diff options
Diffstat (limited to 'krb5-1.13-selinux-label.patch')
-rw-r--r-- | krb5-1.13-selinux-label.patch | 584 |
1 files changed, 338 insertions, 246 deletions
diff --git a/krb5-1.13-selinux-label.patch b/krb5-1.13-selinux-label.patch index 1cd86c0..feb034f 100644 --- a/krb5-1.13-selinux-label.patch +++ b/krb5-1.13-selinux-label.patch @@ -1,3 +1,8 @@ +From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood <rharwood@redhat.com> +Date: Tue, 23 Aug 2016 16:30:53 -0400 +Subject: [PATCH 02/19] krb5-1.13-selinux-label.patch + SELinux bases access to files on the domain of the requesting process, the operation being performed, and the context applied to the file. @@ -30,10 +35,42 @@ stomp all over us. The selabel APIs for looking up the context should be thread-safe (per Red Hat #273081), so switching to using them instead of matchpathcon(), which we used earlier, is some improvement. +--- + src/aclocal.m4 | 49 +++ + src/build-tools/krb5-config.in | 3 +- + src/config/pre.in | 3 +- + src/configure.in | 2 + + src/include/k5-int.h | 1 + + src/include/k5-label.h | 32 ++ + src/include/krb5/krb5.hin | 6 + + src/kadmin/dbutil/dump.c | 11 +- + src/kdc/main.c | 2 +- + src/lib/kadm5/logger.c | 4 +- + src/lib/kdb/kdb_log.c | 2 +- + src/lib/krb5/ccache/cc_dir.c | 26 +- + src/lib/krb5/keytab/kt_file.c | 4 +- + src/lib/krb5/os/trace.c | 2 +- + src/lib/krb5/rcache/rc_dfl.c | 13 + + src/plugins/kdb/db2/adb_openclose.c | 2 +- + src/plugins/kdb/db2/kdb_db2.c | 4 +- + src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +- + src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +- + src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +- + .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +- + src/slave/kpropd.c | 9 + + src/util/gss-kernel-lib/Makefile.in | 5 +- + src/util/profile/prof_file.c | 3 +- + src/util/support/Makefile.in | 3 +- + src/util/support/selinux.c | 381 +++++++++++++++++++++ + 26 files changed, 566 insertions(+), 22 deletions(-) + create mode 100644 src/include/k5-label.h + create mode 100644 src/util/support/selinux.c ---- krb5/src/aclocal.m4 -+++ krb5/src/aclocal.m4 -@@ -103,6 +103,7 @@ AC_SUBST_FILE(libnodeps_frag) +diff --git a/src/aclocal.m4 b/src/aclocal.m4 +index ce045ab..311f099 100644 +--- a/src/aclocal.m4 ++++ b/src/aclocal.m4 +@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag) dnl KRB5_AC_PRAGMA_WEAK_REF WITH_LDAP @@ -41,7 +78,7 @@ which we used earlier, is some improvement. KRB5_LIB_PARAMS KRB5_AC_INITFINI KRB5_AC_ENABLE_THREADS -@@ -1791,3 +1792,51 @@ AC_SUBST(manlocalstatedir) +@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS) AC_SUBST(PAM_MAN) AC_SUBST(NON_PAM_MAN) ])dnl @@ -93,9 +130,32 @@ which we used earlier, is some improvement. +LIBS="$old_LIBS" +AC_SUBST(SELINUX_LIBS) +])dnl ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -180,6 +180,7 @@ LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ +diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in +index f6184da..c17cb5e 100755 +--- a/src/build-tools/krb5-config.in ++++ b/src/build-tools/krb5-config.in +@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@' + DEFCCNAME='@DEFCCNAME@' + DEFKTNAME='@DEFKTNAME@' + DEFCKTNAME='@DEFCKTNAME@' ++SELINUX_LIBS='@SELINUX_LIBS@' + + LIBS='@LIBS@' + GEN_LIB=@GEN_LIB@ +@@ -255,7 +256,7 @@ if test -n "$do_libs"; then + fi + + # If we ever support a flag to generate output suitable for static +- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" ++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" + # here. + + echo $lib_flags +diff --git a/src/config/pre.in b/src/config/pre.in +index b0d9015..63271e7 100644 +--- a/src/config/pre.in ++++ b/src/config/pre.in +@@ -174,6 +174,7 @@ LD = $(PURE) @LD@ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include LDFLAGS = @LDFLAGS@ LIBS = @LIBS@ @@ -103,7 +163,7 @@ which we used earlier, is some improvement. INSTALL=@INSTALL@ INSTALL_STRIP= -@@ -379,7 +380,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) +@@ -395,7 +396,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME) # HESIOD_LIBS is -lhesiod... HESIOD_LIBS = @HESIOD_LIBS@ @@ -112,9 +172,11 @@ which we used earlier, is some improvement. KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! ---- krb5/src/configure.in -+++ krb5/src/configure.in -@@ -1053,6 +1053,8 @@ fi +diff --git a/src/configure.in b/src/configure.in +index 8846ca0..9ec8d84 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff) KRB5_WITH_PAM @@ -123,8 +185,10 @@ which we used earlier, is some improvement. # Make localedir work in autoconf 2.5x. if test "${localedir+set}" != set; then localedir='$(datadir)/locale' ---- krb5/src/include/k5-int.h -+++ krb5/src/include/k5-int.h +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 41c3d1b..6b7b2e3 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h @@ -129,6 +129,7 @@ typedef unsigned char u_char; @@ -133,8 +197,11 @@ which we used earlier, is some improvement. #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */ ---- krb5/src/include/k5-label.h -+++ krb5/src/include/k5-label.h +diff --git a/src/include/k5-label.h b/src/include/k5-label.h +new file mode 100644 +index 0000000..dfaaa84 +--- /dev/null ++++ b/src/include/k5-label.h @@ -0,0 +1,32 @@ +#ifndef _KRB5_LABEL_H +#define _KRB5_LABEL_H @@ -168,8 +235,10 @@ which we used earlier, is some improvement. +#define THREEPARAMOPEN(x,y,z) open(x,y,z) +#endif +#endif ---- krb5/src/include/krb5/krb5.hin -+++ krb5/src/include/krb5/krb5.hin +diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin +index e2c08ae..c93a0f2 100644 +--- a/src/include/krb5/krb5.hin ++++ b/src/include/krb5/krb5.hin @@ -87,6 +87,12 @@ #define THREEPARAMOPEN(x,y,z) open(x,y,z) #endif @@ -183,9 +252,11 @@ which we used earlier, is some improvement. #define KRB5_OLD_CRYPTO #include <stdlib.h> ---- krb5/src/kadmin/dbutil/dump.c -+++ krb5/src/kadmin/dbutil/dump.c -@@ -376,12 +376,21 @@ create_ofile(char *ofile, char **tmpname +diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c +index 253bf3f..9c8c3dc 100644 +--- a/src/kadmin/dbutil/dump.c ++++ b/src/kadmin/dbutil/dump.c +@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname) { int fd = -1; FILE *f; @@ -207,7 +278,7 @@ which we used earlier, is some improvement. if (fd == -1) goto error; -@@ -514,7 +514,7 @@ prep_ok_file(krb5_context context, char +@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd) return 0; } @@ -216,28 +287,24 @@ which we used earlier, is some improvement. if (*fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); exit_status++; ---- krb5/src/build-tools/krb5-config.in -+++ krb5/src/build-tools/krb5-config.in -@@ -38,6 +38,7 @@ RPATH_FLAG='@RPATH_FLAG@' - DEFCCNAME='@DEFCCNAME@' - DEFKTNAME='@DEFKTNAME@' - DEFCKTNAME='@DEFCKTNAME@' -+SELINUX_LIBS='@SELINUX_LIBS@' - - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -218,7 +219,7 @@ - fi - - # If we ever support a flag to generate output suitable for static -- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB" -+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - # here. +diff --git a/src/kdc/main.c b/src/kdc/main.c +index 82dfc0e..936f46b 100644 +--- a/src/kdc/main.c ++++ b/src/kdc/main.c +@@ -847,7 +847,7 @@ write_pid_file(const char *path) + FILE *file; + unsigned long pid; - echo $lib_flags ---- krb5/src/lib/kadm5/logger.c -+++ krb5/src/lib/kadm5/logger.c -@@ -425,7 +425,7 @@ krb5_klog_init(krb5_context kcontext, ch +- file = fopen(path, "w"); ++ file = WRITABLEFOPEN(path, "w"); + if (file == NULL) + return errno; + pid = (unsigned long) getpid(); +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index 19c4355..64f9641 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do * Check for append/overwrite, then open the file. */ if (cp[4] == ':' || cp[4] == '=') { @@ -246,7 +313,7 @@ which we used earlier, is some improvement. if (f) { set_cloexec_file(f); log_control.log_entries[i].lfu_filep = f; -@@ -961,7 +961,7 @@ krb5_klog_reopen(krb5_context kcontext) +@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext) * In case the old logfile did not get moved out of the * way, open for append to prevent squashing the old logs. */ @@ -255,9 +322,74 @@ which we used earlier, is some improvement. if (f) { set_cloexec_file(f); log_control.log_entries[lindex].lfu_filep = f; ---- krb5/src/lib/krb5/keytab/kt_file.c -+++ krb5/src/lib/krb5/keytab/kt_file.c -@@ -1050,7 +1050,7 @@ krb5_ktfileint_open(krb5_context context +diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c +index 99cda59..523b99a 100644 +--- a/src/lib/kdb/kdb_log.c ++++ b/src/lib/kdb/kdb_log.c +@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) + int ulogfd = -1; + + if (stat(logname, &st) == -1) { +- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); ++ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); + if (ulogfd == -1) + return errno; + +diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c +index bba64e5..73f0fe6 100644 +--- a/src/lib/krb5/ccache/cc_dir.c ++++ b/src/lib/krb5/ccache/cc_dir.c +@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents) + char *newpath = NULL; + FILE *fp = NULL; + int fd = -1, status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) + return ENOMEM; ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(primary_path); ++#endif + fd = mkstemp(newpath); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (fd < 0) + goto cleanup; + #ifdef HAVE_CHMOD +@@ -221,10 +230,23 @@ static krb5_error_code + verify_dir(krb5_context context, const char *dirname) + { + struct stat st; ++ int status; ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (stat(dirname, &st) < 0) { +- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) +- return 0; ++ if (errno == ENOENT) { ++#ifdef USE_SELINUX ++ selabel = krb5int_push_fscreatecon_for(dirname); ++#endif ++ status = mkdir(dirname, S_IRWXU); ++#ifdef USE_SELINUX ++ krb5int_pop_fscreatecon(selabel); ++#endif ++ if (status == 0) ++ return 0; ++ } + k5_setmsg(context, KRB5_FCC_NOFILE, + _("Credential cache directory %s does not exist"), + dirname); +diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c +index e105a51..ff1fc54 100644 +--- a/src/lib/krb5/keytab/kt_file.c ++++ b/src/lib/krb5/keytab/kt_file.c +@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) KTCHECKLOCK(id); errno = 0; @@ -266,7 +398,7 @@ which we used earlier, is some improvement. (mode == KRB5_LOCKMODE_EXCLUSIVE) ? fopen_mode_rbplus : fopen_mode_rb); if (!KTFILEP(id)) { -@@ -1058,7 +1058,7 @@ krb5_ktfileint_open(krb5_context context +@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode) /* try making it first time around */ k5_create_secure_file(context, KTFILENAME(id)); errno = 0; @@ -275,20 +407,84 @@ which we used earlier, is some improvement. if (!KTFILEP(id)) goto report_errno; writevno = 1; ---- krb5/src/plugins/kdb/db2/adb_openclose.c -+++ krb5/src/plugins/kdb/db2/adb_openclose.c -@@ -201,7 +201,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char +diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c +index 83c8d4d..a192461 100644 +--- a/src/lib/krb5/os/trace.c ++++ b/src/lib/krb5/os/trace.c +@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename) + fd = malloc(sizeof(*fd)); + if (fd == NULL) + return ENOMEM; +- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); ++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); + if (*fd == -1) { + free(fd); + return errno; +diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c +index 2fb6aa0..c453189 100644 +--- a/src/lib/krb5/rcache/rc_dfl.c ++++ b/src/lib/krb5/rcache/rc_dfl.c +@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + krb5_error_code retval = 0; + krb5_rcache tmp; + krb5_deltat lifespan = t->lifespan; /* save original lifespan */ ++#ifdef USE_SELINUX ++ void *selabel; ++#endif + + if (! t->recovering) { + name = t->name; +@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) + retval = krb5_rc_resolve(context, tmp, 0); + if (retval) + goto cleanup; ++#ifdef USE_SELINUX ++ if (t->d.fn != NULL) ++ selabel = krb5int_push_fscreatecon_for(t->d.fn); ++ else ++ selabel = NULL; ++#endif + retval = krb5_rc_initialize(context, tmp, lifespan); ++#ifdef USE_SELINUX ++ if (selabel != NULL) ++ krb5int_pop_fscreatecon(selabel); ++#endif + if (retval) + goto cleanup; + for (q = t->a; q; q = q->na) { +diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c +index 7db30a3..2b9d019 100644 +--- a/src/plugins/kdb/db2/adb_openclose.c ++++ b/src/plugins/kdb/db2/adb_openclose.c +@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename, + * needs be open read/write so that write locking can work with * POSIX systems */ - lockp->lockinfo.filename = strdup(lockfilename); - if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) { + if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) { /* * maybe someone took away write permission so we could only * get shared locks? ---- krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/btree/bt_open.c -@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8. +diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c +index e97b841..5d1cd61 100644 +--- a/src/plugins/kdb/db2/kdb_db2.c ++++ b/src/plugins/kdb/db2/kdb_db2.c +@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc) + if (retval) + return retval; + +- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, +- 0600); ++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, ++ O_CREAT | O_RDWR | O_TRUNC, 0600); + if (dbc->db_lf_file < 0) { + retval = errno; + goto cleanup; +diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +index 2977b17..d5809a5 100644 +--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c ++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c +@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95"; #include <string.h> #include <unistd.h> @@ -296,7 +492,7 @@ which we used earlier, is some improvement. #include "db-int.h" #include "btree.h" -@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, +@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags) goto einval; } @@ -305,9 +501,11 @@ which we used earlier, is some improvement. goto err; } else { ---- krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -+++ krb5/src/plugins/kdb/db2/libdb2/hash/hash.c -@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 +diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c +index 2a5b4f8..7239d03 100644 +--- a/src/plugins/kdb/db2/libdb2/hash/hash.c ++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95"; #include <assert.h> #endif @@ -315,7 +513,7 @@ which we used earlier, is some improvement. #include "db-int.h" #include "hash.h" #include "page.h" -@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info +@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) new_table = 1; } if (file) { @@ -324,9 +522,33 @@ which we used earlier, is some improvement. RETURN_ERROR(errno, error0); (void)fcntl(hashp->fp, F_SETFD, 1); } ---- krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -+++ krb5/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c -@@ -179,7 +179,7 @@ done: +diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +index d8b26e7..b0daa7c 100644 +--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c ++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c +@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94"; + #include <stdio.h> + #include <unistd.h> + ++#include "k5-int.h" + #include "db-int.h" + #include "recno.h" + +@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags) + int rfd = -1, sverrno; + + /* Open the user's file -- if this fails, we're done. */ +- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) ++ if (fname != NULL && ++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) + return (NULL); + + if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { +diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +index 64d0f91..5d5c0a6 100644 +--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c ++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +@@ -178,7 +178,7 @@ done: /* set password in the file */ old_mode = umask(0177); @@ -335,7 +557,7 @@ which we used earlier, is some improvement. if (pfile == NULL) { com_err(me, errno, _("Failed to open file %s: %s"), file_name, strerror (errno)); -@@ -220,6 +220,9 @@ done: +@@ -219,6 +219,9 @@ done: * Delete the existing entry and add the new entry */ FILE *newfile; @@ -345,7 +567,7 @@ which we used earlier, is some