6 +87,8 @@ AC_CHECK_FUNC(strerror, ,
AC_DEFINE(strerror, kdb2__strerror,[Define to \`kdb2__strerror' to provide private strerror function])])
AC_SUBST(STRERROR_OBJ)
+LDFLAGS="$LDFLAGS $SELINUX_LIBS"
+
KRB5_BUILD_LIBRARY
KRB5_BUILD_LIBOBJS
KRB5_BUILD_PROGRAM
--- krb5-1.6.1/src/configure.in 2007-06-22 17:03:21.000000000 -0400
+++ krb5-1.6.1/src/configure.in 2007-06-22 17:06:27.000000000 -0400
@@ -425,6 +425,8 @@ AC_CACHE_CHECK([for in6addr_any definiti
fi
fi
+KRB5_WITH_SELINUX
+
dnl
dnl
dnl check for ANSI stdio, esp "b" option to fopen(). This (unfortunately)
--- krb5-1.6.1/src/aclocal.m4 2007-06-22 17:06:27.000000000 -0400
+++ krb5-1.6.1/src/aclocal.m4 2007-06-22 17:08:51.000000000 -0400
@@ -102,6 +102,7 @@ AC_SUBST_FILE(libnover_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1902,3 +1902,50 @@ fi
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_RESULT([Using SELinux.])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
--- krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-06-22 18:36:07.000000000 -0400
+++ krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-06-22 18:36:52.000000000 -0400
@@ -14,6 +14,7 @@ static char *rcsid = "$Header: /home/fedora/jkeating/pkgs/rpms/krb5/devel/Attic/krb5-1.6.1-selinux-label.patch,v 1.1 2007/06/25 00:54:13 nalin Exp $";
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
+#include "k5-label.h"
#include <kadm5/admin.h>
#include <stdlib.h>
#include <stdio.h>
--- krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-06-22 18:38:19.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-06-22 18:38:27.000000000 -0400
@@ -22,6 +22,7 @@
* by ksrvutil.) This version supports just enough to be useful.
*/
+#include "k5-label.h"
#include "krb.h"
#include "krb4int.h"
--- krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-06-22 18:38:47.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-06-22 18:38:59.000000000 -0400
@@ -27,6 +27,7 @@
#include <stdio.h>
#include <string.h>
#include <errno.h>
+#include "k5-label.h"
#include "krb.h"
#include <fcntl.h>
#include <sys/stat.h>
--- krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-06-22 18:39:39.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-06-22 18:39:49.000000000 -0400
@@ -24,6 +24,7 @@
* or implied warranty.
*/
+#include "k5-label.h"
#include "krb.h"
#include <stdio.h>
#include <string.h>
--- krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-06-22 18:51:34.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-06-22 18:52:21.000000000 -0400
@@ -22,6 +22,7 @@
#include "com_err.h"
#include "libpty.h"
+#include "k5-label.h"
#include "pty-int.h"
/*
--- krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-06-22 18:51:55.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-06-22 18:52:15.000000000 -0400
@@ -21,6 +21,7 @@
#include "com_err.h"
#include "libpty.h"
+#include "k5-label.h"
#include "pty-int.h"
/*
--- krb5-1.6.1/src/appl/libpty/open_slave.c 2007-06-22 18:51:44.000000000 -0400
+++ krb5-1.6.1/src/appl/libpty/open_slave.c 2007-06-22 18:52:18.000000000 -0400
@@ -23,6 +23,7 @@
#include "com_err.h"
#include "libpty.h"
+#include "k5-label.h"
#include "pty-int.h"
long
--- krb5-1.6.1/src/appl/bsd/krcp.c 2007-06-22 18:53:09.000000000 -0400
+++ krb5-1.6.1/src/appl/bsd/krcp.c 2007-06-22 18:53:32.000000000 -0400
@@ -68,6 +68,7 @@ char copyright[] =
#include <sys/wait.h>
#ifdef KERBEROS
+#include <k5-label.h>
#include <krb5.h>
#include <k5-util.h>
#include <com_err.h>
--- krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-06-22 18:54:02.000000000 -0400
+++ krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-06-22 18:54:14.000000000 -0400
@@ -36,6 +36,7 @@ static char sccsid[] = "@(#)rcp.c 5.10 (
* rcp
*/
#ifdef KERBEROS
+#include <k5-label.h>
#include <krb5.h>
#include <com_err.h>
#include <k5-util.h>
--- krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-06-22 18:54:42.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-06-22 18:54:52.000000000 -0400
@@ -80,6 +80,7 @@ struct socket_security ss;
#include "fake-addrinfo.h"
#ifdef KRB5
+#include "k5-label.h"
#include "krb5.h"
#endif
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-06-22 18:40:19.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-06-22 18:40:35.000000000 -0400
@@ -58,6 +58,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include <string.h>
#include <unistd.h>
+#include "k5-label.h"
#include "db-int.h"
#include "btree.h"
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-06-22 18:41:03.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-06-22 18:41:11.000000000 -0400
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
+#include "k5-label.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
--- krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-06-22 18:41:25.000000000 -0400
+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-06-22 18:41:35.000000000 -0400
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8
#include <stdio.h>
#include <unistd.h>
+#include "k5-label.h"
#include "db-int.h"
#include "recno.h"
--- krb5-1.6.1/src/lib/krb4/log.c 2007-06-22 19:10:22.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/log.c 2007-06-22 19:10:30.000000000 -0400
@@ -30,6 +30,7 @@
krb_set_logfile, or change all the invokers. */
#endif
+#include "k5-label.h"
#include "krb.h"
#include "autoconf.h"
#ifdef HAVE_TIME_H
--- krb5-1.6.1/src/lib/krb4/kuserok.c 2007-06-22 19:10:45.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/kuserok.c 2007-06-22 19:10:58.000000000 -0400
@@ -27,6 +27,7 @@
* access to a local account
*/
+#include "k5-label.h"
#include "krb.h"
#if !defined(_WIN32)
--- krb5-1.6.1/src/lib/krb4/klog.c 2007-06-22 19:10:10.000000000 -0400
+++ krb5-1.6.1/src/lib/krb4/klog.c 2007-06-22 19:10:18.000000000 -0400
@@ -24,6 +24,7 @@
* or implied warranty.
*/
+#include "k5-label.h"
#include "krb.h"
#include "autoconf.h"
#ifdef HAVE_TIME_H
--- krb5-1.6.1/src/util/profile/prof_file.c 2007-06-22 19:15:23.000000000 -0400
+++ krb5-1.6.1/src/util/profile/prof_file.c 2007-06-22 19:15:25.000000000 -0400
@@ -2,6 +2,7 @@
* prof_file.c ---- routines that manipulate an individual profile file.
*/
+#include "k5-label.h"
#include "prof_int.h"
#include <stdio.h>
--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-06-22 19:28:07.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-06-22 19:28:56.000000000 -0400
@@ -70,6 +70,7 @@ static char sccsid[] = "@(#)ftpd.c 5.40
#ifdef HAVE_SHADOW
#include <shadow.h>
#endif
+#include <k5-label.h>
#ifdef USE_PAM
#include "../../bsd/pam.h"
#endif
--- krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-06-24 17:29:48.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-06-24 17:29:56.000000000 -0400
@@ -75,6 +75,7 @@
unsigned char *ucbuf;
static int kerror; /* XXX needed for all auth types */
+#include <k5-label.h>
#ifdef KRB5_KRB4_COMPAT
extern struct sockaddr_in his_addr, ctrl_addr;
#include <krb.h>
--- krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-06-24 17:33:05.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-06-24 17:33:26.000000000 -0400
@@ -70,6 +70,7 @@ static char sccsid[] = "@(#)cmds.c 5.26
#define getwd(x) getcwd(x,MAXPATHLEN)
#endif
+#include <k5-label.h>
#include "ftp_var.h"
#include "pathnames.h"
--- krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-06-24 17:32:03.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-06-24 17:32:27.000000000 -0400
@@ -47,6 +47,7 @@ static char sccsid[] = "@(#)ruserpass.c
#include <ctype.h>
#include <sys/stat.h>
#include <errno.h>
+#include <k5-label.h>
#include "ftp_var.h"
#ifdef _WIN32
--- krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-06-24 17:33:32.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-06-24 17:33:46.000000000 -0400
@@ -124,6 +124,7 @@ int gettimeofday(struct timeval *tv, voi
#define L_INCR 1
#endif
+#include <k5-label.h>
#ifdef KRB5_KRB4_COMPAT
#include <krb.h>
--- krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-06-24 17:32:38.000000000 -0400
+++ krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-06-24 17:32:58.000000000 -0400
@@ -102,6 +102,7 @@ static struct termios ttyo, ttyb;
static struct sgttyb ttyo, ttyb;
#endif
+#include "k5-label.h"
#include "ftp_var.h"
static FILE *fi;
--- krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-06-24 17:37:10.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-06-24 17:38:08.000000000 -0400
@@ -61,6 +61,8 @@
#include <libtelnet/encrypt.h>
#endif
+#include <k5-label.h>
+
FILE *NetTrace = 0; /* Not in bss, since needs to stay */
int prettydump;
--- krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-06-24 17:37:16.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-06-24 17:37:55.000000000 -0400
@@ -70,6 +70,7 @@
#ifdef HAVE_VFORK_H
#include <vfork.h>
#endif
+#include <k5-label.h>
#include <arpa/telnet.h>
--- krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-06-24 17:40:03.000000000 -0400
+++ krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-06-24 17:41:03.000000000 -0400
@@ -102,6 +102,7 @@
#else
#include <strings.h>
#endif
+#include <k5-label.h>
#include "encrypt.h"
#include "auth.h"
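Review bot: In the KRB5_WITH_SELINUX macro that the patch adds to src/aclocal.m4, the `setfscreatecon` probe still runs after the header check has set `withselinux=no` under `auto`, so its failure branch no longer matches `auto` and ends in `AC_MSG_ERROR([Unable to locate libselinux.])`; a host with neither the header nor the library aborts configure instead of building without labeling. If the library is present but the header is not, `SELINUX_LIBS` is still set while `USE_SELINUX` stays undefined, so libkrb5support links libselinux to no effect. Wrapping the block from `LIBS=` through the library check in `if test "$withselinux" != no ; then` … `fi` fixes both cases. With that fix the `auto` default fails open: a missing header yields a successful build whose files are created without the intended context, so a package build that relies on labeling should pass `--with-selinux` so that a missing dependency stops the build.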


@ -206,6 +206,9 @@ installed on systems which are meant provide these services.
%endif
%changelog
* Sat Aug 25 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-4
- cover more cases in labeling files on creation
* Thu Aug 23 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-3
- rebuild