Revert "New upstream version: krb5-1.14-alpha1"

This reverts commit 1138991893.
This commit is contained in:
Robbie Harwood (frozencemetery) 2015-10-01 18:33:34 +00:00
parent 5ccfdd171d
commit a89bdde4da
14 changed files with 1755 additions and 35 deletions

3
.gitignore vendored
View File

@ -121,6 +121,3 @@ krb5-1.8.3-pdf.tar.gz
/krb5-1.13.2.tar.gz.asc
/krb5-1.13.2-pdf.pax.xz
/krb5-1.13.2-pdfs.tar
/krb5-1.14-alpha1.tar.gz.asc
/krb5-1.14-alpha1.tar.gz
/krb5-1.14-alpha1-pdfs.tar

View File

@ -0,0 +1,34 @@
A hack: if we're looking at creating a ccache directory directly below
the /run/user/0 directory, and /run/user/0 doesn't exist, try to create
it, too.
--- krb5/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -61,6 +61,8 @@
#include <dirent.h>
+#define ROOT_SPECIAL_DCC_PARENT "/run/user/0"
+
extern const krb5_cc_ops krb5_dcc_ops;
extern const krb5_cc_ops krb5_fcc_ops;
@@ -239,6 +241,18 @@
if (stat(dirname, &st) < 0) {
if (errno == ENOENT) {
+ if (strncmp(dirname, ROOT_SPECIAL_DCC_PARENT "/",
+ sizeof(ROOT_SPECIAL_DCC_PARENT)) == 0 &&
+ stat(ROOT_SPECIAL_DCC_PARENT, &st) < 0 &&
+ errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(ROOT_SPECIAL_DCC_PARENT);
+#endif
+ status = mkdir(ROOT_SPECIAL_DCC_PARENT, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ }
#ifdef USE_SELINUX
selabel = krb5int_push_fscreatecon_for(dirname);
#endif

27
krb5-1.12-api.patch Normal file
View File

@ -0,0 +1,27 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
--- krb5/src/lib/krb5/krb/princ_comp.c
+++ krb5/src/lib/krb5/krb/princ_comp.c
@@ -41,6 +41,10 @@ realm_compare_flags(krb5_context context
const krb5_data *realm1 = &princ1->realm;
const krb5_data *realm2 = &princ2->realm;
+ if (princ1 == NULL || princ2 == NULL)
+ return FALSE;
+ if (realm1 == NULL || realm2 == NULL)
+ return FALSE;
if (realm1->length != realm2->length)
return FALSE;
if (realm1->length == 0)
@@ -92,6 +98,9 @@ krb5_principal_compare_flags(krb5_contex
krb5_principal upn2 = NULL;
krb5_boolean ret = FALSE;
+ if (princ1 == NULL || princ2 == NULL)
+ return FALSE;
+
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
/* Treat UPNs as if they were real principals */
if (princ1->type == KRB5_NT_ENTERPRISE_PRINCIPAL) {

12
krb5-1.12-ksu-path.patch Normal file
View File

@ -0,0 +1,12 @@
Set the default PATH to the one set by login.
--- krb5/src/clients/ksu/Makefile.in
+++ krb5/src/clients/ksu/Makefile.in
@@ -1,6 +1,6 @@
mydir=clients$(S)ksu
BUILDTOP=$(REL)..$(S)..
-DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /local/bin"'
+DEFINES = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/usr/local/sbin /usr/local/bin /sbin /bin /usr/sbin /usr/bin"'
KSU_LIBS=@KSU_LIBS@
PAM_LIBS=@PAM_LIBS@

