From 638efe585fce50302497877892a5411096e0c8d0 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 18 Mar 2008 15:35:39 +0000
Subject: [PATCH] - rework file labeling patch to not depend on fragile preprocessor trickery, in another attempt at fixing #428355 and friends
---
 krb5-1.6.1-selinux-label.patch | 880 --------------------------------
 krb5-1.6.3-selinux-label.patch | 843 +++++++++++++++++++++++++++++++
 krb5.spec | 8 +-
 3 files changed, 849 insertions(+), 882 deletions(-)
 delete mode 100644 krb5-1.6.1-selinux-label.patch
 create mode 100644 krb5-1.6.3-selinux-label.patch
diff --git a/krb5-1.6.1-selinux-label.patch b/krb5-1.6.1-selinux-label.patch
deleted file mode 100644
index fd2a6c1..0000000
--- a/krb5-1.6.1-selinux-label.patch
+++ /dev/null
@@ -1,880 +0,0 @@ -SELinux bases access to files mainly on the domain of the requesting -process and the context applied to the file. - -In many cases, applications needn't be SELinux aware to work properly, -because SELinux can apply a default label to a file based on the label -of the directory in which it's created. - -In the case of files such as /etc/krb5.keytab, however, this isn't -sufficient, as /etc/krb5.keytab will almost always need given a label -which differs from that of /etc/issue or /etc/resolv.conf. - -To give the file the correct label, we can either force a "restorecon" -call to fix a file's label after it's created, or create the file with -the right label, as we do here. - -We now label pretty much *every* file at creation-time. When enabled, -the libkrb5support library depends on libselinux. - ---- krb5-1.6.1/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400 -+++ krb5-1.6.1/src/krb5-config.in 2007-06-22 17:06:27.000000000 -0400 -@@ -39,6 +39,7 @@ LDFLAGS='@LDFLAGS@' - RPATH_FLAG='@RPATH_FLAG@' - PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' - DL_LIB='@DL_LIB@' -+SELINUX_LIBS='@SELINUX_LIBS@' - - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -217,7 +218,7 @@ if test -n "$do_libs"; then - fi - - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - fi - - echo $lib_flags ---- krb5-1.6.1/src/aclocal.m4 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/aclocal.m4 2007-08-24 23:38:41.000000000 -0400 -@@ -102,6 +102,7 @@ - dnl - KRB5_AC_PRAGMA_WEAK_REF - WITH_LDAP -+KRB5_WITH_SELINUX - KRB5_LIB_PARAMS - KRB5_AC_INITFINI - KRB5_AC_ENABLE_THREADS -@@ -1896,3 +1897,50 @@ - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+ -+dnl Use libselinux to set file contexts on newly-created files. 
-+dnl -+AC_DEFUN(KRB5_WITH_SELINUX,[ -+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], -+ withselinux="$withval",withselinux=auto) -+old_LIBS="$LIBS" -+if test "$withselinux" != no ; then -+ AC_MSG_RESULT([checking for libselinux...]) -+ SELINUX_LIBS= -+ AC_CHECK_HEADERS(selinux/selinux.h) -+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xno ; then -+ AC_CHECK_LIB(selinux,setfscreatecon) -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then -+ SELINUX_LIBS="$LIBS" -+ else -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate libselinux.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate libselinux.]) -+ fi -+ fi -+ fi -+ if test "$withselinux" != no ; then -+ AC_MSG_RESULT([Using SELinux.]) -+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) -+ SELINUX_LIBS="$LIBS" -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(SELINUX_LIBS) -+])dnl ---- krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/krcp.c 2007-08-24 23:38:42.000000000 -0400 -@@ -68,6 +68,7 @@ - #include - - #ifdef KERBEROS -+#include - #include - #include - #include ---- krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/v4rcp.c 2007-08-25 02:54:40.000000000 -0400 -@@ -84,6 +84,7 @@ - #ifdef KERBEROS - #include - #include -+#include - - - void sink(int, char **), source(int, char **), ---- krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-25 03:19:01.000000000 -0400 -+++ 
krb5-1.6.1/src/appl/gssftp/ftp/cmds.c 2007-08-24 23:38:42.000000000 -0400 -@@ -70,6 +70,7 @@ - #define getwd(x) getcwd(x,MAXPATHLEN) - #endif - -+#include - #include "ftp_var.h" - #include "pathnames.h" - ---- krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/ftp.c 2007-08-24 23:38:39.000000000 -0400 -@@ -124,6 +124,7 @@ - #define L_INCR 1 - #endif - -+#include - #ifdef KRB5_KRB4_COMPAT - #include - ---- krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/getpass.c 2007-08-24 23:38:39.000000000 -0400 -@@ -102,6 +102,7 @@ - static struct sgttyb ttyo, ttyb; - #endif - -+#include "k5-label.h" - #include "ftp_var.h" - - static FILE *fi; ---- krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftp/ruserpass.c 2007-08-24 23:38:39.000000000 -0400 -@@ -47,6 +47,7 @@ - #include - #include - #include -+#include - #include "ftp_var.h" - - #ifdef _WIN32 ---- krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpcmd.y 2007-08-24 23:38:40.000000000 -0400 -@@ -75,6 +75,7 @@ - unsigned char *ucbuf; - - static int kerror; /* XXX needed for all auth types */ -+#include - #ifdef KRB5_KRB4_COMPAT - extern struct sockaddr_in his_addr, ctrl_addr; - #include ---- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-08-24 23:38:39.000000000 -0400 -@@ -70,6 +70,7 @@ - #ifdef HAVE_SHADOW - #include - #endif -+#include - #ifdef USE_PAM - #include "../../bsd/pam.h" - #endif ---- krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/open_ctty.c 2007-08-25 02:52:08.000000000 -0400 -@@ -22,6 +22,7 @@ - #include "com_err.h" - #include "libpty.h" - #include "pty-int.h" -+#include "k5-label.h" - - /* - * This function will be called twice. 