improvement. mode_t omask; -@@ -231,7 +234,13 @@ done: +@@ -230,7 +233,13 @@ done: } omask = umask(077); @@ -359,9 +581,11 @@ which we used earlier, is some improvement. umask (omask); if (newfile == NULL) { com_err(me, errno, _("Error creating file %s"), tmp_file); ---- krb5/src/slave/kpropd.c -+++ krb5/src/slave/kpropd.c -@@ -437,6 +437,9 @@ void doit(fd) +diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c +index 1383156..a950924 100644 +--- a/src/slave/kpropd.c ++++ b/src/slave/kpropd.c +@@ -464,6 +464,9 @@ doit(int fd) krb5_enctype etype; int database_fd; char host[INET6_ADDRSTRLEN + 1]; @@ -371,7 +595,7 @@ which we used earlier, is some improvement. signal_wrapper(SIGALRM, alarm_handler); alarm(params.iprop_resync_timeout); -@@ -515,9 +518,15 @@ void doit(fd) +@@ -520,9 +523,15 @@ doit(int fd) free(name); exit(1); } @@ -387,9 +611,37 @@ which we used earlier, is some improvement. retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); if (retval) { ---- krb5/src/util/profile/prof_file.c -+++ krb5/src/util/profile/prof_file.c -@@ -30,6 +30,7 @@ +diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in +index f70f3c6..7a2f9cc 100644 +--- a/src/util/gss-kernel-lib/Makefile.in ++++ b/src/util/gss-kernel-lib/Makefile.in +@@ -61,6 +61,7 @@ HEADERS= \ + gssapi_err_generic.h \ + k5-int.h \ + k5-int-pkinit.h \ ++ k5-label.h \ + k5-thread.h \ + k5-platform.h \ + k5-buf.h \ +@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h + $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ + gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h + $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ +-k5-int.h: $(INCLUDE)/k5-int.h ++k5-int.h: $(INCLUDE)/k5-int.h k5-label.h + $(CP) $(INCLUDE)/k5-int.h $@ + k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h + $(CP) $(INCLUDE)/k5-int-pkinit.h $@ ++k5-label.h: $(INCLUDE)/k5-label.h ++ $(CP) $(INCLUDE)/k5-label.h $@ + k5-thread.h: $(INCLUDE)/k5-thread.h + $(CP) $(INCLUDE)/k5-thread.h $@ + k5-platform.h: $(INCLUDE)/k5-platform.h +diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c +index 907c119..0f5462a 100644 +--- a/src/util/profile/prof_file.c ++++ b/src/util/profile/prof_file.c +@@ -33,6 +33,7 @@ #endif #include "k5-platform.h" @@ -397,7 +649,7 @@ which we used earlier, is some improvement. struct global_shared_profile_data { /* This is the head of the global list of shared trees */ -@@ -418,7 +419,7 @@ static errcode_t write_data_to_file(prf_ +@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile, errno = 0; @@ -406,9 +658,11 @@ which we used earlier, is some improvement. if (!f) { retval = errno; if (retval == 0) ---- krb5/src/util/support/Makefile.in -+++ krb5/src/util/support/Makefile.in -@@ -54,6 +54,7 @@ IPC_SYMS= \ +diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in +index 5181762..f77acd4 100644 +--- a/src/util/support/Makefile.in ++++ b/src/util/support/Makefile.in +@@ -59,6 +59,7 @@ IPC_SYMS= \ STLIBOBJS= \ threads.o \ @@ -416,7 +670,7 @@ which we used earlier, is some improvement. init-addrinfo.o \ plugins.o \ errors.o \ -@@ -108,7 +109,7 @@ SRCS=\ +@@ -131,7 +132,7 @@ SRCS=\ SHLIB_EXPDEPS = # Add -lm if dumping thread stats, for sqrt. @@ -425,8 +679,11 @@ which we used earlier, is some improvement. DEPLIBS= ---- krb5/src/util/support/selinux.c -+++ krb5/src/util/support/selinux.c +diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c +new file mode 100644 +index 0000000..ffba6a9 +--- /dev/null ++++ b/src/util/support/selinux.c @@ -0,0 +1,381 @@ +/* + * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc. All Rights Reserved. @@ -809,171 +1066,6 @@ which we used earlier, is some improvement. +} + +#endif ---- krb5/src/lib/krb5/rcache/rc_dfl.c -+++ krb5/src/lib/krb5/rcache/rc_dfl.c -@@ -813,6 +813,9 @@ krb5_rc_dfl_expunge_locked(krb5_context - krb5_error_code retval = 0; - krb5_rcache tmp; - krb5_deltat lifespan = t->lifespan; /* save original lifespan */ -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (! t->recovering) { - name = t->name; -@@ -834,7 +837,17 @@ krb5_rc_dfl_expunge_locked(krb5_context - retval = krb5_rc_resolve(context, tmp, 