351
krb5-1.12-ktany.patch Normal file
View File

@ -0,0 +1,351 @@
Adds an "ANY" keytab type which is a list of other keytab locations to search
when searching for a specific entry. When iterated through, it only presents
the contents of the first keytab.
diff -up /dev/null krb5-1.7/src/lib/krb5/keytab/kt_any.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/lib/krb5/keytab/kt_any.c 2009-06-04 13:54:36.000000000 -0400
@@ -0,0 +1,292 @@
+/*
+ * lib/krb5/keytab/kt_any.c
+ *
+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_kta_ops
+ */
+
+#include "k5-int.h"
+
+typedef struct _krb5_ktany_data {
+ char *name;
+ krb5_keytab *choices;
+ int nchoices;
+} krb5_ktany_data;
+
+typedef struct _krb5_ktany_cursor_data {
+ int which;
+ krb5_kt_cursor cursor;
+} krb5_ktany_cursor_data;
+
+static krb5_error_code krb5_ktany_resolve
+ (krb5_context,
+ const char *,
+ krb5_keytab *);
+static krb5_error_code krb5_ktany_get_name
+ (krb5_context context,
+ krb5_keytab id,
+ char *name,
+ unsigned int len);
+static krb5_error_code krb5_ktany_close
+ (krb5_context context,
+ krb5_keytab id);
+static krb5_error_code krb5_ktany_get_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_const_principal principal,
+ krb5_kvno kvno,
+ krb5_enctype enctype,
+ krb5_keytab_entry *entry);
+static krb5_error_code krb5_ktany_start_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursorp);
+static krb5_error_code krb5_ktany_next_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
+ krb5_kt_cursor *cursor);
+static krb5_error_code krb5_ktany_end_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursor);
+static void cleanup
+ (krb5_context context,
+ krb5_ktany_data *data,
+ int nchoices);
+
+struct _krb5_kt_ops krb5_kta_ops = {
+ 0,
+ "ANY", /* Prefix -- this string should not appear anywhere else! */
+ krb5_ktany_resolve,
+ krb5_ktany_get_name,
+ krb5_ktany_close,
+ krb5_ktany_get_entry,
+ krb5_ktany_start_seq_get,
+ krb5_ktany_next_entry,
+ krb5_ktany_end_seq_get,
+ NULL,
+ NULL,
+ NULL,
+};
+
+static krb5_error_code
+krb5_ktany_resolve(context, name, id)
+ krb5_context context;
+ const char *name;
+ krb5_keytab *id;
+{
+ const char *p, *q;
+ char *copy;
+ krb5_error_code kerror;
+ krb5_ktany_data *data;
+ int i;
+
+ /* Allocate space for our data and remember a copy of the name. */
+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL)
+ return(ENOMEM);
+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) {
+ free(data);
+ return(ENOMEM);
+ }
+ strcpy(data->name, name);
+
+ /* Count the number of choices and allocate memory for them. */
+ data->nchoices = 1;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1)
+ data->nchoices++;
+ if ((data->choices = (krb5_keytab *)
+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) {
+ free(data->name);
+ free(data);
+ return(ENOMEM);
+ }
+
+ /* Resolve each of the choices. */
+ i = 0;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) {
+ /* Make a copy of the choice name so we can terminate it. */
+ if ((copy = (char *)malloc(q - p + 1)) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ memcpy(copy, p, q - p);
+ copy[q - p] = 0;
+
+ /* Try resolving the choice name. */
+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]);
+ free(copy);
+ if (kerror) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+ i++;
+ }
+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+
+ /* Allocate and fill in an ID for the caller. */
+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ (*id)->ops = &krb5_kta_ops;
+ (*id)->data = (krb5_pointer)data;
+ (*id)->magic = KV5M_KEYTAB;
+
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_name(context, id, name, len)
+ krb5_context context;
+ krb5_keytab id;
+ char *name;
+ unsigned int len;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ if (len < strlen(data->name) + 1)
+ return(KRB5_KT_NAME_TOOLONG);
+ strcpy(name, data->name);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_close(context, id)
+ krb5_context context;
+ krb5_keytab id;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ cleanup(context, data, data->nchoices);
+ id->ops = 0;
+ free(id);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_const_principal principal;
+ krb5_kvno kvno;
+ krb5_enctype enctype;
+ krb5_keytab_entry *entry;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_error_code kerror = KRB5_KT_NOTFOUND;
+ int i;
+
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal,
+ kvno, enctype, entry)) != ENOENT)
+ return kerror;
+ }
+ return kerror;
+}
+
+static krb5_error_code
+krb5_ktany_start_seq_get(context, id, cursorp)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursorp;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata;
+ krb5_error_code kerror = ENOENT;
+ int i;
+
+ if ((cdata = (krb5_ktany_cursor_data *)
+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL)
+ return(ENOMEM);
+
+ /* Find a choice which can handle the serialization request. */
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i],
+ &cdata->cursor)) == 0)
+ break;
+ else if (kerror != ENOENT) {
+ free(cdata);
+ return(kerror);
+ }
+ }
+
+ if (i == data->nchoices) {
+ /* Everyone returned ENOENT, so no go. */
+ free(cdata);
+ return(kerror);
+ }
+
+ cdata->which = i;
+ *cursorp = (krb5_kt_cursor)cdata;
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_next_entry(context, id, entry, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_keytab_entry *entry;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+
+ choice_id = data->choices[cdata->which];
+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor));
+}
+
+static krb5_error_code
+krb5_ktany_end_seq_get(context, id, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+ krb5_error_code kerror;
+
+ choice_id = data->choices[cdata->which];
+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor);
+ free(cdata);
+ return(kerror);
+}
+
+static void
+cleanup(context, data, nchoices)
+ krb5_context context;
+ krb5_ktany_data *data;
+ int nchoices;
+{
+ int i;
+
+ free(data->name);
+ for (i = 0; i < nchoices; i++)
+ krb5_kt_close(context, data->choices[i]);
+ free(data->choices);
+ free(data);
+}
diff -up krb5-1.7/src/lib/krb5/keytab/ktbase.c krb5-1.7/src/lib/krb5/keytab/ktbase.c
--- krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-02-18 13:18:56.000000000 -0500
+++ krb5-1.7/src/lib/krb5/keytab/ktbase.c 2009-06-04 13:54:36.000000000 -0400
@@ -59,14 +59,19 @@ extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
extern const krb5_kt_ops krb5_mkt_ops;
+extern const krb5_kt_ops krb5_kta_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
const struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_any = {
+ &krb5_kta_ops,
+ NULL
+};
const static struct krb5_kt_typelist krb5_kt_typelist_srvtab = {
&krb5_kts_ops,
- NULL
+ &krb5_kt_typelist_any
};
const static struct krb5_kt_typelist krb5_kt_typelist_memory = {
&krb5_mkt_ops,
diff -up krb5-1.7/src/lib/krb5/keytab/Makefile.in krb5-1.7/src/lib/krb5/keytab/Makefile.in
--- krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-01-05 15:27:53.000000000 -0500
+++ krb5-1.7/src/lib/krb5/keytab/Makefile.in 2009-06-04 13:54:36.000000000 -0400
@@ -19,6 +19,7 @@ STLIBOBJS= \
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_memory.o \
kt_srvtab.o \
@@ -31,6 +32,7 @@ OBJS= \
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_memory.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
@@ -43,6 +45,7 @@ SRCS= \
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_memory.c \
$(srcdir)/kt_srvtab.c \

