Label DIR: ccache directories when we create them

- don't forget to set the SELinux label when creating the directory for
  a DIR: ccache
This commit is contained in:
Nalin Dahyabhai 2013-05-30 09:18:15 -04:00
parent 11a4bca1fa
commit 559c78a30a
2 changed files with 31 additions and 1 deletions

View File

@ -897,6 +897,32 @@ which we used earlier, is some improvement.
if (fd < 0) if (fd < 0)
goto cleanup; goto cleanup;
#ifdef HAVE_CHMOD #ifdef HAVE_CHMOD
@@ -223,10 +232,23 @@
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
krb5_set_error_message(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not "
"exist"), dirname);
--- krb5/src/lib/krb5/os/trace.c --- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c +++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con

View File

@ -30,7 +30,7 @@
Summary: The Kerberos network authentication system Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.11.2 Version: 1.11.2
Release: 8%{?dist} Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead? # Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
Source0: krb5-%{version}.tar.gz Source0: krb5-%{version}.tar.gz
@ -837,6 +837,10 @@ exit 0
%{_sbindir}/uuserver %{_sbindir}/uuserver
%changelog %changelog
* Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-9
- don't forget to set the SELinux label when creating the directory for
a DIR: ccache
* Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-8 * Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-8
- pull in patches from master to not test GSSRPC-over-UDP and to not - pull in patches from master to not test GSSRPC-over-UDP and to not
depend on the portmapper, which are areas where our build systems depend on the portmapper, which are areas where our build systems