The first time it will acquire ---- krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/open_slave.c 2007-08-25 02:52:35.000000000 -0400 -@@ -24,6 +24,7 @@ - #include "com_err.h" - #include "libpty.h" - #include "pty-int.h" -+#include "k5-label.h" - - long - pty_open_slave(const char *slave, int *fd) ---- krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/appl/libpty/void_assoc.c 2007-08-25 02:51:32.000000000 -0400 -@@ -23,6 +23,7 @@ - #include "com_err.h" - #include "libpty.h" - #include "pty-int.h" -+#include "k5-label.h" - - /* - * This function gets called to set up the current process as a ---- krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/libtelnet/kerberos.c 2007-08-24 23:38:39.000000000 -0400 -@@ -102,6 +102,7 @@ - #else - #include - #endif -+#include - - #include "encrypt.h" - #include "auth.h" ---- krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnet/commands.c 2007-08-24 23:38:41.000000000 -0400 -@@ -70,6 +70,7 @@ - #ifdef HAVE_VFORK_H - #include - #endif -+#include - - #include - ---- krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnet/utilities.c 2007-08-24 23:38:39.000000000 -0400 -@@ -61,6 +61,8 @@ - #include - #endif - -+#include -+ - FILE *NetTrace = 0; /* Not in bss, since needs to stay */ - int prettydump; - ---- krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/appl/telnet/telnetd/telnetd.c 2007-08-24 23:38:39.000000000 -0400 -@@ -80,6 +80,7 @@ - #include "fake-addrinfo.h" - - #ifdef KRB5 -+#include "k5-label.h" - #include "krb5.h" - #endif - ---- krb5-1.6.1/src/config/pre.in 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/config/pre.in 2007-08-24 23:38:39.000000000 -0400 -@@ -181,6 
+181,7 @@ - CLNTLIBS = @CLNTLIBS@ - CLNTDEPLIBS = @CLNTDEPLIBS@ - PAM_LIBS = @PAM_LIBS@ -+SELINUX_LIBS = @SELINUX_LIBS@ - - INSTALL=@INSTALL@ - INSTALL_STRIP= -@@ -391,7 +392,7 @@ - # HESIOD_LIBS is -lhesiod... - HESIOD_LIBS = @HESIOD_LIBS@ - --KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) - KDB5_LIBS = $(KDB5_LIB) - GSS_LIBS = $(GSS_KRB5_LIB) ---- krb5-1.6.1/src/configure.in 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/configure.in 2007-08-24 23:38:39.000000000 -0400 -@@ -425,6 +425,8 @@ - fi - fi - -+KRB5_WITH_SELINUX -+ - dnl - dnl - dnl check for ANSI stdio, esp "b" option to fopen(). This (unfortunately) ---- krb5-1.6.1/src/include/k5-int.h 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/include/k5-int.h 2007-08-24 23:38:42.000000000 -0400 -@@ -172,6 +172,9 @@ - /* Get error info support. */ - #include "k5-err.h" - -+/* Get file labeling support. */ -+#include "k5-label.h" -+ - /* krb5/krb5.h includes many other .h files in the krb5 subdirectory. - The ones that it doesn't include, we include below. */ - ---- krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400 -@@ -0,0 +1,39 @@ -+#ifndef _KRB5_LABEL_H -+#define _KRB5_LABEL_H -+/* Wrapper functions which help us create files and directories with the right -+ * context labels. 
*/ -+#ifdef USE_SELINUX -+#include -+#include -+#include -+#include -+#include -+FILE *krb5int_labeled_fopen(const char *path, const char *mode); -+int krb5int_labeled_creat(const char *path, mode_t mode); -+int krb5int_labeled_open(const char *path, int flags, ...); -+int krb5int_labeled_mkdir(const char *path, mode_t mode); -+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); -+#ifndef USE_SELINUX_UNWRAPPED -+#ifdef fopen -+#undef fopen -+#endif -+#define fopen krb5int_labeled_fopen -+#ifdef open -+#undef open -+#endif -+#define open krb5int_labeled_open -+#ifdef creat -+#undef creat -+#endif -+#define creat krb5int_labeled_creat -+#ifdef mkdir -+#undef mkdir -+#endif -+#define mkdir krb5int_labeled_mkdir -+#ifdef mknod -+#undef mknod -+#endif -+#define mknod krb5int_labeled_mknod -+#endif -+#endif -+#endif ---- krb5-1.6.1/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500 -+++ krb5-1.6.1/src/kadmin/dbutil/dump.c 2007-08-25 02:58:26.000000000 -0400 -@@ -37,6 +37,7 @@ - #if defined(HAVE_REGEX_H) && defined(HAVE_REGCOMP) - #include - #endif /* HAVE_REGEX_H */ -+#include - - /* - * Needed for master key conversion. 
---- krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/lib/kadm5/srv/server_dict.c 2007-08-25 03:05:12.000000000 -0400 -@@ -24,6 +24,7 @@ - #include "adm_proto.h" - #include - #include "server_internal.h" -+#include - - static char **word_list = NULL; /* list of word pointers */ - static char *word_block = NULL; /* actual word data */ ---- krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/dest_tkt.c 2007-08-25 03:02:01.000000000 -0400 -@@ -40,6 +40,7 @@ - #include - #endif - #include -+#include "k5-label.h" - - #ifndef O_SYNC - #define O_SYNC 0 ---- krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/in_tkt.c 2007-08-25 03:03:01.000000000 -0400 -@@ -37,6 +37,7 @@ - #ifdef HAVE_UNISTD_H - #include - #endif -+#include "k5-label.h" - - extern int krb_debug; - ---- krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/klog.c 2007-08-25 03:03:28.000000000 -0400 -@@ -36,6 +36,7 @@ - - #include "krb4int.h" - #include -+#include "k5-label.h" - - static char *log_name = KRBLOG; - static char logtxt[1000]; ---- krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/kuserok.c 2007-08-25 03:03:16.000000000 -0400 -@@ -45,6 +45,7 @@ - /* just for F_OK for sco */ - #include - #endif -+#include "k5-label.h" - - #ifndef HAVE_SETEUID - #ifdef HAVE_SETRESUID ---- krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/log.c 2007-08-25 03:02:32.000000000 -0400 -@@ -43,6 +43,7 @@ - - #include "krb4int.h" - #include -+#include "k5-label.h" - - static char *log_name = KRBLOG; - #if 0 ---- krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/Makefile.in 2007-08-24 23:38:39.000000000 -0400 -@@ -25,7 +25,7 @@ - $(TOPLIBD)/libdes425$(SHLIBEXT) \ - 