View File

@ -0,0 +1,63 @@
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. Updated from
original version filed as RT#5891.
diff -up krb5-1.8/src/aclocal.m4.dirsrv-accountlock krb5-1.8/src/aclocal.m4
--- krb5-1.8/src/aclocal.m4.dirsrv-accountlock 2010-03-05 11:03:09.000000000 -0500
+++ krb5-1.8/src/aclocal.m4 2010-03-05 11:03:10.000000000 -0500
@@ -1656,6 +1656,15 @@ if test $with_ldap = yes; then
AC_MSG_NOTICE(enabling OpenLDAP database backend module support)
OPENLDAP_PLUGIN=yes
fi
+AC_ARG_WITH([dirsrv-account-locking],
+[ --with-dirsrv-account-locking compile 389/Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv-account-locking="$withval") ;;
+esac], with_dirsrv_account_locking=no)
+if test $with_dirsrv_account_locking = yes; then
+ AC_DEFINE(HAVE_DIRSRV_ACCOUNT_LOCKING,1,[Define if LDAP KDB interface should heed 389 DS's nsAccountLock attribute.])
+fi
])dnl
dnl
dnl If libkeyutils exists (on Linux) include it and use keyring ccache
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2010-03-05 11:03:10.000000000 -0500
@@ -1546,6 +1546,23 @@ populate_krb5_db_entry(krb5_context cont
ret = krb5_dbe_update_tl_data(context, entry, &userinfo_tl_data);
if (ret)
goto cleanup;
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ ret = krb5_ldap_get_string(ld, ent, "nsAccountLock", &is_login_disabled,
+ &attr_present);
+ if (ret)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
ret = krb5_read_tkt_policy(context, ldap_context, entry, tktpolname);
if (ret)
goto cleanup;
diff -up krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c.dirsrv-accountlock 2009-11-24 18:52:25.000000000 -0500
+++ krb5-1.8/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2010-03-05 11:03:10.000000000 -0500
@@ -59,6 +59,9 @@ char *principal_attributes[] = { "kr
"krbLastFailedAuth",
"krbLoginFailedCount",
"krbLastSuccessfulAuth",
+#ifdef HAVE_DIRSRV_ACCOUNT_LOCKING
+ "nsAccountLock",
+#endif
"krbLastPwdChange",
"krbLastAdminUnlock",
"krbExtraData",

