From 7029c6670c981a4bcfa4633bed917bb6893ce0f7 Mon Sep 17 00:00:00 2001
From: Roland Mainz
Date: Wed, 3 Jun 2015 02:57:20 +0200
Subject: [PATCH] * Tue Jun 2 2015 Roland Mainz - 1.13.2-2 - Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear when kadmind starts"). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the "random" port usage.
---
 ...ap_bug_triggering_selinux_avc_denial.patch | 32 +++++++++++++++++++
 krb5.spec | 11 +++++--
 2 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
diff --git a/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch b/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
new file mode 100644
index 0000000..fc3101f
--- /dev/null
+++ b/krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
@@ -0,0 +1,32 @@
+From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Tue, 19 May 2015 10:38:51 -0400
+Subject: [PATCH] Fix bindresvport_sa port byte swap bug
+
+The sa_setport() helper handles conversion to network byte order, so
+bindresvport_sa() should not itself call htons() on the port argument.
+
+(This bug was introduced in commit
+0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
+bindresvport_sa(). It was my fault, not Andreas Schneider's.)
+
+ticket: 8197 (new)
+target_version: 1.13.3
+tags: pullup
+---
+ src/lib/rpc/bindresvport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
+index ccc4d73..a421dd8 100644
+--- a/src/lib/rpc/bindresvport.c
++++ b/src/lib/rpc/bindresvport.c
+@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
+ res = -1;
+ errno = EADDRINUSE;
+ for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
+- sa_setport(sa, htons(port++));
++ sa_setport(sa, port++);
+ if (port > ENDPORT) {
+ port = STARTPORT;
+ }
diff --git a/krb5.spec b/krb5.spec
index 7bf373a..91f29e9 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -43,7 +43,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.13.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -95,6 +95,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
 Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
 Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
 Patch143: krb5-tests_use_libs_from_build.patch
+Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
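Review bot: Nothing in the added patch file or in the spec pins the corrected behaviour, so a future regression of `sa_setport(sa, port++);` back to a double byte swap would again show up only as SELinux AVC denials rather than as a failing test. The one-line change is correct only if sa_setport() performs the host-to-network conversion itself, which the embedded commit message asserts but this page cannot show; the helper lives outside the embedded hunk in src/lib/rpc and should be checked once when taking the backport. A regression check is cheap: after a successful bind, read the bound address back with getsockname() and `assert(ntohs(port) >= STARTPORT && ntohs(port) <= ENDPORT)`, since with the extra htons() every port in that range lands in the unprivileged high range on little-endian hosts. The enclosing function bindresvport_sa() starts and ends outside the embedded hunk.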
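Review bot: The new `Patch144:` line names a `krb5-1.13.3-…` file while the spec's `Version:` is 1.13.2 and the embedded patch header says `target_version: 1.13.3`, so this is a backport that becomes redundant on the next rebase, and the spec line does not say so. A one-line comment above it, `# Backport of upstream ticket 8197 (bindresvport_sa byte swap); drop when rebasing to 1.13.3`, tells the next maintainer when it can go.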
@@ -320,7 +321,8 @@ ln NOTICE LICENSE
 %patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
 %patch143 -p1 -b .krb5-tests_use_libs_from_build
-
+%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
+
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -1011,6 +1013,11 @@ exit 0
 %changelog
+* Tue Jun 2 2015 Roland Mainz - 1.13.2-2
+- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
+ when kadmind starts"). The issue was caused by an unneeded |htons()|
+ which triggered SELinux AVC denials due to the "random" port usage.
+
 * Thu May 21 2015 Roland Mainz - 1.13.2-1
 - Add fix for RedHat Bug #1164304 ("Upstream unit tests loads the installed shared libraries instead the ones from the build")
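Review bot: The hunk deletes a blank line and adds one back around the new `%patch144` line, so a one-line insertion is recorded as one deletion and two insertions; the original blank most likely carried trailing whitespace, although the collapsed rendering cannot show that. Leaving the existing blank line untouched and inserting only `%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial` directly after the `%patch143` line keeps the history and the diffstat clean. The `%prep` section this belongs to starts and ends outside the hunk.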