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) --SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -+SHLIB_EXPLIBS=-lkrb5 -lcom_err -ldes425 -lk5crypto -l$(SUPPORT_LIBNAME) $(SELINUX_LIBS) - SHLIB_DIRS=-L$(TOPLIBD) - SHLIB_RDIRS=$(KRB5_LIBDIR) - ---- krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/lib/krb4/put_svc_key.c 2007-08-25 03:02:47.000000000 -0400 -@@ -32,6 +32,7 @@ - #ifdef HAVE_UNISTD_H - #include - #endif -+#include "k5-label.h" - - #define KEYSZ sizeof(C_Block) - /* strict put_svc_key. ---- krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2004-02-24 16:07:22.000000000 -0500 -+++ krb5-1.6.1/src/lib/krb4/rd_svc_key.c 2007-08-25 03:04:01.000000000 -0400 -@@ -9,6 +9,7 @@ - */ - - #include "mit-copyright.h" -+#include "autoconf.h" - #include "krb.h" - #include "krb4int.h" - #include ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2000-07-02 23:43:42.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2007-09-06 12:36:18.000000000 -0400 -@@ -60,6 +60,7 @@ - - #include "db-int.h" - #include "btree.h" -+#include "k5-label.h" - - #ifdef DEBUG - #undef MINPSIZE ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/configure.in 2007-08-24 23:38:41.000000000 -0400 -@@ -89,6 +89,8 @@ - AC_DEFINE(strerror, kdb2__strerror,[Define to \`kdb2__strerror' to provide private strerror function])]) - AC_SUBST(STRERROR_OBJ) - -+LDFLAGS="$LDFLAGS $SELINUX_LIBS" -+ - KRB5_BUILD_LIBRARY - KRB5_BUILD_LIBOBJS - KRB5_BUILD_PROGRAM ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2006-06-14 22:35:44.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/hash/hash.c 2007-09-06 12:37:15.000000000 -0400 -@@ -55,6 +55,7 @@ - #include "hash.h" - #include "page.h" - #include "extern.h" -+#include "k5-label.h" - - static int32_t flush_meta __P((HTAB *)); - static int32_t hash_access __P((HTAB *, ACTION, const DBT 
*, DBT *)); ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-04-20 19:39:29.000000000 -0400 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/include/config.h.in 2007-08-24 23:44:21.000000000 -0400 -@@ -39,6 +39,9 @@ - /* Define to 1 if you have the `resolv' library (-lresolv). */ - #undef HAVE_LIBRESOLV - -+/* Define to 1 if you have the `selinux' library (-lselinux). */ -+#undef HAVE_LIBSELINUX -+ - /* Define to 1 if you have the `socket' library (-lsocket). */ - #undef HAVE_LIBSOCKET - -@@ -87,6 +90,12 @@ - /* Define to 1 if you have the `res_search' function */ - #undef HAVE_RES_SEARCH - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_SELINUX_H -+ -+/* Define to 1 if you have the `setfscreatecon' function. */ -+#undef HAVE_SETFSCREATECON -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_STDINT_H - -@@ -163,6 +172,10 @@ - /* Define if link-time options for library initialization will be used */ - #undef USE_LINKER_INIT_OPTION - -+/* Define if Kerberos-aware tools should set SELinux file contexts when -+ creating files. */ -+#undef USE_SELINUX -+ - /* Define to empty if `const' does not conform to ANSI C. */ - #undef const - ---- krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 1998-01-21 11:33:31.000000000 -0500 -+++ krb5-1.6.1/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2007-09-06 12:36:52.000000000 -0400 -@@ -53,6 +53,7 @@ - - #include "db-int.h" - #include "recno.h" -+#include "k5-label.h" - - DB * - __rec_open(fname, flags, mode, openinfo, dflags) ---- krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-04-20 19:39:45.000000000 -0400 -+++ krb5-1.6.1/src/plugins/preauth/cksum_body/config.h.in 2007-08-24 23:46:17.000000000 -0400 -@@ -39,6 +39,9 @@ - /* Define to 1 if you have the `resolv' library (-lresolv). */ - #undef HAVE_LIBRESOLV - -+/* Define to 1 if you have the `selinux' library (-lselinux). */ -+#undef HAVE_LIBSELINUX -+ - /* Define to 1 if you have the `socket' library (-lsocket). 
*/ - #undef HAVE_LIBSOCKET - -@@ -84,6 +87,12 @@ - /* Define to 1 if you have the `res_search' function */ - #undef HAVE_RES_SEARCH - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_SELINUX_H -+ -+/* Define to 1 if you have the `setfscreatecon' function. */ -+#undef HAVE_SETFSCREATECON -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_STDINT_H - -@@ -154,5 +163,9 @@ - /* Define if link-time options for library initialization will be used */ - #undef USE_LINKER_INIT_OPTION - -+/* Define if Kerberos-aware tools should set SELinux file contexts when -+ creating files. */ -+#undef USE_SELINUX -+ - /* Define to empty if `const' does not conform to ANSI C. */ - #undef const ---- krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-04-20 19:39:37.000000000 -0400 -+++ krb5-1.6.1/src/plugins/preauth/wpse/config.h.in 2007-08-24 23:47:02.000000000 -0400 -@@ -39,6 +39,9 @@ - /* Define to 1 if you have the `resolv' library (-lresolv). */ - #undef HAVE_LIBRESOLV - -+/* Define to 1 if you have the `selinux' library (-lselinux). */ -+#undef HAVE_LIBSELINUX -+ - /* Define to 1 if you have the `socket' library (-lsocket). */ - #undef HAVE_LIBSOCKET - -@@ -84,6 +87,12 @@ - /* Define to 1 if you have the `res_search' function */ - #undef HAVE_RES_SEARCH - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_SELINUX_H -+ -+/* Define to 1 if you have the `setfscreatecon' function. */ -+#undef HAVE_SETFSCREATECON -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_STDINT_H - -@@ -154,5 +163,9 @@ - /* Define if link-time options for library initialization will be used */ - #undef USE_LINKER_INIT_OPTION - -+/* Define if Kerberos-aware tools should set SELinux file contexts when -+ creating files. */ -+#undef USE_SELINUX -+ - /* Define to empty if `const' does not conform to ANSI C. 
*/ - #undef const ---- krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:19:01.000000000 -0400 -+++ krb5-1.6.1/src/util/profile/prof_file.c 2007-08-25 03:10:03.000000000 -0400 -@@ -29,6 +29,7 @@ - #endif - - #include "k5-platform.h" -+#include "k5-label.h" - - struct global_shared_profile_data { - /* This is the head of the global list of shared trees */ ---- krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/util/support/libkrb5support.exports 2007-08-24 23:38:39.000000000 -0400 -@@ -32,3 +32,6 @@ - krb5int_clear_error - krb5int_set_error_info_callout_fn - krb5int_gmt_mktime -+krb5int_labeled_open -+krb5int_labeled_fopen -+krb5int_labeled_creat ---- krb5-1.6.1/src/util/support/Makefile.in 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/util/support/Makefile.in 2007-08-24 23:38:39.000000000 -0400 -@@ -27,6 +27,7 @@ - - STLIBOBJS= \ - threads.o \ -+ selinux.o \ - init-addrinfo.o \ - plugins.o \ - errors.o \ -@@ -55,7 +56,7 @@ - $(srcdir)/fake-addrinfo.c - SHLIB_EXPDEPS = - # Add -lm if dumping thread stats, for sqrt. --SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) -+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - SHLIB_DIRS= - SHLIB_RDIRS=$(KRB5_LIBDIR) - ---- krb5-1.6.1/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.1/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400 -@@ -0,0 +1,258 @@ -+/* -+ * Copyright 2007 Red Hat, Inc. All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. 
