diff --git a/krb5-1.9-selinux-label.patch b/krb5-1.10-selinux-label.patch similarity index 74% rename from krb5-1.9-selinux-label.patch rename to krb5-1.10-selinux-label.patch index 03e58c4..26460c0 100644 --- a/krb5-1.9-selinux-label.patch +++ b/krb5-1.10-selinux-label.patch @@ -31,9 +31,8 @@ The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. -diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 ---- krb5-1.8/src/aclocal.m4.selinux-label 2010-03-05 10:57:23.000000000 -0500 -+++ krb5-1.8/src/aclocal.m4 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/aclocal.m4 ++++ krb5/src/aclocal.m4 @@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF @@ -94,9 +93,8 @@ diff -up krb5-1.8/src/aclocal.m4.selinux-label krb5-1.8/src/aclocal.m4 +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl -diff -up krb5-1.8/src/config/pre.in.selinux-label krb5-1.8/src/config/pre.in ---- krb5-1.8/src/config/pre.in.selinux-label 2010-03-05 10:57:23.000000000 -0500 -+++ krb5-1.8/src/config/pre.in 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/config/pre.in ++++ krb5/src/config/pre.in @@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ LDARGS = @LDARGS@ @@ -114,9 +112,8 @@ diff -up krb5-1.8/src/config/pre.in.selinux-label krb5-1.8/src/config/pre.in KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! -diff -up krb5-1.8/src/configure.in.selinux-label krb5-1.8/src/configure.in ---- krb5-1.8/src/configure.in.selinux-label 2010-03-05 10:57:23.000000000 -0500 -+++ krb5-1.8/src/configure.in 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/configure.in ++++ krb5/src/configure.in @@ -1053,6 +1053,8 @@ fi KRB5_WITH_PAM 
@@ -126,9 +123,8 @@ diff -up krb5-1.8/src/configure.in.selinux-label krb5-1.8/src/configure.in AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) V5_AC_OUTPUT_MANPAGE([ -diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int.h ---- krb5-1.8/src/include/k5-int.h.selinux-label 2010-01-04 14:59:16.000000000 -0500 -+++ krb5-1.8/src/include/k5-int.h 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/include/k5-int.h ++++ krb5/src/include/k5-int.h @@ -133,6 +133,7 @@ typedef unsigned char u_char; typedef UINT64_TYPE krb5_ui_8; typedef INT64_TYPE krb5_int64; @@ -137,9 +133,8 @@ diff -up krb5-1.8/src/include/k5-int.h.selinux-label krb5-1.8/src/include/k5-int #define DEFAULT_PWD_STRING1 "Enter password" #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-label.h ---- krb5-1.8/src/include/k5-label.h.selinux-label 2010-03-05 10:57:23.000000000 -0500 -+++ krb5-1.8/src/include/k5-label.h 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/include/k5-label.h ++++ krb5/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H @@ -173,9 +168,8 @@ diff -up krb5-1.8/src/include/k5-label.h.selinux-label krb5-1.8/src/include/k5-l +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif -diff -up krb5-1.8/src/include/krb5/krb5.hin.selinux-label krb5-1.8/src/include/krb5/krb5.hin ---- krb5-1.8/src/include/krb5/krb5.hin.selinux-label 2010-01-21 17:49:07.000000000 -0500 -+++ krb5-1.8/src/include/krb5/krb5.hin 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/include/krb5/krb5.hin ++++ krb5/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif 
@@ -189,9 +183,17 @@ diff -up krb5-1.8/src/include/krb5/krb5.hin.selinux-label krb5-1.8/src/include/k #define KRB5_OLD_CRYPTO #include -diff -up krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label krb5-1.8/src/kadmin/dbutil/dump.c ---- krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 -+++ krb5-1.8/src/kadmin/dbutil/dump.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/kadmin/dbutil/dump.c ++++ krb5/src/kadmin/dbutil/dump.c +@@ -346,7 +346,7 @@ + exit_status++; + return; + } +- if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { ++ if ((fd = THREEPARAMOPEN(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0600)) < 0) { + com_err(progname, errno, _("while creating 'ok' file, '%s'"), + file_ok); + exit_status++; @@ -1274,7 +1274,7 @@ dump_db(argc, argv) * want to get into. */ @@ -201,9 +203,8 @@ diff -up krb5-1.8/src/kadmin/dbutil/dump.c.selinux-label krb5-1.8/src/kadmin/dbu fprintf(stderr, ofopen_error, progname, ofile, error_message(errno)); exit_status++; -diff -up krb5-1.8/src/krb5-config.in.selinux-label krb5-1.8/src/krb5-config.in ---- krb5-1.8/src/krb5-config.in.selinux-label 2010-01-21 17:49:01.000000000 -0500 -+++ krb5-1.8/src/krb5-config.in 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/krb5-config.in ++++ krb5/src/krb5-config.in @@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' PROG_RPATH_FLAGS='@PROG_RPATH_FLAGS@' PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' 
@@ -212,18 +213,17 @@ diff -up krb5-1.8/src/krb5-config.in.selinux-label krb5-1.8/src/krb5-config.in LIBS='@LIBS@' GEN_LIB=@GEN_LIB@ -@@ -214,7 +215,7 @@ if test -n "$do_libs"; then +@@ -218,7 +219,7 @@ fi - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - fi + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. echo $lib_flags -diff -up krb5-1.8/src/lib/kadm5/logger.c.selinux-label krb5-1.8/src/lib/kadm5/logger.c ---- krb5-1.8/src/lib/kadm5/logger.c.selinux-label 2009-12-28 21:42:51.000000000 -0500 -+++ krb5-1.8/src/lib/kadm5/logger.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/lib/kadm5/logger.c ++++ krb5/src/lib/kadm5/logger.c @@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch * Check for append/overwrite, then open the file. */ @@ -242,9 +242,8 @@ diff -up krb5-1.8/src/lib/kadm5/logger.c.selinux-label krb5-1.8/src/lib/kadm5/lo if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; -diff -up krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label krb5-1.8/src/lib/krb5/keytab/kt_file.c ---- krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label 2009-11-10 14:59:39.000000000 -0500 -+++ krb5-1.8/src/lib/krb5/keytab/kt_file.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/lib/krb5/keytab/kt_file.c ++++ krb5/src/lib/krb5/keytab/kt_file.c @@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context KTCHECKLOCK(id); 
@@ -263,9 +262,8 @@ diff -up krb5-1.8/src/lib/krb5/keytab/kt_file.c.selinux-label krb5-1.8/src/lib/k if (!KTFILEP(id)) goto report_errno; writevno = 1; -diff -up krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label krb5-1.8/src/plugins/kdb/db2/adb_openclose.c ---- krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/db2/adb_openclose.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/plugins/kdb/db2/adb_openclose.c ++++ krb5/src/plugins/kdb/db2/adb_openclose.c @@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char * POSIX systems */ 
@@ -275,41 +273,8 @@ diff -up krb5-1.8/src/plugins/kdb/db2/adb_openclose.c.selinux-label krb5-1.8/src /* * maybe someone took away write permission so we could only * get shared locks? -diff -up krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label krb5-1.8/src/plugins/kdb/db2/kdb_db2.c ---- krb5-1.8/src/plugins/kdb/db2/kdb_db2.c.selinux-label 2009-11-25 09:36:05.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/db2/kdb_db2.c 2010-03-05 10:57:23.000000000 -0500 -@@ -326,8 +326,8 @@ krb5_db2_db_init(krb5_context context) - * should be opened read/write so that write locking can work with - * POSIX systems - */ -- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) { -- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) { - retval = errno; - goto err_out; - } -@@ -745,7 +745,7 @@ krb5_db2_db_create(krb5_context context, - if (!okname) - retval = ENOMEM; - else { -- fd = open(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); -+ fd = THREEPARAMOPEN(okname, O_CREAT | O_RDWR | O_TRUNC, 0600); - if (fd < 0) - retval = errno; - else -@@ -1925,7 +1925,7 @@ krb5_db2_db_rename(context, from, to, me - retval = ENOMEM; - goto errout; - } -- db_ctx->db_lf_file = open(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); -+ db_ctx->db_lf_file = THREEPARAMOPEN(db_ctx->db_lf_name, O_RDWR|O_CREAT, 0600); - if (db_ctx->db_lf_file < 0) { - retval = errno; - goto errout; -diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c ---- krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 -+++ krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c 
@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. #include "k5-platform.h" /* mkstemp? */ @@ -327,9 +292,8 @@ diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/btree/bt_open.c.selinux-label krb5- goto err; } else { -diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c ---- krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label 2009-10-30 20:48:38.000000000 -0400 -+++ krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 #include #endif 
@@ -347,29 +311,8 @@ diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/hash/hash.c.selinux-label krb5-1.8/ RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } -diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c ---- krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c.selinux-label 2007-10-22 15:18:53.000000000 -0400 -+++ krb5-1.8/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2010-03-05 10:57:23.000000000 -0500 -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8 - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,7 @@ __rec_open(fname, flags, mode, openinfo, - int rfd, sverrno; - - /* Open the user's file -- if this fails, we're done. */ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { -diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in ---- krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label 2009-11-22 13:13:29.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/plugins/kdb/db2/libdb2/test/Makefile.in ++++ krb5/src/plugins/kdb/db2/libdb2/test/Makefile.in @@ -12,7 +12,8 @@ PROG_RPATH=$(KRB5_LIBDIR) KRB5_RUN_ENV= @KRB5_RUN_ENV@ 
@@ -380,9 +323,8 @@ diff -up krb5-1.8/src/plugins/kdb/db2/libdb2/test/Makefile.in.selinux-label krb5 DB_DEPLIB = ../libdb$(DEPLIBEXT) all:: -diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ---- krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-label 2009-11-24 18:52:25.000000000 -0500 -+++ krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -1091,7 +1091,7 @@ /* Create a temporary file which contains all the entries except the @@ -435,7 +377,7 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-la - pfile = fopen(file_name, "a+"); + pfile = WRITABLEFOPEN(file_name, "a+"); if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s: %s", file_name, + com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); @@ -2069,7 +2069,7 @@ } @@ -445,10 +387,9 @@ diff -up krb5-1.8/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.selinux-la + newfile = WRITABLEFOPEN(tmp_file, "w"); umask (omask); if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); -diff -up krb5-1.8/src/slave/kpropd.c.selinux-label krb5-1.8/src/slave/kpropd.c ---- krb5-1.8/src/slave/kpropd.c.selinux-label 2009-12-31 17:25:11.000000000 -0500 -+++ krb5-1.8/src/slave/kpropd.c 2010-03-05 10:57:23.000000000 -0500 + com_err(me, errno, _("Error creating file %s"), tmp_file); +--- krb5/src/slave/kpropd.c ++++ krb5/src/slave/kpropd.c @@ -328,7 +328,7 @@ retry: if (!debug && iproprole != IPROP_SLAVE) daemon(1, 0); 
@@ -458,9 +399,34 @@ diff -up krb5-1.8/src/slave/kpropd.c.selinux-label krb5-1.8/src/slave/kpropd.c fprintf(pidfile, "%d\n", getpid()); fclose(pidfile); } else -diff -up krb5-1.8/src/util/profile/prof_file.c.selinux-label krb5-1.8/src/util/profile/prof_file.c ---- krb5-1.8/src/util/profile/prof_file.c.selinux-label 2009-12-27 19:21:20.000000000 -0500 -+++ krb5-1.8/src/util/profile/prof_file.c 2010-03-05 10:57:23.000000000 -0500 +@@ -437,6 +437,9 @@ void doit(fd) + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN+1]; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (kpropd_context->kdblog_context && + kpropd_context->kdblog_context->iproprole == IPROP_SLAVE) { +@@ -515,9 +518,15 @@ void doit(fd) + free(name); + exit(1); + } ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(file); ++#endif + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR|O_CREAT, 0600); + (void) umask(omask); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE|KRB5_LOCKMODE_DONTBLOCK); + if (retval) { +--- krb5/src/util/profile/prof_file.c ++++ krb5/src/util/profile/prof_file.c @@ -30,6 +30,7 @@ #endif @@ -478,9 +444,8 @@ diff -up krb5-1.8/src/util/profile/prof_file.c.selinux-label krb5-1.8/src/util/p if (!f) { retval = errno; if (retval == 0) -diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/support/Makefile.in ---- krb5-1.8/src/util/support/Makefile.in.selinux-label 2009-11-23 20:25:10.000000000 -0500 -+++ krb5-1.8/src/util/support/Makefile.in 2010-03-05 10:57:23.000000000 -0500 +--- krb5/src/util/support/Makefile.in ++++ krb5/src/util/support/Makefile.in @@ -54,6 +54,7 @@ IPC_SYMS= \ STLIBOBJS= \ 
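Review bot: In the kpropd.c `doit()` lines added here, the result of `krb5int_push_fscreatecon_for(file)` is only handed back to `krb5int_pop_fscreatecon()`, so a failed push is indistinguishable from a successful one. Going by the selinux.c change in this same patch, a NULL return means the label mutex could not be taken, and `open(temp_file_name, O_RDWR|O_CREAT, 0600)` would then create the file with whatever context the process defaults to. If that matters for the propagated database, at least log when `selabel == NULL`. The label is also looked up for `file` while the file created is `temp_file_name`. That is presumably deliberate because the temporary is moved into place later, but that step is outside the hunk, so I would add a comment such as `/* Label the temp file as the final dump file; it replaces "file" once the transfer succeeds. */`. The body of `doit()` starts and ends outside these lines.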
@@ -498,10 +463,9 @@ diff -up krb5-1.8/src/util/support/Makefile.in.selinux-label krb5-1.8/src/util/s SHLIB_DIRS= SHLIB_RDIRS=$(KRB5_LIBDIR) -diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/support/selinux.c ---- krb5-1.8/src/util/support/selinux.c.selinux-label 2010-03-05 10:57:23.000000000 -0500 -+++ krb5-1.8/src/util/support/selinux.c 2010-03-05 10:57:23.000000000 -0500 -@@ -0,0 +1,362 @@ +--- krb5/src/util/support/selinux.c ++++ krb5/src/util/support/selinux.c +@@ -0,0 +1,374 @@ +/* + * Copyright 2007,2008,2009,2011 Red Hat, Inc. All Rights Reserved. + * @@ -725,16 +689,28 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup +krb5int_push_fscreatecon_for(const char *pathname) +{ + struct stat st; -+ if (stat(pathname, &st) != 0) { -+ st.st_mode = S_IRUSR | S_IWUSR; ++ void *retval; ++ k5_once(&labeled_once, label_mutex_init); ++ if (k5_mutex_lock(&labeled_mutex) == 0) { ++ if (stat(pathname, &st) != 0) { ++ st.st_mode = S_IRUSR | S_IWUSR; ++ } ++ retval = push_fscreatecon(pathname, st.st_mode); ++ return retval ? retval : (void *) -1; ++ } else { ++ return NULL; + } -+ return push_fscreatecon(pathname, st.st_mode); +} + +void +krb5int_pop_fscreatecon(void *con) +{ -+ pop_fscreatecon(con); ++ if (con != NULL) { ++ if (con != (void *) -1) { ++ pop_fscreatecon(con); ++ } ++ k5_mutex_unlock(&labeled_mutex); ++ } +} + +FILE * @@ -864,9 +840,8 @@ diff -up krb5-1.8/src/util/support/selinux.c.selinux-label krb5-1.8/src/util/sup +} + +#endif -diff -up krb5-1.8/src/lib/krb5/rcache/rc_dfl.c krb5-1.8/src/lib/krb5/rcache/rc_dfl.c ---- krb5-1.8/src/lib/krb5/rcache/rc_dfl.c 2011-06-13 21:04:04.994208850 -0400 -+++ krb5-1.8/src/lib/krb5/rcache/rc_dfl.c 2011-06-13 21:05:07.416208760 -0400 +--- krb5/src/lib/krb5/rcache/rc_dfl.c ++++ krb5/src/lib/krb5/rcache/rc_dfl.c @@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context krb5_error_code retval = 0; krb5_rcache tmp; 
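Review bot: `krb5int_push_fscreatecon_for()` in selinux.c now returns with `labeled_mutex` still held and depends on the caller reaching `krb5int_pop_fscreatecon()` on every path, but nothing at the definition states that contract. A caller that returns or exits between the two calls leaves every later labeled open in the process blocked. If the open wrappers in this file take the same mutex (not visible in this hunk), calling one of them between push and pop would deadlock. I would add a header comment explaining that NULL means "lock not taken, do not expect a label", that `(void *) -1` means "lock taken but no previous context to restore", and that each push must be matched by exactly one pop with no labeled wrapper called in between. The result of `k5_once()` is also discarded before the mutex is locked; `if (k5_once(&labeled_once, label_mutex_init) != 0) return NULL;` would avoid locking a mutex whose initialisation failed.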
@@ -895,3 +870,58 @@ diff -up krb5-1.8/src/lib/krb5/rcache/rc_dfl.c krb5-1.8/src/lib/krb5/rcache/rc_d if (retval) goto cleanup; for (q = t->a; q; q = q->na) { +--- krb5/src/plugins/kdb/db2/kdb_db2.c ++++ krb5/src/plugins/kdb/db2/kdb_db2.c +@@ -683,8 +683,8 @@ + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +--- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ + #include + #include + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +--- krb5/src/kdc/main.c ++++ krb5/src/kdc/main.c +@@ -905,7 +905,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; + +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +--- krb5/src/lib/kdb/kdb_log.c ++++ krb5/src/lib/kdb/kdb_log.c +@@ -566,7 +566,7 @@ ulog_map(krb5_context context, const cha + return (errno); + } + +- if ((ulogfd = open(logname, O_RDWR+O_CREAT, 0600)) == -1) { ++ if ((ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600)) == -1) { + return (errno); + } +
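Review bot: In the rec_open.c section, `#include "k5-int.h"` pulls the whole krb5 internal header into the bundled libdb2 code just to get `THREEPARAMOPEN`. The k5-label.h section earlier in this patch defines that macro, so `#include "k5-label.h"` would be the narrower dependency, provided it is reachable from libdb2's include path and is self-contained. The same header falls back to `#define THREEPARAMOPEN(x,y,z) open(x,y,z)` when `USE_SELINUX` is not defined. If the configuration header that sets `USE_SELINUX` is not seen before the include in this translation unit, `__rec_open()` therefore builds as an unlabeled `open()` without any diagnostic. A short comment at the include, for example `/* for THREEPARAMOPEN; needs USE_SELINUX from the configure header */`, would make that dependency explicit. The same consideration applies to the `THREEPARAMOPEN` and `WRITABLEFOPEN` call sites added for kdb_db2.c, kdc/main.c and kdb_log.c, whose enclosing functions lie outside the hunk.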