Label DIR: ccache directories when we create them

- don't forget to set the SELinux label when creating the directory for
  a DIR: ccache

krb5-1.11-selinux-label.patch

@@ -897,6 +897,32 @@ which we used earlier, is some improvement.
      if (fd < 0)
          goto cleanup;
  #ifdef HAVE_CHMOD
+@@ -223,10 +232,23 @@
+ verify_dir(krb5_context context, const char *dirname)
+ {
+     struct stat st;
++    int status;
++#ifdef USE_SELINUX
++    void *selabel;
++#endif
+ 
+     if (stat(dirname, &st) < 0) {
+-        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
+-            return 0;
++        if (errno == ENOENT) {
++#ifdef USE_SELINUX
++            selabel = krb5int_push_fscreatecon_for(dirname);
++#endif
++            status = mkdir(dirname, S_IRWXU);
++#ifdef USE_SELINUX
++            krb5int_pop_fscreatecon(selabel);
++#endif
++            if (status == 0)
++                return 0;
++        }
+         krb5_set_error_message(context, KRB5_FCC_NOFILE,
+                                _("Credential cache directory %s does not "
+                                  "exist"), dirname);
 --- krb5/src/lib/krb5/os/trace.c
 +++ krb5/src/lib/krb5/os/trace.c
 @@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con

krb5.spec

@@ -30,7 +30,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -837,6 +837,10 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-9
+- don't forget to set the SELinux label when creating the directory for
+  a DIR: ccache
+
 * Thu May 30 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.2-8
 - pull in patches from master to not test GSSRPC-over-UDP and to not
   depend on the portmapper, which are areas where our build systems