-+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * File-opening wrappers for creating correctly-labeled files. So far, we can -+ * assume that this is Linux-specific, so we make many simplifying assumptions. 
-+ */ -+ -+#include "../../include/autoconf.h" -+ -+#ifdef USE_SELINUX -+#define USE_SELINUX_UNWRAPPED -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* #define DEBUG 1 */ -+ -+static pthread_mutex_t labeled_lock = PTHREAD_MUTEX_INITIALIZER; -+ -+static security_context_t -+push_fscreatecon(const char *pathname, mode_t mode) -+{ -+ security_context_t previous, next; -+ const char *fullpath; -+ -+ previous = NULL; -+ if (is_selinux_enabled()) { -+ if (getfscreatecon(&previous) == 0) { -+ char *genpath; -+ genpath = NULL; -+ if (pathname[0] != '/') { -+ char *wd; -+ size_t len; -+ len = 0; -+ wd = getcwd(NULL, len); -+ if (wd == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ len = strlen(wd) + 1 + strlen(pathname) + 1; -+ genpath = malloc(len); -+ if (genpath == NULL) { -+ free(wd); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ sprintf(genpath, "%s/%s", wd, pathname); -+ free(wd); -+ fullpath = genpath; -+ } else { -+ fullpath = pathname; -+ } -+ next = NULL; -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Looking up context for " -+ "\"%s\"(%05o).\n", fullpath, mode); -+ } -+#endif -+ if (matchpathcon(fullpath, mode, &next) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ free(genpath); -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Setting file creation context " -+ "to \"%s\".\n", next); -+ } -+#endif -+ if (setfscreatecon(next) != 0) { -+ freecon(next); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+#ifdef DEBUG -+ } else { -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Unable to determine " -+ "current context.\n"); -+ } -+#endif -+ } -+ } -+ return previous; -+} -+ -+static void -+pop_fscreatecon(security_context_t previous) -+{ -+ if (is_selinux_enabled()) { 
-+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ if (previous != NULL) { -+ fprintf(stderr, "Resetting file creation " -+ "context to \"%s\".\n", previous); -+ } else { -+ fprintf(stderr, "Resetting file creation " -+ "context to default.\n"); -+ } -+ } -+#endif -+ setfscreatecon(previous); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ } -+} -+ -+FILE * -+krb5int_labeled_fopen(const char *path, const char *mode) -+{ -+ FILE *fp; -+ int errno_save; -+ security_context_t ctx; -+ -+ pthread_mutex_lock(&labeled_lock); -+ ctx = push_fscreatecon(path, 0); -+ fp = fopen(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ pthread_mutex_unlock(&labeled_lock); -+ -+ errno = errno_save; -+ return fp; -+} -+ -+int -+krb5int_labeled_creat(const char *path, mode_t mode) -+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ -+ pthread_mutex_lock(&labeled_lock); -+ ctx = push_fscreatecon(path, 0); -+ fd = creat(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ pthread_mutex_unlock(&labeled_lock); -+ -+ errno = errno_save; -+ return fd; -+} -+ -+int -+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ pthread_mutex_lock(&labeled_lock); -+ ctx = push_fscreatecon(path, mode); -+ ret = mknod(path, mode, dev); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ pthread_mutex_unlock(&labeled_lock); -+ -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_mkdir(const char *path, mode_t mode) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ pthread_mutex_lock(&labeled_lock); -+ ctx = push_fscreatecon(path, S_IFDIR); -+ ret = mkdir(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ pthread_mutex_unlock(&labeled_lock); -+ -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_open(const char *path, int flags, ...) 
-+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+ mode_t mode;
-+ va_list ap;
-+
-+ if (flags & O_CREAT) {
-+ pthread_mutex_unlock(&labeled_lock);
-+ } else {
-+ return open(path, flags);
-+ }
-+
-+ pthread_mutex_lock(&labeled_lock);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ va_start(ap, flags);
-+ mode = va_arg(ap, mode_t);
-+ fd = open(path, flags, mode);
-+ va_end(ap);
-+
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
-+ return fd;
-+}
-+
-+#endif
diff --git a/krb5-1.6.3-selinux-label.patch b/krb5-1.6.3-selinux-label.patch
new file mode 100644
index 0000000..361be8b
--- /dev/null
+++ b/krb5-1.6.3-selinux-label.patch
@@ -0,0 +1,843 @@ +SELinux bases access to files mainly on the domain of the requesting +process and the context applied to the file. + +In many cases, applications needn't be SELinux aware to work properly, +because SELinux can apply a default label to a file based on the label +of the directory in which it's created. + +In the case of files such as /etc/krb5.keytab, however, this isn't +sufficient, as /etc/krb5.keytab will almost always need given a label +which differs from that of /etc/issue or /etc/resolv.conf. + +To give the file the correct label, we can either force a "restorecon" +call to fix a file's label after it's created, or create the file with +the right label, as we do here. We lean on THREEPARAMOPEN and define a +similar macro named WRITABLEFOPEN with which we replace several uses of +fopen(). + +diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4 +--- krb5-1.6.3/src/aclocal.m4 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/aclocal.m4 2008-03-06 17:31:21.000000000 -0500 +@@ -102,6 +102,7 @@ + dnl + KRB5_AC_PRAGMA_WEAK_REF + WITH_LDAP ++KRB5_WITH_SELINUX + KRB5_LIB_PARAMS + KRB5_AC_INITFINI + KRB5_AC_ENABLE_THREADS +@@ -1902,3 +1903,50 @@ + AC_SUBST(PAM_MAN) + AC_SUBST(NON_PAM_MAN) + ])dnl ++dnl ++dnl Use libselinux to set file contexts on newly-created files. 