View File

@ -0,0 +1,979 @@
SELinux bases access to files on the domain of the requesting process,
the operation being performed, and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need to be given a
label which differs from that of /etc/issue or /etc/resolv.conf. The
the kdb stash file needs a different label than the database for which
it's holding a master key, even though both typically live in the same
directory.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
the right label, as we attempt to do here. We lean on THREEPARAMOPEN
and define a similar macro named WRITABLEFOPEN with which we replace
several uses of fopen().
The file creation context that we're manipulating here is a process-wide
attribute. While for the most part, applications which need to label
files when they're created have tended to be single-threaded, there's
not much we can do to avoid interfering with an application that
manipulates the creation context directly. Right now we're mediating
access using a library-local mutex, but that can only work for consumers
that are part of this package -- an unsuspecting application will still
stomp all over us.
The selabel APIs for looking up the context should be thread-safe (per
Red Hat #273081), so switching to using them instead of matchpathcon(),
which we used earlier, is some improvement.
--- krb5/src/aclocal.m4
+++ krb5/src/aclocal.m4
@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_NOTICE([building with SELinux labeling support])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
--- krb5/src/config/pre.in
+++ krb5/src/config/pre.in
@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@
KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
LDFLAGS = @LDFLAGS@
LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
# needs fixing if ever used on Mac OS X!
--- krb5/src/configure.in
+++ krb5/src/configure.in
@@ -1053,6 +1053,8 @@ fi
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
# Make localedir work in autoconf 2.5x.
if test "${localedir+set}" != set; then
localedir='$(datadir)/locale'
--- krb5/src/include/k5-int.h
+++ krb5/src/include/k5-int.h
@@ -129,6 +129,7 @@ typedef unsigned char u_char;
#include "k5-platform.h"
+#include "k5-label.h"
#define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
#define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
--- krb5/src/include/k5-label.h
+++ krb5/src/include/k5-label.h
@@ -0,0 +1,32 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+#ifdef WRITABLEFOPEN
+#undef WRITABLEFOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
+void *krb5int_push_fscreatecon_for(const char *pathname);
+void krb5int_pop_fscreatecon(void *previous);
+#else
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
--- krb5/src/include/krb5/krb5.hin
+++ krb5/src/include/krb5/krb5.hin
@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#if KRB5_PRIVATE
+#ifndef WRITABLEFOPEN
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#endif
+#endif
+
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
--- krb5/src/kadmin/dbutil/dump.c
+++ krb5/src/kadmin/dbutil/dump.c
@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname
{
int fd = -1;
FILE *f;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
*tmpname = NULL;
if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)
goto error;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(ofile);
+#endif
fd = mkstemp(*tmpname);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd == -1)
goto error;
@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char
return 0;
}
- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
if (*fd == -1) {
com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
exit_status++;
--- krb5/src/build-tools/krb5-config.in
+++ krb5/src/build-tools/krb5-config.in
@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@'
DEFCCNAME='@DEFCCNAME@'
DEFKTNAME='@DEFKTNAME@'
DEFCKTNAME='@DEFCKTNAME@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -218,7 +219,7 @@
fi
# If we ever support a flag to generate output suitable for static
- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
# here.
echo $lib_flags
--- krb5/src/lib/kadm5/logger.c
+++ krb5/src/lib/kadm5/logger.c
@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");
if (f) {
set_cloexec_file(f);
log_control.log_entries[i].lfu_filep = f;
@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext)
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
set_cloexec_file(f);
log_control.log_entries[lindex].lfu_filep = f;
--- krb5/src/lib/krb5/keytab/kt_file.c
+++ krb5/src/lib/krb5/keytab/kt_file.c
@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context
/* try making it first time around */
k5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
goto report_errno;
writevno = 1;
--- krb5/src/plugins/kdb/db2/adb_openclose.c
+++ krb5/src/plugins/kdb/db2/adb_openclose.c
@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char
* POSIX systems
*/
lockp->lockinfo.filename = strdup(lockfilename);
- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
/*
* maybe someone took away write permission so we could only
* get shared locks?
--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.
#include <string.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo,
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12
#include <assert.h>
#endif
+#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info
new_table = 1;
}
if (file) {
- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
@@ -179,7 +179,7 @@ done:
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, _("Failed to open file %s: %s"), file_name,
strerror (errno));
@@ -220,6 +220,9 @@ done:
* Delete the existing entry and add the new entry
*/
FILE *newfile;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
mode_t omask;
@@ -231,7 +234,13 @@ done:
}
omask = umask(077);
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file_name);
+#endif
newfile = fopen(tmp_file, "w");
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
umask (omask);
if (newfile == NULL) {
com_err(me, errno, _("Error creating file %s"), tmp_file);
--- krb5/src/slave/kpropd.c
+++ krb5/src/slave/kpropd.c
@@ -437,6 +437,9 @@ void doit(fd)
krb5_enctype etype;
int database_fd;
char host[INET6_ADDRSTRLEN + 1];
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
signal_wrapper(SIGALRM, alarm_handler);
alarm(params.iprop_resync_timeout);
@@ -515,9 +518,15 @@ void doit(fd)
free(name);
exit(1);
}
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(file);
+#endif
omask = umask(077);
lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
(void)umask(omask);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
retval = krb5_lock_file(kpropd_context, lock_fd,
KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
if (retval) {
--- krb5/src/util/profile/prof_file.c
+++ krb5/src/util/profile/prof_file.c
@@ -30,6 +30,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
--- krb5/src/util/support/Makefile.in
+++ krb5/src/util/support/Makefile.in
@@ -54,6 +54,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -108,7 +109,7 @@ SRCS=\
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
DEPLIBS=
--- krb5/src/util/support/selinux.c
+++ krb5/src/util/support/selinux.c
@@ -0,0 +1,381 @@
+/*
+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
+
+#include "../../include/autoconf.h"
+
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-platform.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#ifdef HAVE_SELINUX_LABEL_H
