rpms/krb5/devel krb5-1.6.3-selinux-label.patch, 1.2, 1.3 krb5.spec, 1.169, 1.170
Nalin Somabhai Dahyabhai (nalin)
fedora-extras-commits at redhat.com
Fri Jul 11 15:15:48 UTC 2008
Author: nalin
Update of /cvs/pkgs/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18891
Modified Files:
krb5-1.6.3-selinux-label.patch krb5.spec
Log Message:
- rework how labeling is handled to avoid a bootstrapping problem in headers
- don't forget to label the principal database lock file
krb5-1.6.3-selinux-label.patch:
Index: krb5-1.6.3-selinux-label.patch
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5-1.6.3-selinux-label.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- krb5-1.6.3-selinux-label.patch 18 Mar 2008 15:49:52 -0000 1.2
+++ krb5-1.6.3-selinux-label.patch 11 Jul 2008 15:14:57 -0000 1.3
@@ -179,24 +179,11 @@
diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h
--- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400
+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500
-@@ -128,6 +128,20 @@
+@@ -128,6 +128,7 @@
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
-+#include "k5-platform.h"
-+
-+#ifdef THREEPARAMOPEN
-+#undef THREEPARAMOPEN
-+#endif
-+
-+#ifdef USE_SELINUX
+#include "k5-label.h"
-+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
-+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
-+#else
-+#define WRITABLEFOPEN(x,y) fopen(x,y)
-+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
-+#endif
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
@@ -388,7 +375,7 @@
#include <string.h>
#include <unistd.h>
-+#include <k5-int.h>
++#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -408,7 +395,7 @@
#include <assert.h>
#endif
-+#include <k5-int.h>
++#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -428,7 +415,7 @@
#include <stdio.h>
#include <unistd.h>
-+#include <k5-int.h>
++#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -441,6 +428,19 @@
return (NULL);
/* Create a btree in memory (backed by disk). */
+--- krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:41.000000000 -0400
++++ krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:45.000000000 -0400
+@@ -326,8 +326,8 @@
+ * should be opened read/write so that write locking can work with
+ * POSIX systems
+ */
+- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
+- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
++ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
++ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
+ retval = errno;
+ goto err_out;
+ }
diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c
--- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400
+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500
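Review bot: The two calls the new kdb_db2.c hunk rewrites, `THREEPARAMOPEN(filename, O_RDWR, 0666)` and the `O_RDONLY` fallback, open an existing lock file without O_CREAT, and the labeled open wrapper later in this patch appears to return a plain `open(path, flags)` for flag sets that do not create anything (the early return at the top of the `@@ -781,7 +799,8 @@` hunk; its condition is outside what this diff shows). If that reading is right, these two calls are labeled in name only and the context is really applied wherever the lock file is first created, which this diff does not touch; worth confirming that creation site goes through the wrapper as well. A comment such as `/* No O_CREAT here: the label is applied where the lock file is created. */` above the first call would stop the next reader from assuming this is the labeling point. The enclosing function of that hunk starts and ends outside it.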
@@ -448,7 +448,7 @@
#endif
#include "k5-platform.h"
-+#include "k5-int.h"
++#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -540,7 +540,7 @@
com_err(me, errno, "Error creating file %s", tmp_file);
--- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
-@@ -0,0 +1,256 @@
+@@ -0,0 +1,275 @@
+/*
+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved.
+ *
@@ -579,6 +579,7 @@
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
++#include <k5-thread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
@@ -594,7 +595,16 @@
+
+/* #define DEBUG 1 */
+
-+static pthread_mutex_t labeled_lock = PTHREAD_MUTEX_INITIALIZER;
++/* Mutex used to serialize use of the process-global file creation context. */
++k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
++
++/* Make sure we finish initializing that mutex before attempting to use it. */
++k5_once_t labeled_once = K5_ONCE_INIT;
++static void
++label_mutex_init(void)
++{
++ k5_mutex_finish_init(&labeled_mutex);
++}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
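Review bot: `labeled_mutex` and `labeled_once` are defined without `static`, whereas the `labeled_lock` they replace was file-scope and `label_mutex_init` directly below them still is, so the two become exported symbols of the support library under very generic names. Suggest `static k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;` and `static k5_once_t labeled_once = K5_ONCE_INIT;`, which is sufficient because every use in this patch is within selinux.c. If the library carries an export list or symbol map, `static` also avoids having to add these names to it.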
@@ -703,12 +713,17 @@
+ int errno_save;
+ security_context_t ctx;
+
-+ pthread_mutex_lock(&labeled_lock);
++ if (strcmp(mode, "r") == 0) {
++ return fopen(path, mode);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
++ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fp;
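Review bot: The new fast path in krb5int_labeled_fopen tests `strcmp(mode, "r") == 0`, so `"rb"` and `"r+"`, which never create the file either, still take the mutex and push a file-creation context for nothing; `if (mode[0] == 'r')` with the same early return covers every non-creating stdio mode. Separately, the results of `k5_once(...)` and `k5_mutex_lock(...)` are discarded here and in the creat, mknod, mkdir and open hunks that follow (`@@ -721`, `@@ -739`, `@@ -757`, `@@ -781`); if k5-thread.h's lock returns an error code as its other callers in this tree expect, a failed lock would go on to change the process-global fscreatecon unserialized, so the return is worth checking and turning into an errno-style failure instead. The function's signature and the declaration of `fp` lie outside the hunk.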
@@ -721,12 +736,13 @@
+ int errno_save;
+ security_context_t ctx;
+
-+ pthread_mutex_lock(&labeled_lock);
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
++ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fd;
@@ -739,12 +755,13 @@
+ int errno_save;
+ security_context_t ctx;
+
-+ pthread_mutex_lock(&labeled_lock);
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
++ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
@@ -757,12 +774,13 @@
+ int errno_save;
+ security_context_t ctx;
+
-+ pthread_mutex_lock(&labeled_lock);
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
++ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
@@ -781,7 +799,8 @@
+ return open(path, flags);
+ }
+
-+ pthread_mutex_lock(&labeled_lock);
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
@@ -792,16 +811,21 @@
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
-+ pthread_mutex_unlock(&labeled_lock);
++ k5_mutex_unlock(&labeled_mutex);
+ return fd;
+}
+
+#endif
--- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,27 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
++
++#ifdef THREEPARAMOPEN
++#undef THREEPARAMOPEN
++#endif
++
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
@@ -815,5 +839,10 @@
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
++#else
++#define WRITABLEFOPEN(x,y) fopen(x,y)
++#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
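Review bot: WRITABLEFOPEN is defined unconditionally on both sides of the `#else` here with no `#undef` or `#ifndef` guard, while THREEPARAMOPEN is now force-undefined near the top of the header (the `#undef` block added in the `@@ -792` hunk) before being redefined. Presumably the undef exists because k5-int.h or the configure output already supplies a default THREEPARAMOPEN; should the same ever become true of WRITABLEFOPEN, this header would produce a macro redefinition error wherever both are included. Mirroring the treatment with `#ifdef WRITABLEFOPEN` / `#undef WRITABLEFOPEN` / `#endif` beside the existing block keeps the two macros symmetric, and a one-line comment on the THREEPARAMOPEN undef naming which header's default it overrides would explain why it is needed at all.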
Index: krb5.spec
===================================================================
RCS file: /cvs/pkgs/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.169
retrieving revision 1.170
diff -u -r1.169 -r1.170
--- krb5.spec 14 Jun 2008 18:22:01 -0000 1.169
+++ krb5.spec 11 Jul 2008 15:14:57 -0000 1.170
@@ -1466,10 +1466,6 @@
--with-pam \
--with-pam-login-service=%{login_pam_service} \
--with-selinux
-# Generate krb5/krb5.h
-pushd include
-make krb5/krb5.h
-popd
# Now build it.
make