++dnl ++AC_DEFUN(KRB5_WITH_SELINUX,[ ++AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], ++ withselinux="$withval",withselinux=auto) ++old_LIBS="$LIBS" ++if test "$withselinux" != no ; then ++ AC_MSG_RESULT([checking for libselinux...]) ++ SELINUX_LIBS= ++ AC_CHECK_HEADERS(selinux/selinux.h) ++ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) ++ fi ++ fi ++ ++ LIBS= ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon) ++ if test "x$ac_cv_func_setfscreatecon" = xno ; then ++ AC_CHECK_LIB(selinux,setfscreatecon) ++ unset ac_cv_func_setfscreatecon ++ AC_CHECK_FUNCS(setfscreatecon) ++ if test "x$ac_cv_func_setfscreatecon" = xyes ; then ++ SELINUX_LIBS="$LIBS" ++ else ++ if test "$withselinux" = auto ; then ++ AC_MSG_RESULT([Unable to locate libselinux.]) ++ withselinux=no ++ else ++ AC_MSG_ERROR([Unable to locate libselinux.]) ++ fi ++ fi ++ fi ++ if test "$withselinux" != no ; then ++ AC_MSG_RESULT([Using SELinux.]) ++ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) ++ SELINUX_LIBS="$LIBS" ++ fi ++fi ++LIBS="$old_LIBS" ++AC_SUBST(SELINUX_LIBS) ++])dnl +diff -ur krb5-1.6.3/src/appl/bsd/configure.in krb5-1.6.3/src/appl/bsd/configure.in +--- krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 18:05:45.000000000 -0500 +@@ -25,6 +25,7 @@ + LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" + ))) + KRB5_WITH_PAM ++KRB5_WITH_SELINUX + dnl + dnl Make our operating system-specific security checks and definitions for + dnl login. 
+diff -ur krb5-1.6.3/src/appl/gssftp/configure.in krb5-1.6.3/src/appl/gssftp/configure.in +--- krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 18:08:03.000000000 -0500 +@@ -18,6 +18,7 @@ + AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) + AC_CHECK_LIB(crypt,crypt) dnl + KRB5_WITH_PAM ++KRB5_WITH_SELINUX + KRB5_AC_LIBUTIL + dnl + dnl copied from appl/bsd/configure.in +diff -ur krb5-1.6.3/src/appl/telnet/configure.in krb5-1.6.3/src/appl/telnet/configure.in +--- krb5-1.6.3/src/appl/telnet/configure.in 2006-03-27 23:35:02.000000000 -0500 ++++ krb5-1.6.3/src/appl/telnet/configure.in 2008-03-06 18:08:49.000000000 -0500 +@@ -163,6 +163,7 @@ + if test $krb5_cv_sys_setpgrp_two = yes; then + AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments]) + fi ++KRB5_USE_SELINUX + dnl + KRB5_NEED_PROTO([#include ],unsetenv,1) + dnl KRB5_NEED_PROTO([#include ],setenv,1) +diff -ur krb5-1.6.3/src/config/pre.in krb5-1.6.3/src/config/pre.in +--- krb5-1.6.3/src/config/pre.in 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/config/pre.in 2008-03-06 17:53:07.000000000 -0500 +@@ -181,6 +181,7 @@ + CLNTLIBS = @CLNTLIBS@ + CLNTDEPLIBS = @CLNTDEPLIBS@ + PAM_LIBS = @PAM_LIBS@ ++SELINUX_LIBS=@SELINUX_LIBS@ + + INSTALL=@INSTALL@ + INSTALL_STRIP= +@@ -391,7 +392,7 @@ + # HESIOD_LIBS is -lhesiod... 
+ HESIOD_LIBS = @HESIOD_LIBS@ + +-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) ++KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) + KDB5_LIBS = $(KDB5_LIB) + GSS_LIBS = $(GSS_KRB5_LIB) +diff -ur krb5-1.6.3/src/configure.in krb5-1.6.3/src/configure.in +--- krb5-1.6.3/src/configure.in 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/configure.in 2008-03-06 17:39:53.000000000 -0500 +@@ -945,6 +945,8 @@ + + KRB5_WITH_PAM + ++KRB5_WITH_SELINUX ++ + AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + + mansysconfdir=$sysconfdir +diff -ur krb5-1.6.3/src/include/autoconf.h.in krb5-1.6.3/src/include/autoconf.h.in +--- krb5-1.6.3/src/include/autoconf.h.in 2007-10-21 23:35:17.000000000 -0400 ++++ krb5-1.6.3/src/include/autoconf.h.in 2008-03-06 17:39:13.000000000 -0500 +@@ -358,6 +358,9 @@ + /* Define to 1 if you have the `sched_yield' function. */ + #undef HAVE_SCHED_YIELD + ++/* Define to 1 if you have the header file. */ ++#undef HAVE_SELINUX_SELINUX_H ++ + /* Define to 1 if you have the header file. */ + #undef HAVE_SEMAPHORE_H + +@@ -370,6 +373,9 @@ + /* Define to 1 if you have the `setegid' function. */ + #undef HAVE_SETEGID + ++/* Define to 1 if you have the `setfscreatecon' function. */ ++#undef HAVE_SETFSCREATECON ++ + /* Define to 1 if you have the `setenv' function. */ + #undef HAVE_SETENV + +@@ -695,6 +701,10 @@ + /* Define if the KDC should use a replay cache */ + #undef USE_RCACHE + ++/* Define if Kerberos-aware tools should set SELinux file contexts when ++ creating files. 
*/ ++#undef USE_SELINUX ++ + /* Define if sigprocmask should be used */ + #undef USE_SIGPROCMASK + +diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h +--- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400 ++++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500 +@@ -128,6 +128,20 @@ + typedef UINT64_TYPE krb5_ui_8; + typedef INT64_TYPE krb5_int64; + ++#include "k5-platform.h" ++ ++#ifdef THREEPARAMOPEN ++#undef THREEPARAMOPEN ++#endif ++ ++#ifdef USE_SELINUX ++#include "k5-label.h" ++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) ++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) ++#else ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#define THREEPARAMOPEN(x,y,z) open(x,y,z) ++#endif + + #define DEFAULT_PWD_STRING1 "Enter password" + #define DEFAULT_PWD_STRING2 "Re-enter password for verification" +diff -ur krb5-1.6.3/src/include/krb5/krb5.hin krb5-1.6.3/src/include/krb5/krb5.hin +--- krb5-1.6.3/src/include/krb5/krb5.hin 2007-09-17 23:36:09.000000000 -0400 ++++ krb5-1.6.3/src/include/krb5/krb5.hin 2008-03-06 18:17:29.000000000 -0500 +@@ -91,6 +91,12 @@ + #define THREEPARAMOPEN(x,y,z) open(x,y,z) + #endif + ++#if KRB5_PRIVATE ++#ifndef WRITABLEFOPEN ++#define WRITABLEFOPEN(x,y) fopen(x,y) ++#endif ++#endif ++ + #define KRB5_OLD_CRYPTO + + #include +diff -ur krb5-1.6.3/src/kadmin/dbutil/dump.c krb5-1.6.3/src/kadmin/dbutil/dump.c +--- krb5-1.6.3/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500 ++++ krb5-1.6.3/src/kadmin/dbutil/dump.c 2008-03-06 18:33:44.000000000 -0500 +@@ -1148,7 +1148,7 @@ + * want to get into. 