+#include <selinux/label.h>
+#endif
+
+/* #define DEBUG 1 */
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+
+/* Make sure we finish initializing that mutex before attempting to use it. */
+k5_once_t labeled_once = K5_ONCE_INIT;
+static void
+label_mutex_init(void)
+{
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+#ifdef HAVE_SELINUX_LABEL_H
+static struct selabel_handle *selabel_ctx;
+static time_t selabel_last_changed;
+
+MAKE_FINI_FUNCTION(cleanup_fscreatecon);
+
+static void
+cleanup_fscreatecon(void)
+{
+ if (selabel_ctx != NULL) {
+ selabel_close(selabel_ctx);
+ selabel_ctx = NULL;
+ }
+}
+#endif
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, configuredsc, currentsc, derivedsc;
+ context_t current, derived;
+ const char *fullpath, *currentuser;
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+ genpath = NULL;
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ if ((selabel_ctx != NULL) ||
+ (selabel_last_changed == 0)) {
+ const char *cpath;
+ struct stat st;
+ int i = -1;
+ cpath = selinux_file_context_path();
+ if ((cpath == NULL) ||
+ ((i = stat(cpath, &st)) != 0) ||
+ (st.st_mtime != selabel_last_changed)) {
+ if (selabel_ctx != NULL) {
+ selabel_close(selabel_ctx);
+ selabel_ctx = NULL;
+ }
+ selabel_last_changed = i ?
+ time(NULL) :
+ st.st_mtime;
+ }
+ }
+ if (selabel_ctx == NULL) {
+ selabel_ctx = selabel_open(SELABEL_CTX_FILE,
+ NULL, 0);
+ }
+ if (selabel_ctx != NULL) {
+ if (selabel_lookup(selabel_ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ }
+#else
+ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+#endif
+ free(genpath);
+ if (configuredsc == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ currentsc = NULL;
+ getcon(&currentsc);
+ if (currentsc != NULL) {
+ derived = context_new(configuredsc);
+ if (derived != NULL) {
+ current = context_new(currentsc);
+ if (current != NULL) {
+ currentuser = context_user_get(current);
+ if (currentuser != NULL) {
+ if (context_user_set(derived,
+ currentuser) == 0) {
+ derivedsc = context_str(derived);
+ if (derivedsc != NULL) {
+ freecon(configuredsc);
+ configuredsc = strdup(derivedsc);
+ }
+ }
+ }
+ context_free(current);
+ }
+ context_free(derived);
+ }
+ freecon(currentsc);
+ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", configuredsc);
+ }
+#endif
+ if (setfscreatecon(configuredsc) != 0) {
+ freecon(configuredsc);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ }
+ }
+#endif
+ setfscreatecon(previous);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+}
+
+void *
+krb5int_push_fscreatecon_for(const char *pathname)
+{
+ struct stat st;
+ void *retval;
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ if (stat(pathname, &st) != 0) {
+ st.st_mode = S_IRUSR | S_IWUSR;
+ }
+ retval = push_fscreatecon(pathname, st.st_mode);
+ return retval ? retval : (void *) -1;
+}
+
+void
+krb5int_pop_fscreatecon(void *con)
+{
+ if (con != NULL) {
+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
+ k5_mutex_unlock(&labeled_mutex);
+ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
+ FILE *fp;
+ int errno_save;
+ security_context_t ctx;
+
+ if ((strcmp(mode, "r") == 0) ||
+ (strcmp(mode, "rb") == 0)) {
+ return fopen(path, mode);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+ mode_t mode;
+ va_list ap;
+
+ if ((flags & O_CREAT) == 0) {
+ return open(path, flags);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ va_end(ap);
+
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ errno = errno_save;
+ return fd;
+}
+
+#endif
--- krb5/src/lib/krb5/rcache/rc_dfl.c
+++ krb5/src/lib/krb5/rcache/rc_dfl.c
@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context
krb5_error_code retval = 0;
krb5_rcache tmp;
krb5_deltat lifespan = t->lifespan; /* save original lifespan */
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (! t->recovering) {
name = t->name;
@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context
retval = krb5_rc_resolve(context, tmp, 0);
if (retval)
goto cleanup;
+#ifdef USE_SELINUX
+ if (t->d.fn != NULL)
+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
+ else
+ selabel = NULL;
+#endif
retval = krb5_rc_initialize(context, tmp, lifespan);
+#ifdef USE_SELINUX
+ if (selabel != NULL)
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (retval)
goto cleanup;
for (q = t->a; q; q = q->na) {
--- krb5/src/lib/krb5/ccache/cc_dir.c
+++ krb5/src/lib/krb5/ccache/cc_dir.c
@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p
char *newpath = NULL;
FILE *fp = NULL;
int fd = -1, status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
return ENOMEM;
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(primary_path);
+#endif
fd = mkstemp(newpath);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
if (fd < 0)
goto cleanup;
#ifdef HAVE_CHMOD
@@ -223,10 +232,23 @@
verify_dir(krb5_context context, const char *dirname)
{
struct stat st;
+ int status;
+#ifdef USE_SELINUX
+ void *selabel;
+#endif
if (stat(dirname, &st) < 0) {
- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
- return 0;
+ if (errno == ENOENT) {
+#ifdef USE_SELINUX
+ selabel = krb5int_push_fscreatecon_for(dirname);
+#endif
+ status = mkdir(dirname, S_IRWXU);
+#ifdef USE_SELINUX
+ krb5int_pop_fscreatecon(selabel);
+#endif
+ if (status == 0)
+ return 0;
+ }
k5_setmsg(context, KRB5_FCC_NOFILE,
_("Credential cache directory %s does not exist"),
dirname);
--- krb5/src/lib/krb5/os/trace.c
+++ krb5/src/lib/krb5/os/trace.c
@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con
fd = malloc(sizeof(*fd));
if (fd == NULL)
return ENOMEM;
- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (*fd == -1) {
free(fd);
return errno;
--- krb5/src/plugins/kdb/db2/kdb_db2.c
+++ krb5/src/plugins/kdb/db2/kdb_db2.c
@@ -683,8 +683,8 @@
if (retval)
return retval;
- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
- 0600);
+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
+ O_CREAT | O_RDWR | O_TRUNC, 0600);
if (dbc->db_lf_file < 0) {
retval = errno;
goto cleanup;
--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,8 @@
int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL &&
+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
--- krb5/src/kdc/main.c
+++ krb5/src/kdc/main.c
@@ -905,7 +905,7 @@ write_pid_file(const char *path)
FILE *file;
unsigned long pid;
- file = fopen(path, "w");
+ file = WRITABLEFOPEN(path, "w");
if (file == NULL)
return errno;
pid = (unsigned long) getpid();
--- krb5/src/lib/kdb/kdb_log.c
+++ krb5/src/lib/kdb/kdb_log.c
@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha
int ulogfd = -1;
if (stat(logname, &st) == -1) {
- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
if (ulogfd == -1)
return errno;
--- krb5/src/util/gss-kernel-lib/Makefile.in
+++ krb5/src/util/gss-kernel-lib/Makefile.in
@@ -60,6 +60,7 @@ HEADERS= \
gssapi_err_generic.h \
k5-int.h \
k5-int-pkinit.h \
+ k5-label.h \
k5-thread.h \
k5-platform.h \
k5-buf.h \
@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_
$(CP) $(GSS_GENERIC)/gssapi_generic.h $@
gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h
$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@
-k5-int.h: $(INCLUDE)/k5-int.h
+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h
$(CP) $(INCLUDE)/k5-int.h $@
k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h
$(CP) $(INCLUDE)/k5-int-pkinit.h $@
+k5-label.h: $(INCLUDE)/k5-label.h
+ $(CP) $(INCLUDE)/k5-label.h $@
k5-thread.h: $(INCLUDE)/k5-thread.h
$(CP) $(INCLUDE)/k5-thread.h $@
k5-platform.h: $(INCLUDE)/k5-platform.h

