cache the selabel context between uses (dwalsh)

- selinux: hang on to the list of selinux contexts, freeing and reloading
  it only when the file we read it from is modified, freeing it when the
  shared library is being unloaded (#845125)

krb5-1.10.2-selinux-label.patch

@@ -465,7 +465,7 @@ which we used earlier, is some improvement.
  
 --- krb5/src/util/support/selinux.c
 +++ krb5/src/util/support/selinux.c
-@@ -0,0 +1,373 @@
+@@ -0,0 +1,402 @@
 +/*
 + * Copyright 2007,2008,2009,2011,2012 Red Hat, Inc.  All Rights Reserved.
 + *
@@ -504,7 +504,7 @@ which we used earlier, is some improvement.
 +#ifdef USE_SELINUX
 +
 +#include <k5-label.h>
-+#include <k5-thread.h>
++#include <k5-platform.h>
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +#include <errno.h>
@@ -535,15 +535,28 @@ which we used earlier, is some improvement.
 +	k5_mutex_finish_init(&labeled_mutex);
 +}
 +
++#ifdef HAVE_SELINUX_LABEL_H
++static struct selabel_handle *selabel_ctx;
++static time_t selabel_last_changed;
++
++MAKE_FINI_FUNCTION(cleanup_fscreatecon);
++
++static void
++cleanup_fscreatecon(void)
++{
++	if (selabel_ctx != NULL) {
++		selabel_close(selabel_ctx);
++		selabel_ctx = NULL;
++	}
++}
++#endif
++
 +static security_context_t
 +push_fscreatecon(const char *pathname, mode_t mode)
 +{
 +	security_context_t previous, configuredsc, currentsc, derivedsc;
 +	context_t current, derived;
 +	const char *fullpath, *currentuser;
-+#ifdef HAVE_SELINUX_LABEL_H
-+	struct selabel_handle *ctx;
-+#endif
 +
 +	previous = NULL;
 +	if (is_selinux_enabled()) {
@@ -584,18 +597,34 @@ which we used earlier, is some improvement.
 +#endif
 +			configuredsc = NULL;
 +#ifdef HAVE_SELINUX_LABEL_H
-+			ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++			if (selabel_ctx != NULL) {
-+			if (ctx != NULL) {
++				const char *cpath;
-+				if (selabel_lookup(ctx, &configuredsc,
++				struct stat st;
++				int i = -1;
++				cpath = selinux_file_context_path();
++				if ((cpath == NULL) ||
++				    ((i = stat(cpath, &st)) != 0) ||
++				    (st.st_mtime != selabel_last_changed)) {
++					selabel_close(selabel_ctx);
++					selabel_ctx = NULL;
++					selabel_last_changed = i ?
++							       time(NULL) :
++							       st.st_mtime;
++				}
++			}
++			if (selabel_ctx == NULL) {
++				selabel_ctx = selabel_open(SELABEL_CTX_FILE,
++							   NULL, 0);
++			}
++			if (selabel_ctx != NULL) {
++				if (selabel_lookup(selabel_ctx, &configuredsc,
 +						   fullpath, mode) != 0) {
-+					selabel_close(ctx);
 +					free(genpath);
 +					if (previous != NULL) {
 +						freecon(previous);
 +					}
 +					return NULL;
 +				}
-+				selabel_close(ctx);
 +			}
 +#else
 +			if (matchpathcon(fullpath, mode, &configuredsc) != 0) {

krb5.spec

@@ -20,7 +20,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.10.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -768,7 +768,12 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
-* Tue Jul 31 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-6
+* Thu Aug  2 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-7
+- selinux: hang on to the list of selinux contexts, freeing and reloading
+  it only when the file we read it from is modified, freeing it when the
+  shared library is being unloaded (#845125)
+
+* Thu Aug  2 2012 Nalin Dahyabhai <nalin@redhat.com> 1.10.2-6
 - go back to not messing with library file paths on Fedora 17: it breaks
   file path dependencies in other packages, and since Fedora 17 is already
   released, breaking that is our fault