+ */ + unlink(ofile); +- if (!(f = fopen(ofile, "w"))) { ++ if (!(f = WRITABLEFOPEN(ofile, "w"))) { + fprintf(stderr, ofopen_error, + programname, ofile, error_message(errno)); + exit_status++; +diff -ur krb5-1.6.3/src/kadmin/dbutil/dumpv4.c krb5-1.6.3/src/kadmin/dbutil/dumpv4.c +--- krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2002-11-05 19:42:57.000000000 -0500 ++++ krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2008-03-06 18:33:50.000000000 -0500 +@@ -324,7 +324,7 @@ + * want to get into. + */ + unlink(outname); +- if (!(f = fopen(outname, "w"))) { ++ if (!(f = WRITABLEFOPEN(outname, "w"))) { + com_err(argv[0], errno, + "While opening file %s for writing", outname); + exit_status++; +diff -ur krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c +--- krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2005-10-12 16:48:36.000000000 -0400 ++++ krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2008-03-06 18:34:19.000000000 -0500 +@@ -520,7 +520,7 @@ + umask(0077); /*Changing umask for all of ktutil is OK + * We don't ever write out anything that should use + * default umask.*/ +- fp = fopen(name, "w"); ++ fp = WRITABLEFOPEN(name, "w"); + if (!fp) { + retval = EIO; + goto free_pruned; +diff -ur krb5-1.6.3/src/krb5-config.in krb5-1.6.3/src/krb5-config.in +--- krb5-1.6.3/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400 ++++ krb5-1.6.3/src/krb5-config.in 2008-03-06 17:29:57.000000000 -0500 +@@ -39,6 +39,7 @@ + RPATH_FLAG='@RPATH_FLAG@' + PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' + DL_LIB='@DL_LIB@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -217,7 +218,7 @@ + fi + + if test $library = 'krb5'; then +- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" ++ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + fi + + echo $lib_flags +diff -ur krb5-1.6.3/src/lib/kadm5/logger.c krb5-1.6.3/src/lib/kadm5/logger.c +--- krb5-1.6.3/src/lib/kadm5/logger.c 2007-04-04 17:08:05.000000000 -0400 
++++ krb5-1.6.3/src/lib/kadm5/logger.c 2008-03-06 18:30:32.000000000 -0500 +@@ -425,7 +425,7 @@ + * Check for append/overwrite, then open the file. + */ + if (cp[4] == ':' || cp[4] == '=') { +- f = fopen(&cp[5], (cp[4] == ':') ? "a+" : "w"); ++ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a+" : "w"); + if (f) { + log_control.log_entries[i].lfu_filep = f; + log_control.log_entries[i].log_type = K_LOG_FILE; +@@ -959,7 +959,7 @@ + * In case the old logfile did not get moved out of the + * way, open for append to prevent squashing the old logs. + */ +- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); ++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); + if (f) { + log_control.log_entries[lindex].lfu_filep = f; + } else { +diff -ur krb5-1.6.3/src/lib/kdb/kdb_default.c krb5-1.6.3/src/lib/kdb/kdb_default.c +--- krb5-1.6.3/src/lib/kdb/kdb_default.c 2006-10-11 22:39:14.000000000 -0400 ++++ krb5-1.6.3/src/lib/kdb/kdb_default.c 2008-03-06 18:31:18.000000000 -0500 +@@ -161,9 +161,9 @@ + oumask = umask(077); + #endif + #ifdef ANSI_STDIO +- if (!(kf = fopen(keyfile, "wb"))) ++ if (!(kf = WRITABLEFOPEN(keyfile, "wb"))) + #else +- if (!(kf = fopen(keyfile, "w"))) ++ if (!(kf = WRITABLEFOPEN(keyfile, "w"))) + #endif + { + int e = errno; +@@ -217,9 +217,9 @@ + defkeyfile[sizeof(defkeyfile) - 1] = '\0'; + + #ifdef ANSI_STDIO +- if (!(kf = fopen((db_args) ? db_args : defkeyfile, "rb"))) ++ if (!(kf = WRITABLEFOPEN((db_args) ? db_args : defkeyfile, "rb"))) + #else +- if (!(kf = fopen((db_args) ? db_args : defkeyfile, "r"))) ++ if (!(kf = WRITABLEFOPEN((db_args) ? db_args : defkeyfile, "r"))) + #endif + return KRB5_KDB_CANTREAD_STORED; + +diff -ur krb5-1.6.3/src/lib/krb4/klog.c krb5-1.6.3/src/lib/krb4/klog.c +--- krb5-1.6.3/src/lib/krb4/klog.c 2006-03-11 17:23:28.000000000 -0500 ++++ krb5-1.6.3/src/lib/krb4/klog.c 2008-03-06 18:48:01.000000000 -0500 +@@ -24,6 +24,7 @@ + * or implied warranty. 
+ */ + ++#include "k5-int.h" + #include "krb.h" + #include "autoconf.h" + #ifdef HAVE_TIME_H +@@ -96,7 +97,7 @@ + if (!logtype_array[type]) + return(logtxt); + +- if ((logfile = fopen(log_name,"a")) == NULL) ++ if ((logfile = WRITABLEFOPEN(log_name,"a")) == NULL) + return(logtxt); + + (void) time(&now); +diff -ur krb5-1.6.3/src/lib/krb4/kparse.c krb5-1.6.3/src/lib/krb4/kparse.c +--- krb5-1.6.3/src/lib/krb4/kparse.c 2006-06-16 02:58:42.000000000 -0400 ++++ krb5-1.6.3/src/lib/krb4/kparse.c 2008-03-06 18:35:18.000000000 -0500 +@@ -583,7 +583,7 @@ + FILE *fp; + + if (--argc) { +- fp = fopen(*++argv,"ra"); ++ fp = WRITABLEOPEN(*++argv,"ra"); + if (fp == (FILE *)NULL) { + fprintf(stderr,"can\'t open \"%s\"\n",*argv); + } +diff -ur krb5-1.6.3/src/lib/krb4/log.c krb5-1.6.3/src/lib/krb4/log.c +--- krb5-1.6.3/src/lib/krb4/log.c 2006-03-11 17:23:28.000000000 -0500 ++++ krb5-1.6.3/src/lib/krb4/log.c 2008-03-06 18:47:49.000000000 -0500 +@@ -30,6 +30,7 @@ + krb_set_logfile, or change all the invokers. */ + #endif + ++#include "k5-int.h" + #include "krb.h" + #include "autoconf.h" + #ifdef HAVE_TIME_H +@@ -79,7 +80,7 @@ + + va_start(args, format); + +- if ((logfile = fopen(log_name,"a")) != NULL) { ++ if ((logfile = WRITABLEFOPEN(log_name,"a")) != NULL) { + (void) time(&now); + tm = localtime(&now); + +diff -ur krb5-1.6.3/src/lib/krb5/keytab/kt_file.c krb5-1.6.3/src/lib/krb5/keytab/kt_file.c +--- krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2007-08-31 17:38:41.000000000 -0400 ++++ krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2008-03-06 18:19:56.000000000 -0500 +@@ -1062,7 +1062,7 @@ + + KTCHECKLOCK(id); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), + (mode == KRB5_LOCKMODE_EXCLUSIVE) ? 