View File

@ -0,0 +1,32 @@
From 0e65104d521d29664c129c1cf5e918bf54ac055e Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 19 May 2015 10:38:51 -0400
Subject: [PATCH] Fix bindresvport_sa port byte swap bug
The sa_setport() helper handles conversion to network byte order, so
bindresvport_sa() should not itself call htons() on the port argument.
(This bug was introduced in commit
0d04b60d159ab83b943e43802b1449a3b074bc83 when adding
bindresvport_sa(). It was my fault, not Andreas Schneider's.)
ticket: 8197 (new)
target_version: 1.13.3
tags: pullup
---
src/lib/rpc/bindresvport.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c
index ccc4d73..a421dd8 100644
--- a/src/lib/rpc/bindresvport.c
+++ b/src/lib/rpc/bindresvport.c
@@ -76,7 +76,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
res = -1;
errno = EADDRINUSE;
for (i = 0; i < NPORTS && res < 0 && errno == EADDRINUSE; i++) {
- sa_setport(sa, htons(port++));
+ sa_setport(sa, port++);
if (port > ENDPORT) {
port = STARTPORT;
}

View File

@ -0,0 +1,142 @@
From 95c3cab051aa1b8b4f7eb309bf135e8f51665baa Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Sun, 25 Jan 2015 16:53:49 -0500
Subject: [PATCH] Support KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
Add support for multi-hop preauth mechs.
In the KDC, allow kdcpreauth modules to return
KDC_ERR_MORE_PREAUTH_DATA_REQUIRED as defined in RFC 6113.
In libkrb5, treat this code like KDC_ERR_PREAUTH_REQUIRED. clpreauth
modules can use the modreq parameter to distinguish between the first
and subsequent KDC messages. We assume that the error padata will
include an element of the preauth mech's type, or at least of a type
recognized by the clpreauth module.
Also reset the list of previously attempted preauth types for both
kinds of errors. That list is really only appropriate for retrying
after a failed preauth attempt, which we don't currently do. Add an
intermediate variable for the reply code to avoid a long conditional
expression.
[ghudson@mit.edu: adjust get_in_tkt.c logic to avoid needing a helper
function; clarify commit message]
ticket: 8063 (new)
---
doc/plugindev/clpreauth.rst | 6 +++---
src/include/k5-int.h | 1 +
src/kdc/kdc_preauth.c | 2 ++
src/lib/krb5/error_tables/krb5_err.et | 2 +-
src/lib/krb5/krb/get_in_tkt.c | 13 ++++++++-----
5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/doc/plugindev/clpreauth.rst b/doc/plugindev/clpreauth.rst
index c3e7298..38aa52e 100644
--- a/doc/plugindev/clpreauth.rst
+++ b/doc/plugindev/clpreauth.rst
@@ -21,9 +21,9 @@ A clpreauth module is generally responsible for:
just returns ``PA_REAL``, indicating that it implements a normal
preauthentication type.
-* Examining the padata information included in the preauth_required
- error and producing padata values for the next AS request. This is
- done with the **process** method.
+* Examining the padata information included in a PREAUTH_REQUIRED or
+ MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
+ next AS request. This is done with the **process** method.
* Examining the padata information included in a successful ticket
reply, possibly verifying the KDC identity and computing a reply
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index a1ea25a..4868e7d 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -391,6 +391,7 @@ typedef unsigned char u_char;
not find a KDC */
#define KRB_AP_ERR_IAKERB_KDC_NO_RESPONSE 86 /* The KDC did not respond
to the IAKERB proxy */
+#define KDC_ERR_MORE_PREAUTH_DATA_REQUIRED 91 /* RFC 6113 */
#define KRB_ERR_MAX 127 /* err table base max offset for protocol err codes */
/*
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 50cc252..dd83844 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -1000,6 +1000,8 @@ finish_check_padata(struct padata_state *state, krb5_error_code code)
case KRB5KDC_ERR_DISCARD:
/* pkinit alg-agility */
case KRB5KDC_ERR_NO_ACCEPTABLE_KDF:
+ /* rfc 6113 */
+ case KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
(*oldrespond)(oldarg, code);
return;
default:
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 5c6f10b..7ba7c1e 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -132,7 +132,7 @@ error_code KRB5PLACEHOLD_87, "KRB5 error code 87"
error_code KRB5PLACEHOLD_88, "KRB5 error code 88"
error_code KRB5PLACEHOLD_89, "KRB5 error code 89"
error_code KRB5PLACEHOLD_90, "KRB5 error code 90"
-error_code KRB5PLACEHOLD_91, "KRB5 error code 91"
+error_code KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "More preauthentication data is required"
error_code KRB5PLACEHOLD_92, "KRB5 error code 92"
error_code KRB5KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTION, "An unsupported critical FAST option was requested"
error_code KRB5PLACEHOLD_94, "KRB5 error code 94"
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index f9bc027..fa8afcc 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1239,7 +1239,8 @@ init_creds_step_request(krb5_context context,
clear_cc_config_out_data(context, ctx);
if (ctx->err_reply == NULL) {
- /* either our first attempt, or retrying after PREAUTH_NEEDED */
+ /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED
+ * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */
code = k5_preauth(context, ctx, ctx->preauth_to_use,
ctx->preauth_required, &ctx->request->padata,
&ctx->selected_preauth_type);
@@ -1408,6 +1409,7 @@ init_creds_step_reply(krb5_context context,
krb5_preauthtype kdc_pa_type;
krb5_boolean retry = FALSE;
int canon_flag = 0;
+ uint32_t reply_code;
krb5_keyblock *strengthen_key = NULL;
krb5_keyblock encrypting_key;
krb5_boolean fast_avail;
@@ -1431,6 +1433,7 @@ init_creds_step_reply(krb5_context context,
&retry);
if (code != 0)
goto cleanup;
+ reply_code = ctx->err_reply->error;
if (negotiation_requests_restart(context, ctx, ctx->err_padata)) {
ctx->have_restarted = 1;
k5_preauth_request_context_fini(context);
@@ -1441,9 +1444,10 @@ init_creds_step_reply(krb5_context context,
ctx->err_reply = NULL;
krb5_free_pa_data(context, ctx->err_padata);
ctx->err_padata = NULL;
- } else if (ctx->err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
- retry) {
+ } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED ||
+ reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) {
/* reset the list of preauth types to try */
+ k5_reset_preauth_types_tried(context);
krb5_free_pa_data(context, ctx->preauth_to_use);
ctx->preauth_to_use = ctx->err_padata;
ctx->err_padata = NULL;
@@ -1480,8 +1484,7 @@ init_creds_step_reply(krb5_context context,
code = 0;
} else {
/* error + no hints = give up */
- code = (krb5_error_code)ctx->err_reply->error +
- ERROR_TABLE_BASE_krb5;
+ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5;
}
}

