* Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear when kadmind starts"). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the "random" port usage.
This commit is contained in:
parent
8c2cea93bb
commit
7029c6670c
@ -0,0 +1,32 @@
|
|||||||
|
From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Greg Hudson <ghudson@mit.edu>
|
||||||
|
Date: Tue, 19 May 2015 10:38:51 -0400
|
||||||
|
Subject: [PATCH] Fix bindresvport_sa port byte swap bug
|
||||||
|
|
||||||
|
The sa_setport() helper handles conversion to network byte order, so
|
||||||
|
bindresvport_sa() should not itself call htons() on the port argument.
|
||||||
|
|
||||||
|
(This bug was introduced in commit
|
||||||
|
0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
|
||||||
|
bindresvport_sa(). It was my fault, not Andreas Schneider's.)
|
||||||
|
|
||||||
|
ticket: 8197 (new)
|
||||||
|
target_version: 1.13.3
|
||||||
|
tags: pullup
|
||||||
|
---
|
||||||
|
src/lib/rpc/bindresvport.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
|
||||||
|
index ccc4d73..a421dd8 100644
|
||||||
|
--- a/src/lib/rpc/bindresvport.c
|
||||||
|
+++ b/src/lib/rpc/bindresvport.c
|
||||||
|
@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
|
||||||
|
res = -1;
|
||||||
|
errno = EADDRINUSE;
|
||||||
|
for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
|
||||||
|
- sa_setport(sa, htons(port++));
|
||||||
|
+ sa_setport(sa, port++);
|
||||||
|
if (port > ENDPORT) {
|
||||||
|
port = STARTPORT;
|
||||||
|
}
|
11
krb5.spec
11
krb5.spec
@ -43,7 +43,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.13.2
|
Version: 1.13.2
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
# - Maybe we should explode from the now-available-to-everybody tarball instead?
|
||||||
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
|
||||||
# - The sources below are stored in a lookaside cache. Upload with
|
# - The sources below are stored in a lookaside cache. Upload with
|
||||||
@ -95,6 +95,7 @@ Patch134: krb5-1.11-kpasswdtest.patch
|
|||||||
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
|
Patch136: krb5-socket_wrapper_eventfd_prototype_mismatch.patch
|
||||||
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
|
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
|
||||||
Patch143: krb5-tests_use_libs_from_build.patch
|
Patch143: krb5-tests_use_libs_from_build.patch
|
||||||
|
Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: http://web.mit.edu/kerberos/www/
|
URL: http://web.mit.edu/kerberos/www/
|
||||||
@ -320,7 +321,8 @@ ln NOTICE LICENSE
|
|||||||
|
|
||||||
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
|
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
|
||||||
%patch143 -p1 -b .krb5-tests_use_libs_from_build
|
%patch143 -p1 -b .krb5-tests_use_libs_from_build
|
||||||
|
%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
|
||||||
|
|
||||||
# Take the execute bit off of documentation.
|
# Take the execute bit off of documentation.
|
||||||
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
|
||||||
|
|
||||||
@ -1011,6 +1013,11 @@ exit 0
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 2 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-2
|
||||||
|
- Add patch to fix Redhat Bug #1227542 ("[SELinux] AVC denials may appear
|
||||||
|
when kadmind starts"). The issue was caused by an unneeded |htons()|
|
||||||
|
which triggered SELinux AVC denials due to the "random" port usage.
|
||||||
|
|
||||||
* Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
|
* Thu May 21 2015 Roland Mainz <rmainz@redhat.com> - 1.13.2-1
|
||||||
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
|
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
|
||||||
the installed shared libraries instead the ones from the build")
|
the installed shared libraries instead the ones from the build")
|
||||||
|
Loading…
Reference in New Issue
Block a user