+ fopen_mode_rbplus : fopen_mode_rb); + if (!KTFILEP(id)) { +@@ -1070,7 +1070,7 @@ + /* try making it first time around */ + krb5_create_secure_file(context, KTFILENAME(id)); + errno = 0; +- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); + if (!KTFILEP(id)) + return errno ? errno : EMFILE; + writevno = 1; +diff -ur krb5-1.6.3/src/lib/krb5/keytab/kt_srvtab.c krb5-1.6.3/src/lib/krb5/keytab/kt_srvtab.c +--- krb5-1.6.3/src/lib/krb5/keytab/kt_srvtab.c 2008-03-06 19:04:59.000000000 -0500 ++++ krb5-1.6.3/src/lib/krb5/keytab/kt_srvtab.c 2008-03-06 18:20:11.000000000 -0500 +@@ -408,7 +408,7 @@ + krb5_error_code + krb5_ktsrvint_open(krb5_context context, krb5_keytab id) + { +- KTFILEP(id) = fopen(KTFILENAME(id), READ_MODE); ++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), READ_MODE); + if (!KTFILEP(id)) + return errno; + return 0; +diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c +--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2000-07-02 23:43:42.000000000 -0400 ++++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2008-03-06 18:27:37.000000000 -0500 +@@ -58,6 +58,7 @@ + #include + #include + ++#include + #include "db-int.h" + #include "btree.h" + +@@ -201,7 +202,7 @@ + goto einval; + } + +- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) ++ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + goto err; + + } else { +diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c +--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2006-06-14 22:35:44.000000000 -0400 ++++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2008-03-06 18:29:17.000000000 -0500 +@@ -51,6 +51,7 @@ + #include + #endif + ++#include + #include "db-int.h" + #include "hash.h" + #include "page.h" +@@ -140,7 +141,7 @@ + new_table = 1; + } + if (file) { +- if ((hashp->fp = 
open(file, flags|O_BINARY, mode)) == -1) ++ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) + RETURN_ERROR(errno, error0); + (void)fcntl(hashp->fp, F_SETFD, 1); + } +diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c +--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 1998-01-21 11:33:31.000000000 -0500 ++++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2008-03-06 18:27:01.000000000 -0500 +@@ -51,6 +51,7 @@ + #include + #include + ++#include + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,7 @@ + int rfd, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + /* Create a btree in memory (backed by disk). */ +diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c +--- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400 ++++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500 +@@ -29,6 +29,7 @@ + #endif + + #include "k5-platform.h" ++#include "k5-int.h" + + struct global_shared_profile_data { + /* This is the head of the global list of shared trees */ +@@ -419,7 +420,7 @@ + + errno = 0; + +- f = fopen(new_file, "w"); ++ f = WRITABLEFOPEN(new_file, "w"); + if (!f) { + retval = errno; + if (retval == 0) +diff -ur krb5-1.6.3/src/util/support/libkrb5support.exports krb5-1.6.3/src/util/support/libkrb5support.exports +--- krb5-1.6.3/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400 ++++ krb5-1.6.3/src/util/support/libkrb5support.exports 2008-03-06 17:33:30.000000000 -0500 +@@ -32,3 +32,6 @@ + krb5int_clear_error + krb5int_set_error_info_callout_fn + krb5int_gmt_mktime ++krb5int_labeled_open ++krb5int_labeled_fopen ++krb5int_labeled_creat +diff -ur 
krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Makefile.in +--- krb5-1.6.3/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400 ++++ krb5-1.6.3/src/util/support/Makefile.in 2008-03-06 17:33:30.000000000 -0500 +@@ -27,6 +27,7 @@ + + STLIBOBJS= \ + threads.o \ ++ selinux.o \ + init-addrinfo.o \ + plugins.o \ + errors.o \ +@@ -55,7 +56,7 @@ + $(srcdir)/fake-addrinfo.c + SHLIB_EXPDEPS = + # Add -lm if dumping thread stats, for sqrt. +-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) ++SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) + SHLIB_DIRS= + SHLIB_RDIRS=$(KRB5_LIBDIR) + +--- krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:37.000000000 -0500 ++++ krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:28.000000000 -0500 +@@ -1083,7 +1083,7 @@ + + /* Create a temporary file which contains all the entries except the + entry for the given service dn */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "while deleting entry from file %s", file_name); + goto cleanup; +@@ -1764,7 +1764,7 @@ + + /* TODO: file lock for the service password file */ + /* set password in the file */ +- pfile = fopen(file_name, "r+"); ++ pfile = WRITABLEFOPEN(file_name, "r+"); + if (pfile == NULL) { + com_err(me, errno, "Failed to open file %s", file_name); + goto cleanup; +@@ -1806,7 +1806,7 @@ + sprintf(tmp_file,"%s.%s",file_name,"tmp"); + + omask = umask(077); +- newfile = fopen(tmp_file, "w+"); ++ newfile = WRITABLEFOPEN(tmp_file, "w+"); + umask(omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); +@@ -2031,7 +2031,7 @@ + + /* set password in the file */ + old_mode = umask(0177); +- pfile = fopen(file_name, "a+"); ++ pfile = WRITABLEFOPEN(file_name, "a+"); + if (pfile == NULL) { + com_err(me, errno, "Failed to open file %s: %s", file_name, + strerror (errno)); +@@ -2082,7 +2082,7 @@ + 
sprintf(tmp_file,"%s.%s",file_name,"tmp"); + + omask = umask(077); +- newfile = fopen(tmp_file, "w"); ++ newfile = WRITABLEFOPEN(tmp_file, "w"); + umask (omask); + if (newfile == NULL) { + com_err(me, errno, "Error creating file %s", tmp_file); +--- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400 +@@ -0,0 +1,256 @@ ++/* ++ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions are met: ++ * ++ * Redistributions of source code must retain the above copyright notice, this ++ * list of conditions and the following disclaimer. ++ * ++ * Redistributions in binary form must reproduce the above copyright notice, ++ * this list of conditions and the following disclaimer in the documentation ++ * and/or other materials provided with the distribution. ++ * ++ * Neither the name of Red Hat, Inc. nor the names of its contributors may be ++ * used to endorse or promote products derived from this software without ++ * specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" ++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE ++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR ++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF ++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS ++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN ++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ++ * POSSIBILITY OF SUCH DAMAGE. ++ * ++ * File-opening wrappers for creating correctly-labeled files. So far, we can ++ * assume that this is Linux-specific, so we make many simplifying assumptions. ++ */ ++ ++#include "../../include/autoconf.h" ++ ++#ifdef USE_SELINUX ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* #define DEBUG 1 */ ++ ++static pthread_mutex_t labeled_lock = PTHREAD_MUTEX_INITIALIZER; ++ ++static security_context_t ++push_fscreatecon(const char *pathname, mode_t mode) ++{ ++ security_context_t previous, next; ++ const char *fullpath; ++ ++ previous = NULL; ++ if (is_selinux_enabled()) { ++ if (getfscreatecon(&previous) == 0) { ++ char *genpath; ++ genpath = NULL; ++ if (pathname[0] != '/') { ++ char *wd; ++ size_t len; ++ len = 0; ++ wd = getcwd(NULL, len); ++ if (wd == NULL) { ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ len = strlen(wd) + 1 + strlen(pathname) + 1; ++ genpath = malloc(len); ++ if (genpath == NULL) { ++ free(wd); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ sprintf(genpath, "%s/%s", wd, pathname); ++ free(wd); ++ fullpath = genpath; ++ } else { ++ fullpath = pathname; ++ } ++ next = NULL; ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Looking up context for " ++ "\"%s\"(%05o).\n", fullpath, mode); ++ } ++#endif ++ if 
(matchpathcon(fullpath, mode, &next) != 0) { ++ free(genpath); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ free(genpath); ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Setting file creation context " ++ "to \"%s\".\n", next); ++ } ++#endif ++ if (setfscreatecon(next) != 0) { ++ freecon(next); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ return NULL; ++ } ++ freecon(next); ++#ifdef DEBUG ++ } else { ++ if (isatty(fileno(stderr))) { ++ fprintf(stderr, "Unable to determine " ++ "current context.\n"); ++ } ++#endif ++ } ++ } ++ return previous; ++} ++ ++static void ++pop_fscreatecon(security_context_t previous) ++{ ++ if (is_selinux_enabled()) { ++#ifdef DEBUG ++ if (isatty(fileno(stderr))) { ++ if (previous != NULL) { ++ fprintf(stderr, "Resetting file creation " ++ "context to \"%s\".\n", previous); ++ } else { ++ fprintf(stderr, "Resetting file creation " ++ "context to default.\n"); ++ } ++ } ++#endif ++ setfscreatecon(previous); ++ if (previous != NULL) { ++ freecon(previous); ++ } ++ } ++} ++ ++FILE * ++krb5int_labeled_fopen(const char *path, const char *mode) ++{ ++ FILE *fp; ++ int errno_save; ++ security_context_t ctx; ++ ++ pthread_mutex_lock(&labeled_lock); ++ ctx = push_fscreatecon(path, 0); ++ fp = fopen(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ pthread_mutex_unlock(&labeled_lock); ++ ++ errno = errno_save; ++ return fp; ++} ++ ++int ++krb5int_labeled_creat(const char *path, mode_t mode) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ ++ pthread_mutex_lock(&labeled_lock); ++ ctx = push_fscreatecon(path, 0); ++ fd = creat(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ pthread_mutex_unlock(&labeled_lock); ++ ++ errno = errno_save; ++ return fd; ++} ++ ++int ++krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ pthread_mutex_lock(&labeled_lock); ++ ctx = 
push_fscreatecon(path, mode); ++ ret = mknod(path, mode, dev); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ pthread_mutex_unlock(&labeled_lock); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_mkdir(const char *path, mode_t mode) ++{ ++ int ret; ++ int errno_save; ++ security_context_t ctx; ++ ++ pthread_mutex_lock(&labeled_lock); ++ ctx = push_fscreatecon(path, S_IFDIR); ++ ret = mkdir(path, mode); ++ errno_save = errno; ++ pop_fscreatecon(ctx); ++ pthread_mutex_unlock(&labeled_lock); ++ ++ errno = errno_save; ++ return ret; ++} ++ ++int ++krb5int_labeled_open(const char *path, int flags, ...) ++{ ++ int fd; ++ int errno_save; ++ security_context_t ctx; ++ mode_t mode; ++ va_list ap; ++ ++ if ((flags & O_CREAT) == 0) { ++ return open(path, flags); ++ } ++ ++ pthread_mutex_lock(&labeled_lock); ++ ctx = push_fscreatecon(path, 0); ++ ++ va_start(ap, flags); ++ mode = va_arg(ap, mode_t); ++ fd = open(path, flags, mode); ++ va_end(ap); ++ ++ errno_save = errno; ++ ++ pop_fscreatecon(ctx); ++ pthread_mutex_unlock(&labeled_lock); ++ return fd; ++} ++ ++#endif +--- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400 ++++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400 +@@ -0,0 +1,17 @@ ++#ifndef _KRB5_LABEL_H ++#define _KRB5_LABEL_H ++/* Wrapper functions which help us create files and directories with the right ++ * context labels. */ ++#ifdef USE_SELINUX ++#include ++#include ++#include ++#include ++#include ++FILE *krb5int_labeled_fopen(const char *path, const char *mode); ++int krb5int_labeled_creat(const char *path, mode_t mode); ++int krb5int_labeled_open(const char *path, int flags, ...); ++int krb5int_labeled_mkdir(const char *path, mode_t mode); ++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); ++#endif ++#endif diff --git a/krb5.spec b/krb5.spec index 37ccff1..43dfe89 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -16,7 +16,7 @@ Summary: The Kerberos network authentication system. Name: krb5 Version: 1.6.3 -Release: 8%{?dist} +Release: 9%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.2-signed.tar Source0: krb5-%{version}.tar.gz @@ -88,7 +88,7 @@ Patch59: krb5-trunk-kpasswd_tcp.patch Patch60: krb5-1.6.1-pam.patch Patch61: krb5-trunk-manpaths.patch Patch62: krb5-any-fixup-patch.txt -Patch63: krb5-1.6.1-selinux-label.patch +Patch63: krb5-1.6.3-selinux-label.patch Patch64: krb5-ok-as-delegate.patch Patch68: krb5-trunk-spnego_delegation.patch Patch69: krb5-trunk-seqnum.patch @@ -226,6 +226,10 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog +* Tue Mar 18 2008 Nalin Dahyabhai 1.6.3-9 +- rework file labeling patch to not depend on fragile preprocessor trickery, + in another attempt at fixing #428355 and friends + * Tue Feb 26 2008 Nalin Dahyabhai 1.6.3-8 - ftp: add patch to fix "runique on" case when globbing fixes applied - stop adding a redundant but harmless call to initialize the gssapi internals