View File

@ -1,13 +0,0 @@
e2fsprogs in is missing a declaration for this function. However, it is
present as a symbol. And we know its declaration internally.
--- krb5/src/kadmin/cli/ss_wrapper.c 2015-09-23 20:51:05.843606511 +0000
+++ krb5/src/kadmin/cli/ss_wrapper.c 2015-09-23 20:52:03.783605671 +0000
@@ -29,6 +29,8 @@
#include <ss/ss.h>
#include "kadmin.h"
+int ss_execute_command(int sci_idx, char **);
+
extern ss_request_table kadmin_cmds;
extern int exit_status;
extern char *whoami;

26
krb5-1.9-debuginfo.patch Normal file
View File

@ -0,0 +1,26 @@
We want to keep these y.tab.c files around because the debuginfo points to
them. It would be more elegant at the end to use symbolic links, but that
could mess up people working in the tree on other things.
--- src/kadmin/cli/Makefile.in
+++ src/kadmin/cli/Makefile.in
@@ -43,3 +43,8 @@ clean-unix::
# CC_LINK is not meant for compilation and this use may break in the future.
datetest: getdate.c
$(CC_LINK) $(ALL_CFLAGS) -DTEST -o datetest getdate.c
+
+%.c: %.y
+ $(RM) y.tab.c $@
+ $(YACC.y) $<
+ $(CP) y.tab.c $@
--- src/plugins/kdb/ldap/ldap_util/Makefile.in
+++ src/plugins/kdb/ldap/ldap_util/Makefile.in
@@ -22,7 +22,7 @@ $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KR
getdate.c: $(GETDATE)
$(RM) getdate.c y.tab.c
$(YACC) $(GETDATE)
- $(MV) y.tab.c getdate.c
+ $(CP) y.tab.c getdate.c
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)