0); - if (retval) - goto cleanup; -+#ifdef USE_SELINUX -+ if (t->d.fn != NULL) -+ selabel = krb5int_push_fscreatecon_for(t->d.fn); -+ else -+ selabel = NULL; -+#endif - retval = krb5_rc_initialize(context, tmp, lifespan); -+#ifdef USE_SELINUX -+ if (selabel != NULL) -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (retval) - goto cleanup; - for (q = t->a; q; q = q->na) { ---- krb5/src/lib/krb5/ccache/cc_dir.c -+++ krb5/src/lib/krb5/ccache/cc_dir.c -@@ -185,10 +185,19 @@ write_primary_file(const char *primary_p - char *newpath = NULL; - FILE *fp = NULL; - int fd = -1, status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0) - return ENOMEM; -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(primary_path); -+#endif - fd = mkstemp(newpath); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif - if (fd < 0) - goto cleanup; - #ifdef HAVE_CHMOD -@@ -223,10 +232,23 @@ - verify_dir(krb5_context context, const char *dirname) - { - struct stat st; -+ int status; -+#ifdef USE_SELINUX -+ void *selabel; -+#endif - - if (stat(dirname, &st) < 0) { -- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0) -- return 0; -+ if (errno == ENOENT) { -+#ifdef USE_SELINUX -+ selabel = krb5int_push_fscreatecon_for(dirname); -+#endif -+ status = mkdir(dirname, S_IRWXU); -+#ifdef USE_SELINUX -+ krb5int_pop_fscreatecon(selabel); -+#endif -+ if (status == 0) -+ return 0; -+ } - k5_setmsg(context, KRB5_FCC_NOFILE, - _("Credential cache directory %s does not exist"), - dirname); ---- krb5/src/lib/krb5/os/trace.c -+++ krb5/src/lib/krb5/os/trace.c -@@ -401,7 +401,7 @@ krb5_set_trace_filename(krb5_context con - fd = malloc(sizeof(*fd)); - if (fd == NULL) - return ENOMEM; -- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); -+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (*fd == -1) { - free(fd); - return errno; ---- krb5/src/plugins/kdb/db2/kdb_db2.c -+++ krb5/src/plugins/kdb/db2/kdb_db2.c -@@ -683,8 +683,8 @@ - if (retval) - return retval; - -- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC, -- 0600); -+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name, -+ O_CREAT | O_RDWR | O_TRUNC, 0600); - if (dbc->db_lf_file < 0) { - retval = errno; - goto cleanup; ---- krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -+++ krb5/src/plugins/kdb/db2/libdb2/recno/rec_open.c -@@ -51,6 +51,7 @@ - #include <stdio.h> - #include <unistd.h> - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,8 @@ - int rfd = -1, sverrno; - - /* Open the user's file -- if this fails, we're done. */ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && -+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) { ---- krb5/src/kdc/main.c -+++ krb5/src/kdc/main.c -@@ -905,7 +905,7 @@ write_pid_file(const char *path) - FILE *file; - unsigned long pid; - -- file = fopen(path, "w"); -+ file = WRITABLEFOPEN(path, "w"); - if (file == NULL) - return errno; - pid = (unsigned long) getpid(); ---- krb5/src/lib/kdb/kdb_log.c -+++ krb5/src/lib/kdb/kdb_log.c -@@ -456,7 +456,7 @@ ulog_map(krb5_context context, const cha - int ulogfd = -1; - - if (stat(logname, &st) == -1) { -- ulogfd = open(logname, O_RDWR | O_CREAT, 0600); -+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; - ---- krb5/src/util/gss-kernel-lib/Makefile.in -+++ krb5/src/util/gss-kernel-lib/Makefile.in -@@ -60,6 +60,7 @@ HEADERS= \ - gssapi_err_generic.h \ - k5-int.h \ - k5-int-pkinit.h \ -+ k5-label.h \ - k5-thread.h \ - k5-platform.h \ - k5-buf.h \ -@@ -166,10 +167,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_ - $(CP) $(GSS_GENERIC)/gssapi_generic.h $@ - gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h - $(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@ --k5-int.h: $(INCLUDE)/k5-int.h -+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h - $(CP) $(INCLUDE)/k5-int.h $@ - k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h - $(CP) $(INCLUDE)/k5-int-pkinit.h $@ -+k5-label.h: $(INCLUDE)/k5-label.h -+ $(CP) $(INCLUDE)/k5-label.h $@ - k5-thread.h: $(INCLUDE)/k5-thread.h - $(CP) $(INCLUDE)/k5-thread.h $@ - k5-platform.h: $(INCLUDE)/k5-platform.h +-- +2.9.3 + |