53
krb5-kvno-230379.patch Normal file
View File

@ -0,0 +1,53 @@
From patch attached to http://krbdev.mit.edu/rt/Ticket/Display.html?id=3349,
at http://krbdev.mit.edu/rt/Ticket/Attachment/23851/13214/kvno.diff, adjusted
as needed to apply to 1.10. FIXME: I'd like to better handle cases where we
have a new key with the right version stored later in the keytab file.
Currently, we're setting up to overlook that possibility.
Note that this only affects the path taken when krb5_rd_rep() is passed a
server principal name, as without a server principal name it already tries
all of the keys it finds in the keytab, regardless of version numbers.
Index: krb5/src/kadmin/ktutil/ktutil.c
===================================================================
--- krb5/src/kadmin/ktutil/ktutil.c (revision 3367)
+++ krb5/src/kadmin/ktutil/ktutil.c (working copy)
@@ -155,7 +155,7 @@
char *princ = NULL;
char *enctype = NULL;
krb5_kvno kvno = 0;
- int use_pass = 0, use_key = 0, i;
+ int use_pass = 0, use_key = 0, use_kvno = 0, i;
for (i = 1; i < argc; i++) {
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) {
@@ -164,6 +164,7 @@
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) {
kvno = (krb5_kvno) atoi(argv[++i]);
+ use_kvno++;
continue;
}
if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) {
@@ -180,7 +181,7 @@
}
}
- if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) {
+ if (argc != 8 || !(princ && use_kvno && enctype) || (use_pass+use_key != 1)) {
fprintf(stderr, _("usage: %s (-key | -password) -p principal "
"-k kvno -e enctype\n"), argv[0]);
return;
Index: krb5/src/lib/krb5/keytab/kt_file.c
===================================================================
--- krb5/src/lib/krb5/keytab/kt_file.c (revision 3367)
+++ krb5/src/lib/krb5/keytab/kt_file.c (working copy)
@@ -349,7 +349,7 @@
higher than that. Short-term workaround: only compare
the low 8 bits. */
- if (new_entry.vno == (kvno & 0xff)) {
+ if (new_entry.vno == (kvno & 0xff) || new_entry.vno == IGNORE_VNO) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;

View File

@ -38,12 +38,12 @@
%global configured_default_ccache_name KEYRING:persistent:%%{uid}
%endif
%global prerelease -alpha1
%global prerelease %{nil}
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14
Release: 2%{?dist}
Version: 1.13.2
Release: 12%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -75,12 +75,21 @@ Source39: krb5-krb5kdc.conf
# Carry this locally until it's available in a packaged form.
Source100: noport.c
Patch6: krb5-1.12-ksu-path.patch
Patch12: krb5-1.12-ktany.patch
Patch16: krb5-1.12-buildconf.patch
Patch23: krb5-1.3.1-dns.patch
Patch39: krb5-1.12-api.patch
Patch60: krb5-1.12.1-pam.patch
Patch63: krb5-1.13-selinux-label.patch
Patch71: krb5-1.13-dirsrv-accountlock.patch
Patch86: krb5-1.9-debuginfo.patch
Patch105: krb5-kvno-230379.patch
Patch129: krb5-1.11-run_user_0.patch
Patch134: krb5-1.11-kpasswdtest.patch
Patch140: krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED.patch
Patch143: krb5-tests_use_libs_from_build.patch
Patch145: krb5-1.14-ss_execute_command-missing.patch
Patch144: krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial.patch
Patch146: krb5-1.14-no_system_krb5_conf.patch
License: MIT
@ -247,13 +256,30 @@ certificate.
ln NOTICE LICENSE
%patch60 -p1 -b .pam
%patch63 -p1 -b .selinux-label
%patch6 -p1 -b .ksu-path
%patch12 -p1 -b .ktany
%patch16 -p1 -b .buildconf %{?_rawbuild}
%patch23 -p1 -b .dns %{?_rawbuild}
%patch39 -p1 -b .api
%patch71 -p1 -b .dirsrv-accountlock %{?_rawbuild}
%patch86 -p0 -b .debuginfo
%patch105 -p1 -b .kvno
# Apply when the hard-wired or configured default location is
# DIR:/run/user/%%{uid}/krb5cc.
%patch129 -p1 -b .run_user_0
%patch134 -p1 -b .kpasswdtest
%patch140 -p1 -b .krb5-1.14-support-kdc_err_more_preauth_data_required
%patch143 -p1 -b .krb5-tests_use_libs_from_build
%patch145 -p1 -b .ss_execute_command
%patch146 -p1 -b .no_system_krb5_conf
%patch144 -p1 -b .krb5-1.13.3-bindresvport_sa_port_byte_swap_bug_triggering_selinux_avc_denial
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -551,9 +577,6 @@ rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/kdc.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/krb5.conf"
rm -- "$RPM_BUILD_ROOT/%{_docdir}/krb5-libs/examples/services.append"
# This is needed only for tests
rm -- "$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/preauth/test.so"
%find_lang %{gettext_domain}
%clean
@ -866,14 +889,8 @@ exit 0
%changelog
* Tue Sep 29 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-2
- Patch around bad system krb5.conf in test suite
- Reinstate /etc/krb5.conf.d
* Wed Sep 23 2015 Robbie Harwood <rharwood@redhat.com> - 1.14-1
- New upstream version; krb5-1.14-alpha1
- Drop patches that have since been applied
- Work around an issue with ss_execute_command() not being available
* Thu Oct 01 2015 Robbie Harwood <rharwood@redhat.com> - 1.13.2-12
- Enable building with bad system /etc/krb5.conf
* Wed Sep 23 2015 Robbie Harwood <rharwood@redhat.com> - 1.13.2-11
- Drop dependency on pax, ksh

View File

@ -1,3 +1,3 @@
5acb7f742232d83d79b08de80ff7ff5d krb5-1.14-alpha1-pdfs.tar
61a7f5ab611cb6fd8df88266941b5031 krb5-1.14-alpha1.tar.gz
f17871d721eef7ca56a61565f3176c43 krb5-1.14-alpha1.tar.gz.asc
f9b9275c6ceb9e6c39fabecc00c6a059 krb5-1.13.2.tar.gz
b62135d2089349b571479feb39f049c9 krb5-1.13.2.tar.gz.asc
095ed64aa1d28f06db1d9b3d89bd8d6b krb5-1.13.2-pdfs.tar