[packages/krb5] - up to 1.15 - updated manpages,tests patches - updated selinux-label from Fedora - removed outdaed
qboosh
qboosh at pld-linux.org
Sat Feb 18 23:18:49 CET 2017
commit b7cf85b107309939af30a1e4d0d83f68cde60869
Author: Jakub Bogusz <qboosh at pld-linux.org>
Date: Sat Feb 18 23:20:05 2017 +0100
- up to 1.15
- updated manpages,tests patches
- updated selinux-label from Fedora
- removed outdated ksu-access,kprop-mktemp,send-pr-tempfile,trunk-doublelog patches
- added db185 patch, allow to use system db
- added audit patch, enable audit module
krb5-audit.patch | 49 ++
krb5-db185.patch | 44 ++
krb5-kprop-mktemp.patch | 40 --
krb5-ksu-access.patch | 45 --
krb5-manpages.patch | 14 +-
krb5-selinux-label.patch | 1393 +++++++++++++++++++++++++------------------
krb5-send-pr-tempfile.patch | 39 --
krb5-tests.patch | 238 ++++----
krb5-trunk-doublelog.patch | 16 -
krb5.spec | 105 ++--
10 files changed, 1096 insertions(+), 887 deletions(-)
---
diff --git a/krb5.spec b/krb5.spec
index 43fc0eb..b94ad9c 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -5,22 +5,30 @@
# (s)he is on hers/his own.
# - baggins/at/pld-linux.org
#
+# TODO:
+# - fix as-needed (move flags before libs in link commands)
+# - is =-lresolv in --with-netlib needed?
+# - --with-system-verto (pkg-config libverto)
+#
# Conditional build:
-%bcond_without doc # without documentation which needed TeX
+%bcond_without doc # documentation [requires TeX]
+%bcond_without audit # audit plugin
+%bcond_with hesiod # Hesiod support
+%bcond_without ldap # OpenLDAP database backend module
+%bcond_with selinux # SELinux support
+%bcond_without system_db # system Berkeley DB (via DB 1.85 API)
%bcond_without tcl # build without tcl (tcl is needed for tests)
-%bcond_without openldap # don't build openldap plugin
-%bcond_with selinux # build with selinux support
%bcond_without tests # don't perform make check
#
Summary: Kerberos V5 System
Summary(pl.UTF-8): System Kerberos V5
Name: krb5
-Version: 1.12.1
+Version: 1.15
Release: 0.1
License: MIT
Group: Networking
-Source0: http://web.mit.edu/kerberos/dist/krb5/1.12/%{name}-%{version}-signed.tar
-# Source0-md5: 524b1067b619cb5bf780759b6884c3f5
+Source0: http://web.mit.edu/kerberos/dist/krb5/1.15/%{name}-%{version}.tar.gz
+# Source0-md5: cd43a3316ebbb86b2a9020b485b1a819
Source2: %{name}kdc.init
Source4: kadm5.acl
Source5: kerberos.logrotate
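Review bot: The new `Source0` line fetches the tarball over plain `http://`, and the only integrity pin left is `# Source0-md5`, while the `-signed.tar` bundle it replaces shipped, as far as I know, upstream's detached signature next to the tarball. MD5 is not collision-resistant, so for a KDC package I would at least switch to `Source0: https://web.mit.edu/kerberos/dist/krb5/1.15/%{name}-%{version}.tar.gz` and, if the builder tooling allows it, record a SHA-256 of the tarball in a comment beside the md5 line. Whether the old signature was ever verified during the build is not visible in this hunk, so this may be no regression in practice, but the provenance check is worth stating explicitly.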
@@ -34,33 +42,40 @@ Source16: kpropd.init
Source17: kadmind.init
Source18: kpropd.acl
Patch0: %{name}-manpages.patch
-Patch3: %{name}-ksu-access.patch
+Patch1: %{name}-audit.patch
+Patch2: %{name}-db185.patch
Patch4: %{name}-ksu-path.patch
# http://lite.mit.edu/
Patch6: %{name}-ktany.patch
Patch11: %{name}-brokenrev.patch
Patch12: %{name}-dns.patch
Patch13: %{name}-enospc.patch
-Patch15: %{name}-kprop-mktemp.patch
-Patch19: %{name}-send-pr-tempfile.patch
Patch23: %{name}-tests.patch
Patch24: %{name}-config.patch
Patch29: %{name}-selinux-label.patch
-Patch200: %{name}-trunk-doublelog.patch
URL: http://web.mit.edu/kerberos/www/
BuildRequires: /bin/csh
+%{?with_audit:BuildRequires: audit-libs-devel}
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: bison
+%{?with_ldap:BuildRequires: cyrus-sasl-devel >= 2}
+%{?with_system_db:BuildRequires: db-devel}
BuildRequires: flex
+BuildRequires: gettext-tools
BuildRequires: ghostscript
+%{?with_hesiod:BuildRequires: hesiod-devel}
BuildRequires: keyutils-devel
+BuildRequires: libcom_err-devel
+# only for internal ss
+#BuildRequires: libedit-devel
+%{?with_selinux:BuildRequires: libselinux-devel}
# for bindir/mk_cmds
BuildRequires: libss-devel >= 1.35
BuildRequires: ncurses-devel
-%{?with_openldap:BuildRequires: openldap-devel >= 2.4.6}
-BuildRequires: openssl-devel >= 0.9.8
-%{?with_selinux:BuildRequires: libselinux-devel}
+%{?with_ldap:BuildRequires: openldap-devel >= 2.4.6}
+BuildRequires: openssl-devel >= 1.0.0
+BuildRequires: pkgconfig
BuildRequires: rpmbuild(macros) >= 1.268
%{?with_tcl:BuildRequires: tcl-devel}
BuildRequires: words
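Review bot: Dropping `Patch15` (kprop-mktemp) and `Patch19` (send-pr-tempfile) in this hunk removes two temp-file hardening patches, and nothing on the page says whether 1.15 made them unnecessary. The deleted kprop-mktemp.patch replaced a `mktemp()`-named `/tmp/kproptktXXXXXX` credential cache with a `MEMORY:` cache, so if the 1.15 `src/slave/kprop.c` still builds a predictable /tmp name, the package goes back to a race-prone temp file. Please confirm against the 1.15 sources and record the outcome above the Patch list, e.g. `# kprop-mktemp, send-pr-tempfile: dropped, <reason: fixed upstream / code removed>`. The same applies to the matching `%patch15` and `%patch19` removals in `%prep`.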
@@ -68,6 +83,14 @@ BuildRequires: words
BuildRequires: doxygen
BuildRequires: sphinx-pdg
%endif
+%if %{with tests}
+BuildRequires: cmocka-devel
+BuildRequires: perl-base
+BuildRequires: python >= 1:2.5
+# we have "online" tests disabled, so probably not needed
+#BuildRequires: resolv_wrapper >= 1.1.5
+BuildRequires: tcl-devel
+%endif
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define _localstatedir /var/lib/kerberos
@@ -334,6 +357,7 @@ Requires: %{name}-libs = %{version}-%{release}
Requires: keyutils-devel
Requires: libcom_err-devel
Conflicts: heimdal-devel
+Obsoletes: krb5-static
%description devel
Header files for Kerberos V5 libraries and development documentation.
@@ -365,22 +389,18 @@ MIT Kerberos V5 documentation in HTML format.
Dokumentacja systemu MIT Kerberos V5 w formacie HTML.
%prep
-%setup -q -c
-tar xf %{name}-%{version}.tar.gz
-mv %{name}-%{version}/* .
+%setup -q
%patch0 -p1
-%patch3 -p1
+%patch1 -p1
+%{?with_system_db:%patch2 -p1}
%patch4 -p1
%patch6 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
-%patch15 -p1
-%patch19 -p1
%patch23 -p1
%patch24 -p1
%{?with_selinux:%patch29 -p1}
-%patch200 -p1
%build
cd src
@@ -405,20 +425,19 @@ done
CC=%{__cc} \
CFLAGS="$CFLAGS" \
CPPFLAGS="$CPPFLAGS" \
- %{?with_openldap:OPENLDAP_PLUGIN=yes} \
- %{!?with_openldap:OPENLDAP_PLUGIN=""} \
- %{?with_selinux:--with-selinux} \
--libexecdir=%{_libdir} \
- --enable-shared \
--disable-rpath \
- --enable-dns \
- --enable-dns-for-kdc \
+ %{?with_audit:--enable-audit-plugin=simple} \
--enable-dns-for-realm \
+ --with-crypto-impl=openssl \
+ %{?with_hesiod:--with-hesiod} \
+ %{?with_ldap:--with-ldap} \
--with-netlib=-lresolv \
- %{?with_tcl:--with-tcl=%{_prefix}} \
- %{!?with_tcl:--without-tcl} \
+ %{?with_selinux:--with-selinux} \
+ %{?with_system_db:--with-system-db} \
--with-system-et \
- --with-system-ss
+ --with-system-ss \
+ --with-tcl=%{?with_tcl:%{_prefix}}%{!?with_tcl:no}
%{__make} \
TCL_LIBPATH="-L%{_libdir}"
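Review bot: `--enable-dns-for-realm` stays in the configure call while the neighbouring `--enable-dns` and `--enable-dns-for-kdc` switches are dropped, and it makes DNS TXT lookup of a host's realm the compiled-in default. Those answers are unauthenticated unless the resolver validates DNSSEC, so the choice deserves a comment above the configure call telling admins how to turn it off, e.g. `# realm lookup via DNS TXT is on by default; set dns_lookup_realm = false in krb5.conf where DNS is untrusted`. The configure invocation starts above this hunk.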
@@ -457,7 +476,7 @@ install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/krb5kdc
install %{SOURCE16} $RPM_BUILD_ROOT/etc/rc.d/init.d/kpropd
install %{SOURCE17} $RPM_BUILD_ROOT/etc/rc.d/init.d/kadmind
-%if %{with openldap}
+%if %{with ldap}
install src/plugins/kdb/ldap/libkdb_ldap/kerberos.{schema,ldif} $RPM_BUILD_ROOT%{schemadir}
%endif
@@ -469,7 +488,7 @@ echo '.so man1/kadmin.1' > $RPM_BUILD_ROOT%{_mandir}/man8/kadmin.local.8
# fix permissions for deps generation
find $RPM_BUILD_ROOT -type f -name '*.so*' | xargs chmod +x
-# the only translation is empty (as of 1.12.1)
+# the only translation is empty (as of 1.15)
#find_lang mit-krb5
%clean
@@ -589,7 +608,6 @@ fi
%attr(755,root,root) %{_sbindir}/sserver
%attr(755,root,root) %{_sbindir}/uuserver
-%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
@@ -599,7 +617,7 @@ fi
%{_mandir}/man8/kproplog.8*
%{_mandir}/man8/sserver.8*
-%if %{with openldap}
+%if %{with ldap}
%files server-ldap
%defattr(644,root,root,755)
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/kldap.so
@@ -622,11 +640,17 @@ fi
%attr(755,root,root) %{_sbindir}/krb5kdc
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
+%if %{with audit}
+%dir %{_libdir}/krb5/plugins/audit
+%attr(755,root,root) %{_libdir}/krb5/plugins/audit/k5audit.so
+%endif
%dir %{_libdir}/krb5/plugins/kdb
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/db2.so
%dir %{_libdir}/krb5/plugins/preauth
%attr(755,root,root) %{_libdir}/krb5/plugins/preauth/otp.so
%attr(755,root,root) %{_libdir}/krb5/plugins/preauth/pkinit.so
+%dir %{_libdir}/krb5/plugins/tls
+%attr(755,root,root) %{_libdir}/krb5/plugins/tls/k5tls.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/krb5kdc.8*
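Review bot: `plugins/tls/k5tls.so` is added to the same %files section as `krb5kdc`, but as far as I know that module is loaded by libkrb5 on the client side for KDC-over-HTTPS connections. If this section is the server package (its `%files` header is above the hunk, so I cannot tell), hosts that install only the libs package would lose that transport without any build-time error. Consider moving the two `plugins/tls` lines to `%files libs`.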
@@ -684,7 +708,7 @@ fi
%files libs
# -f mit-krb5.lang
%defattr(644,root,root,755)
-%doc NOTICE README doc/CHANGES
+%doc NOTICE README
%attr(755,root,root) %{_libdir}/libgssapi_krb5.so.*.*
%attr(755,root,root) %ghost %{_libdir}/libgssapi_krb5.so.2
%attr(755,root,root) %{_libdir}/libgssrpc.so.*.*
@@ -692,11 +716,11 @@ fi
%attr(755,root,root) %{_libdir}/libk5crypto.so.*.*
%attr(755,root,root) %ghost %{_libdir}/libk5crypto.so.3
%attr(755,root,root) %{_libdir}/libkadm5clnt_mit.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkadm5clnt_mit.so.9
+%attr(755,root,root) %ghost %{_libdir}/libkadm5clnt_mit.so.11
%attr(755,root,root) %{_libdir}/libkadm5srv_mit.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkadm5srv_mit.so.9
+%attr(755,root,root) %ghost %{_libdir}/libkadm5srv_mit.so.11
%attr(755,root,root) %{_libdir}/libkdb5.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkdb5.so.7
+%attr(755,root,root) %ghost %{_libdir}/libkdb5.so.8
%attr(755,root,root) %{_libdir}/libkrad.so.*.*
%attr(755,root,root) %ghost %{_libdir}/libkrad.so.0
%attr(755,root,root) %{_libdir}/libkrb5.so.*.*
@@ -742,13 +766,6 @@ fi
%{_pkgconfigdir}/mit-krb5-gssapi.pc
%{_mandir}/man1/krb5-config.1*
-%if 0
-configure: error: Sorry, static libraries do not work in this release.
-%files static
-%defattr(644,root,root,755)
-%{_libdir}/*.a
-%endif
-
%files doc
%defattr(644,root,root,755)
%doc doc/html/*
diff --git a/krb5-audit.patch b/krb5-audit.patch
new file mode 100644
index 0000000..24c3612
--- /dev/null
+++ b/krb5-audit.patch
@@ -0,0 +1,49 @@
+--- krb5-1.15/src/plugins/audit/simple/Makefile.in.orig 2017-02-18 20:40:33.750668806 +0100
++++ krb5-1.15/src/plugins/audit/simple/Makefile.in 2017-02-18 20:40:37.277335431 +0100
+@@ -1,5 +1,6 @@
+ mydir=plugins$(S)audit$(S)simple
+ BUILDTOP=$(REL)..$(S)..$(S)..
++MODULE_INSTALL_DIR = $(KRB5_AUDIT_MODULE_DIR)
+
+ LIBBASE=k5audit
+ LIBMAJOR=1
+@@ -8,7 +8,7 @@
+
+ #Depends on libkrb5 and libkrb5support.
+ SHLIB_EXPDEPS= $(KRB5_BASE_DEPLIBS)
+-SHLIB_EXPLIBS= $(KRB5_BASE_LIBS)
++SHLIB_EXPLIBS= $(KRB5_BASE_LIBS) $(AUDIT_IMPL_LIBS)
+
+ STOBJLISTS= OBJS.ST ../OBJS.ST
+ STLIBOBJS= au_simple_main.o
+--- krb5-1.15/src/config/pre.in.orig 2016-12-01 23:31:24.000000000 +0100
++++ krb5-1.15/src/config/pre.in 2017-02-18 20:50:40.537328544 +0100
+@@ -217,6 +217,8 @@
+ KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata
+ KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5
+ KRB5_TLS_MODULE_DIR = $(MODULE_DIR)/tls
++# TODO: check subdir name
++KRB5_AUDIT_MODULE_DIR = $(MODULE_DIR)/audit
+ KRB5_LOCALEDIR = @localedir@
+ GSS_MODULE_DIR = @libdir@/gss
+ KRB5_INCSUBDIRS = \
+@@ -445,6 +445,8 @@
+ TLS_IMPL_CFLAGS = @TLS_IMPL_CFLAGS@
+ TLS_IMPL_LIBS = @TLS_IMPL_LIBS@
+
++AUDIT_IMPL_LIBS = @AUDIT_IMPL_LIBS@
++
+ # Whether we have the SASL header file for the LDAP KDB module
+ HAVE_SASL = @HAVE_SASL@
+
+--- krb5-1.15/src/Makefile.in.orig 2016-12-01 23:31:24.000000000 +0100
++++ krb5-1.15/src/Makefile.in 2017-02-18 22:24:54.577263986 +0100
+@@ -64,7 +64,7 @@
+ $(KRB5_LIBDIR) $(KRB5_INCDIR) \
+ $(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
+ $(KRB5_AD_MODULE_DIR) \
+- $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
++ $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) $(KRB5_AUDIT_MODULE_DIR) \
+ @localstatedir@ @localstatedir@/krb5kdc \
+ @runstatedir@ @runstatedir@/krb5kdc \
+ $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
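Review bot: The `# TODO: check subdir name` added beside `KRB5_AUDIT_MODULE_DIR = $(MODULE_DIR)/audit` in pre.in is still open, and the spec's %files hard-codes the same `plugins/audit` path, so the two have to be settled together. Installing k5audit.so also does not show that the KDC will load it. I would expect a dynamic module to need registering under `[plugins]` in krb5.conf before any audit record is emitted. Once that is confirmed, replace the TODO with something like `# audit modules install here; the KDC loads them only when registered in krb5.conf [plugins]`.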
diff --git a/krb5-db185.patch b/krb5-db185.patch
new file mode 100644
index 0000000..4cae175
--- /dev/null
+++ b/krb5-db185.patch
@@ -0,0 +1,44 @@
+--- krb5-1.15/src/plugins/kdb/db2/adb_openclose.c.orig 2016-12-01 23:31:25.000000000 +0100
++++ krb5-1.15/src/plugins/kdb/db2/adb_openclose.c 2017-02-18 20:57:02.910657512 +0100
+@@ -11,7 +11,7 @@
+ #include <unistd.h>
+ #include "policy_db.h"
+ #include <stdlib.h>
+-#include <db.h>
++#include <db_185.h>
+
+ struct _locklist {
+ osa_adb_lock_ent lockinfo;
+--- krb5-1.15/src/plugins/kdb/db2/db2_exp.c.orig 2016-12-01 23:31:25.000000000 +0100
++++ krb5-1.15/src/plugins/kdb/db2/db2_exp.c 2017-02-18 20:57:11.003990754 +0100
+@@ -38,7 +38,7 @@
+ #include <unistd.h>
+ #endif
+
+-#include <db.h>
++#include <db_185.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <utime.h>
+--- krb5-1.15/src/plugins/kdb/db2/kdb_db2.c.orig 2016-12-01 23:31:25.000000000 +0100
++++ krb5-1.15/src/plugins/kdb/db2/kdb_db2.c 2017-02-18 20:57:18.803990663 +0100
+@@ -57,7 +57,7 @@
+ #include <unistd.h>
+ #endif
+
+-#include <db.h>
++#include <db_185.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <utime.h>
+--- krb5-1.15/src/plugins/kdb/db2/policy_db.h.orig 2016-12-01 23:31:25.000000000 +0100
++++ krb5-1.15/src/plugins/kdb/db2/policy_db.h 2017-02-18 20:56:51.160657645 +0100
+@@ -30,7 +30,7 @@
+ where we find u_int32_t. */
+ #include <gssrpc/types.h>
+ #include <gssrpc/xdr.h>
+-#include <db.h>
++#include <db_185.h>
+ #include "adb_err.h"
+ #include <com_err.h>
+
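Review bot: Swapping `<db.h>` for `<db_185.h>` in the four db2 sources moves the KDC database onto the system Berkeley DB. Its 1.85 interface is API compatibility only; as far as I know it does not read files written by the bundled libdb2. With `system_db` on by default in the spec, an upgrade from a build that used the bundled library could leave the KDC unable to open its existing principal and policy databases. I would document the migration next to the `system_db` bcond, e.g. `# existing databases: kdb5_util dump before upgrading, kdb5_util load afterwards`, or verify on a copy of a 1.12.1 database that no conversion is needed.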
diff --git a/krb5-kprop-mktemp.patch b/krb5-kprop-mktemp.patch
deleted file mode 100644
index b2fd775..0000000
--- a/krb5-kprop-mktemp.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Use an in-memory ccache to silence a compiler warning.
---- krb5-1.12.1/src/slave/kprop.c.orig 2014-01-16 01:44:15.000000000 +0100
-+++ krb5-1.12.1/src/slave/kprop.c 2014-03-13 17:07:46.637105824 +0100
-@@ -187,9 +187,9 @@
- void get_tickets(context)
- krb5_context context;
- {
-- char buf[BUFSIZ], *def_realm;
-+ char *def_realm;
- krb5_error_code retval;
-- static char tkstring[] = "/tmp/kproptktXXXXXX";
-+ char tkstring[] = "MEMORY:_kproptkt";
- krb5_keytab keytab = NULL;
-
- /*
-@@ -230,20 +230,17 @@
- #endif
-
- /*
-- * Initialize cache file which we're going to be using
-+ * Initialize an in-memory cache for temporary use
- */
-- (void) mktemp(tkstring);
-- snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
--
-- retval = krb5_cc_resolve(context, buf, &ccache);
-+ retval = krb5_cc_resolve(context, tkstring, &ccache);
- if (retval) {
-- com_err(progname, retval, _("while opening credential cache %s"), buf);
-+ com_err(progname, retval, _("while opening credential cache %s"), tkstring);
- exit(1);
- }
-
- retval = krb5_cc_initialize(context, ccache, my_principal);
- if (retval) {
-- com_err(progname, retval, _("when initializing cache %s"), buf);
-+ com_err(progname, retval, _("when initializing cache %s"), tkstring);
- exit(1);
- }
-
diff --git a/krb5-ksu-access.patch b/krb5-ksu-access.patch
deleted file mode 100644
index dcfadae..0000000
--- a/krb5-ksu-access.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-The idea is to not complain about problems in the default ticket file if we
-couldn't read it, because the client would be able to tell if it's there or
-not. Still needs work, I think.
---- krb5-1.3/src/clients/ksu/ccache.c
-+++ krb5-1.3/src/clients/ksu/ccache.c
-@@ -77,7 +77,7 @@
- cc_def_name = krb5_cc_get_name(context, cc_def);
- cc_other_name = krb5_cc_get_name(context, *cc_other);
-
-- if ( ! stat(cc_def_name, &st_temp)){
-+ if ( ! access(cc_def_name, R_OK) && ! stat(cc_def_name, &st_temp)){
- if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
- return retval;
- }
---- krb5-1.3/src/clients/ksu/heuristic.c
-+++ krb5-1.3/src/clients/ksu/heuristic.c
-@@ -412,7 +412,7 @@
-
- cc_source_name = krb5_cc_get_name(context, cc);
-
-- if ( ! stat(cc_source_name, &st_temp)){
-+ if ( ! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)){
-
- retval = find_ticket(context, cc, client, end_server, &temp_found);
- if (retval)
-@@ -572,7 +572,7 @@
- cc_source_name = krb5_cc_get_name(context, cc_source);
-
-
-- if (! stat(cc_source_name, &st_temp)) {
-+ if (! access(cc_source_name, F_OK | R_OK) && ! stat(cc_source_name, &st_temp)) {
- retval = krb5_cc_get_principal(context, cc_source, &cc_def_princ);
- if (retval)
- return retval;
---- krb5-1.12.1/src/clients/ksu/main.c.orig 2014-03-13 16:45:48.897161122 +0100
-+++ krb5-1.12.1/src/clients/ksu/main.c 2014-03-13 16:46:56.597158281 +0100
-@@ -265,7 +265,7 @@
- if ( strchr(cc_source_tag, ':')){
- cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
-
-- if( stat( cc_source_tag_tmp, &st_temp)){
-+ if( access( cc_source_tag_tmp, F_OK | R_OK) || stat( cc_source_tag_tmp, &st_temp)){
- com_err(prog_name, errno,
- _("while looking for credentials file %s"),
- cc_source_tag_tmp);
diff --git a/krb5-manpages.patch b/krb5-manpages.patch
index 2a24d61..7ab533a 100644
--- a/krb5-manpages.patch
+++ b/krb5-manpages.patch
@@ -9,9 +9,9 @@
.ft P
.fi
.UNINDENT
---- krb5-1.12.1/src/man/kpropd.man.orig 2014-01-16 01:44:15.000000000 +0100
-+++ krb5-1.12.1/src/man/kpropd.man 2014-03-13 16:45:10.723829391 +0100
-@@ -63,7 +63,7 @@
+--- krb5-1.15/src/man/kpropd.man.orig 2016-12-01 23:31:25.000000000 +0100
++++ krb5-1.15/src/man/kpropd.man 2017-02-01 21:32:44.744070801 +0100
+@@ -65,7 +65,7 @@
.sp
.nf
.ft C
@@ -20,12 +20,12 @@
.ft P
.fi
.UNINDENT
-@@ -134,7 +134,7 @@
+@@ -146,7 +146,7 @@
.TP
.B kpropd.acl
Access file for kpropd; the default location is
--\fB/usr/local/var/krb5kdc/kpropd.acl\fP. Each entry is a line
-+\fB/var/lib/kerberos/krb5kdc/kpropd.acl\fP. Each entry is a line
+-\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line
++\fB/var/lib/kerberos/krb5kdc/kpropd.acl\fP\&. Each entry is a line
containing the principal of a host from which the local machine
- will allow Kerberos database propagation via \fIkprop(8)\fP.
+ will allow Kerberos database propagation via \fIkprop(8)\fP\&.
.UNINDENT
diff --git a/krb5-selinux-label.patch b/krb5-selinux-label.patch
index f15cc7a..03e7770 100644
--- a/krb5-selinux-label.patch
+++ b/krb5-selinux-label.patch
@@ -1,24 +1,75 @@
-SELinux bases access to files mainly on the domain of the requesting
-process and the context applied to the file.
+From a2e0aed3d390ded3a7724fa223a3dc1102ec6221 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood at redhat.com>
+Date: Tue, 23 Aug 2016 16:30:53 -0400
+Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
+
+SELinux bases access to files on the domain of the requesting process,
+the operation being performed, and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
-sufficient, as /etc/krb5.keytab will almost always need given a label
-which differs from that of /etc/issue or /etc/resolv.conf.
+sufficient, as /etc/krb5.keytab will almost always need to be given a
+label which differs from that of /etc/issue or /etc/resolv.conf. The
+the kdb stash file needs a different label than the database for which
+it's holding a master key, even though both typically live in the same
+directory.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
-the right label, as we do here. We lean on THREEPARAMOPEN and define a
-similar macro named WRITABLEFOPEN with which we replace several uses of
-fopen().
+the right label, as we attempt to do here. We lean on THREEPARAMOPEN
+and define a similar macro named WRITABLEFOPEN with which we replace
+several uses of fopen().
+
+The file creation context that we're manipulating here is a process-wide
+attribute. While for the most part, applications which need to label
+files when they're created have tended to be single-threaded, there's
+not much we can do to avoid interfering with an application that
+manipulates the creation context directly. Right now we're mediating
+access using a library-local mutex, but that can only work for consumers
+that are part of this package -- an unsuspecting application will still
+stomp all over us.
-diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
---- krb5-1.6.3/src/aclocal.m4 2008-03-06 19:04:59.000000000 -0500
-+++ krb5-1.6.3/src/aclocal.m4 2008-03-06 17:31:21.000000000 -0500
-@@ -102,6 +102,7 @@
+The selabel APIs for looking up the context should be thread-safe (per
+Red Hat #273081), so switching to using them instead of matchpathcon(),
+which we used earlier, is some improvement.
+---
+ src/aclocal.m4 | 49 +++
+ src/build-tools/krb5-config.in | 3 +-
+ src/config/pre.in | 3 +-
+ src/configure.in | 2 +
+ src/include/k5-int.h | 1 +
+ src/include/k5-label.h | 32 ++
+ src/include/krb5/krb5.hin | 6 +
+ src/kadmin/dbutil/dump.c | 11 +-
+ src/kdc/main.c | 2 +-
+ src/lib/kadm5/logger.c | 4 +-
+ src/lib/kdb/kdb_log.c | 2 +-
+ src/lib/krb5/ccache/cc_dir.c | 26 +-
+ src/lib/krb5/keytab/kt_file.c | 4 +-
+ src/lib/krb5/os/trace.c | 2 +-
+ src/lib/krb5/rcache/rc_dfl.c | 13 +
+ src/plugins/kdb/db2/adb_openclose.c | 2 +-
+ src/plugins/kdb/db2/kdb_db2.c | 4 +-
+ src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
+ src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
+ src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
+ .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
+ src/slave/kpropd.c | 9 +
+ src/util/profile/prof_file.c | 3 +-
+ src/util/support/Makefile.in | 3 +-
+ src/util/support/selinux.c | 406 +++++++++++++++++++++
+ 25 files changed, 587 insertions(+), 21 deletions(-)
+ create mode 100644 src/include/k5-label.h
+ create mode 100644 src/util/support/selinux.c
+
+diff --git a/src/aclocal.m4 b/src/aclocal.m4
+index 508e5fe90..607859f17 100644
+--- a/src/aclocal.m4
++++ b/src/aclocal.m4
+@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
@@ -26,13 +77,13 @@ diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
-@@ -1902,3 +1903,50 @@
+@@ -1742,3 +1743,51 @@ AC_SUBST(PAM_LIBS)
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
-+dnl
++dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
@@ -40,7 +91,7 @@ diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
-+ AC_CHECK_HEADERS(selinux/selinux.h)
++ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
@@ -52,11 +103,11 @@ diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
-+ AC_CHECK_FUNCS(setfscreatecon)
++ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
-+ AC_CHECK_FUNCS(setfscreatecon)
++ AC_CHECK_FUNCS(setfscreatecon selabel_open)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
@@ -69,128 +120,125 @@ diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
+ fi
+ fi
+ if test "$withselinux" != no ; then
-+ AC_MSG_RESULT([Using SELinux.])
++ AC_MSG_NOTICE([building with SELinux labeling support])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
++ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
-diff -ur krb5-1.6.3/src/appl/bsd/configure.in krb5-1.6.3/src/appl/bsd/configure.in
---- krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 19:04:59.000000000 -0500
-+++ krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 18:05:45.000000000 -0500
-@@ -25,6 +25,7 @@
- LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
- )))
- KRB5_WITH_PAM
-+KRB5_WITH_SELINUX
- dnl
- dnl Make our operating system-specific security checks and definitions for
- dnl login.
-diff -ur krb5-1.6.3/src/appl/gssftp/configure.in krb5-1.6.3/src/appl/gssftp/configure.in
---- krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 19:04:59.000000000 -0500
-+++ krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 18:08:03.000000000 -0500
-@@ -18,6 +18,7 @@
- AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
- AC_CHECK_LIB(crypt,crypt) dnl
- KRB5_WITH_PAM
-+KRB5_WITH_SELINUX
- KRB5_AC_LIBUTIL
- dnl
- dnl copied from appl/bsd/configure.in
-diff -ur krb5-1.6.3/src/appl/telnet/configure.in krb5-1.6.3/src/appl/telnet/configure.in
---- krb5-1.6.3/src/appl/telnet/configure.in 2006-03-27 23:35:02.000000000 -0500
-+++ krb5-1.6.3/src/appl/telnet/configure.in 2008-03-06 18:08:49.000000000 -0500
-@@ -163,6 +163,7 @@
- if test $krb5_cv_sys_setpgrp_two = yes; then
- AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments])
- fi
-+KRB5_USE_SELINUX
- dnl
- KRB5_NEED_PROTO([#include <stdlib.h>],unsetenv,1)
- dnl KRB5_NEED_PROTO([#include <stdlib.h>],setenv,1)
-diff -ur krb5-1.6.3/src/config/pre.in krb5-1.6.3/src/config/pre.in
---- krb5-1.6.3/src/config/pre.in 2008-03-06 19:04:59.000000000 -0500
-+++ krb5-1.6.3/src/config/pre.in 2008-03-06 17:53:07.000000000 -0500
-@@ -181,6 +181,7 @@
- CLNTLIBS = @CLNTLIBS@
- CLNTDEPLIBS = @CLNTDEPLIBS@
- PAM_LIBS = @PAM_LIBS@
+diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
+index f6184da3f..c17cb5eb5 100755
+--- a/src/build-tools/krb5-config.in
++++ b/src/build-tools/krb5-config.in
+@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
+ DEFCCNAME='@DEFCCNAME@'
+ DEFKTNAME='@DEFKTNAME@'
+ DEFCKTNAME='@DEFCKTNAME@'
++SELINUX_LIBS='@SELINUX_LIBS@'
+
+ LIBS='@LIBS@'
+ GEN_LIB=@GEN_LIB@
+@@ -255,7 +256,7 @@ if test -n "$do_libs"; then
+ fi
+
+ # If we ever support a flag to generate output suitable for static
+- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
++ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ # here.
+
+ echo $lib_flags
+diff --git a/src/config/pre.in b/src/config/pre.in
+index e0626320c..fcea229bd 100644
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
+ KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
+ LDFLAGS = @LDFLAGS@
+ LIBS = @LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
-@@ -391,7 +392,7 @@
+@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
- KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
- KDB5_LIBS = $(KDB5_LIB)
+ KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
GSS_LIBS = $(GSS_KRB5_LIB)
-diff -ur krb5-1.6.3/src/configure.in krb5-1.6.3/src/configure.in
---- krb5-1.6.3/src/configure.in 2008-03-06 19:04:59.000000000 -0500
-+++ krb5-1.6.3/src/configure.in 2008-03-06 17:39:53.000000000 -0500
-@@ -945,6 +945,8 @@
+ # needs fixing if ever used on Mac OS X!
+diff --git a/src/configure.in b/src/configure.in
+index daabd12c8..acf3a458b 100644
+--- a/src/configure.in
++++ b/src/configure.in
+@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
- AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+ # Make localedir work in autoconf 2.5x.
+ if test "${localedir+set}" != set; then
+ localedir='$(datadir)/locale'
+diff --git a/src/include/k5-int.h b/src/include/k5-int.h
+index 64991738a..173cb0264 100644
+--- a/src/include/k5-int.h
++++ b/src/include/k5-int.h
+@@ -128,6 +128,7 @@ typedef unsigned char u_char;
- mansysconfdir=$sysconfdir
-diff -ur krb5-1.6.3/src/include/autoconf.h.in krb5-1.6.3/src/include/autoconf.h.in
---- krb5-1.6.3/src/include/autoconf.h.in 2007-10-21 23:35:17.000000000 -0400
-+++ krb5-1.6.3/src/include/autoconf.h.in 2008-03-06 17:39:13.000000000 -0500
-@@ -358,6 +358,9 @@
- /* Define to 1 if you have the `sched_yield' function. */
- #undef HAVE_SCHED_YIELD
-
-+/* Define to 1 if you have the <selinux/selinux.h> header file. */
-+#undef HAVE_SELINUX_SELINUX_H
-+
- /* Define to 1 if you have the <semaphore.h> header file. */
- #undef HAVE_SEMAPHORE_H
-@@ -370,6 +373,9 @@
- /* Define to 1 if you have the `setegid' function. */
- #undef HAVE_SETEGID
+ #include "k5-platform.h"
++#include "k5-label.h"
-+/* Define to 1 if you have the `setfscreatecon' function. */
-+#undef HAVE_SETFSCREATECON
+ #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
+ #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
+diff --git a/src/include/k5-label.h b/src/include/k5-label.h
+new file mode 100644
+index 000000000..dfaaa847c
+--- /dev/null
++++ b/src/include/k5-label.h
+@@ -0,0 +1,32 @@
++#ifndef _KRB5_LABEL_H
++#define _KRB5_LABEL_H
+
- /* Define to 1 if you have the `setenv' function. */
- #undef HAVE_SETENV
-
-@@ -695,6 +701,10 @@
- /* Define if the KDC should use a replay cache */
- #undef USE_RCACHE
-
-+/* Define if Kerberos-aware tools should set SELinux file contexts when
-+ creating files. */
-+#undef USE_SELINUX
++#ifdef THREEPARAMOPEN
++#undef THREEPARAMOPEN
++#endif
++#ifdef WRITABLEFOPEN
++#undef WRITABLEFOPEN
++#endif
+
- /* Define if sigprocmask should be used */
- #undef USE_SIGPROCMASK
-
-diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h
---- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400
-+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500
-@@ -128,6 +128,7 @@
- typedef UINT64_TYPE krb5_ui_8;
- typedef INT64_TYPE krb5_int64;
-
-+#include "k5-label.h"
-
- #define DEFAULT_PWD_STRING1 "Enter password"
- #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
-diff -ur krb5-1.6.3/src/include/krb5/krb5.hin krb5-1.6.3/src/include/krb5/krb5.hin
---- krb5-1.6.3/src/include/krb5/krb5.hin 2007-09-17 23:36:09.000000000 -0400
-+++ krb5-1.6.3/src/include/krb5/krb5.hin 2008-03-06 18:17:29.000000000 -0500
-@@ -91,6 +91,12 @@
++/* Wrapper functions which help us create files and directories with the right
++ * context labels. */
++#ifdef USE_SELINUX
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <stdio.h>
++#include <unistd.h>
++FILE *krb5int_labeled_fopen(const char *path, const char *mode);
++int krb5int_labeled_creat(const char *path, mode_t mode);
++int krb5int_labeled_open(const char *path, int flags, ...);
++int krb5int_labeled_mkdir(const char *path, mode_t mode);
++int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
++#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
++#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
++void *krb5int_push_fscreatecon_for(const char *pathname);
++void krb5int_pop_fscreatecon(void *previous);
++#else
++#define WRITABLEFOPEN(x,y) fopen(x,y)
++#define THREEPARAMOPEN(x,y,z) open(x,y,z)
++#endif
++#endif
+diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
+index ac22f4c55..cf60d6c41 100644
+--- a/src/include/krb5/krb5.hin
++++ b/src/include/krb5/krb5.hin
+@@ -87,6 +87,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
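Review bot: k5-label.h declares `krb5int_labeled_creat`, `krb5int_labeled_mkdir` and `krb5int_labeled_mknod`, but the `EXTRA_SUPPORT_SYMS` line added in aclocal.m4, which appears to be the export list, names only `krb5int_labeled_open`, `krb5int_labeled_fopen` and the two fscreatecon helpers. No caller of the other three is visible here, but any use outside libkrb5support would fail to link in a `--with-selinux` build. Either add them to that list or mark them in the header, e.g. `/* creat/mkdir/mknod wrappers are internal to libkrb5support and not exported */`.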
@@ -203,175 +251,238 @@ diff -ur krb5-1.6.3/src/include/krb5/krb5.hin krb5-1.6.3/src/include/krb5/krb5.h
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
-diff -ur krb5-1.6.3/src/kadmin/dbutil/dump.c krb5-1.6.3/src/kadmin/dbutil/dump.c
---- krb5-1.6.3/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500
-+++ krb5-1.6.3/src/kadmin/dbutil/dump.c 2008-03-06 18:33:44.000000000 -0500
-@@ -1148,7 +1148,7 @@
- * want to get into.
- */
- unlink(ofile);
-- if (!(f = fopen(ofile, "w"))) {
-+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
- fprintf(stderr, ofopen_error,
- programname, ofile, error_message(errno));
- exit_status++;
-diff -ur krb5-1.6.3/src/kadmin/dbutil/dumpv4.c krb5-1.6.3/src/kadmin/dbutil/dumpv4.c
---- krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2002-11-05 19:42:57.000000000 -0500
-+++ krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2008-03-06 18:33:50.000000000 -0500
-@@ -324,7 +324,7 @@
- * want to get into.
- */
- unlink(outname);
-- if (!(f = fopen(outname, "w"))) {
-+ if (!(f = WRITABLEFOPEN(outname, "w"))) {
- com_err(argv[0], errno,
- "While opening file %s for writing", outname);
- exit_status++;
-diff -ur krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c
---- krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2005-10-12 16:48:36.000000000 -0400
-+++ krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2008-03-06 18:34:19.000000000 -0500
-@@ -520,7 +520,7 @@
- umask(0077); /*Changing umask for all of ktutil is OK
- * We don't ever write out anything that should use
- * default umask.*/
-- fp = fopen(name, "w");
-+ fp = WRITABLEFOPEN(name, "w");
- if (!fp) {
- retval = EIO;
- goto free_pruned;
-diff -ur krb5-1.6.3/src/krb5-config.in krb5-1.6.3/src/krb5-config.in
---- krb5-1.6.3/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400
-+++ krb5-1.6.3/src/krb5-config.in 2008-03-06 17:29:57.000000000 -0500
-@@ -39,6 +39,7 @@
- RPATH_FLAG='@RPATH_FLAG@'
- PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
- DL_LIB='@DL_LIB@'
-+SELINUX_LIBS='@SELINUX_LIBS@'
+diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
+index f7889bd23..cad53cfbf 100644
+--- a/src/kadmin/dbutil/dump.c
++++ b/src/kadmin/dbutil/dump.c
+@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
+ {
+ int fd = -1;
+ FILE *f;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
- LIBS='@LIBS@'
- GEN_LIB=@GEN_LIB@
-@@ -217,7 +218,7 @@
- fi
+ *tmpname = NULL;
+ if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)
+ goto error;
- if test $library = 'krb5'; then
-- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
-+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
- fi
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(ofile);
++#endif
+ fd = mkstemp(*tmpname);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ if (fd == -1)
+ goto error;
- echo $lib_flags
-diff -ur krb5-1.6.3/src/lib/kadm5/logger.c krb5-1.6.3/src/lib/kadm5/logger.c
---- krb5-1.6.3/src/lib/kadm5/logger.c 2007-04-04 17:08:05.000000000 -0400
-+++ krb5-1.6.3/src/lib/kadm5/logger.c 2008-03-06 18:30:32.000000000 -0500
-@@ -425,7 +425,7 @@
- * Check for append/overwrite, then open the file.
- */
- if (cp[4] == ':' || cp[4] == '=') {
-- f = fopen(&cp[5], (cp[4] == ':') ? "a+" : "w");
-+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a+" : "w");
- if (f) {
- log_control.log_entries[i].lfu_filep = f;
- log_control.log_entries[i].log_type = K_LOG_FILE;
-@@ -959,7 +959,7 @@
- * In case the old logfile did not get moved out of the
- * way, open for append to prevent squashing the old logs.
- */
-- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
-+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
- if (f) {
- log_control.log_entries[lindex].lfu_filep = f;
- } else {
-diff -ur krb5-1.6.3/src/lib/kdb/kdb_default.c krb5-1.6.3/src/lib/kdb/kdb_default.c
---- krb5-1.6.3/src/lib/kdb/kdb_default.c 2006-10-11 22:39:14.000000000 -0400
-+++ krb5-1.6.3/src/lib/kdb/kdb_default.c 2008-03-06 18:31:18.000000000 -0500
-@@ -161,9 +161,9 @@
- oumask = umask(077);
- #endif
- #ifdef ANSI_STDIO
-- if (!(kf = fopen(keyfile, "wb")))
-+ if (!(kf = WRITABLEFOPEN(keyfile, "wb")))
- #else
-- if (!(kf = fopen(keyfile, "w")))
-+ if (!(kf = WRITABLEFOPEN(keyfile, "w")))
- #endif
- {
- int e = errno;
-diff -ur krb5-1.6.3/src/lib/krb4/klog.c krb5-1.6.3/src/lib/krb4/klog.c
---- krb5-1.6.3/src/lib/krb4/klog.c 2006-03-11 17:23:28.000000000 -0500
-+++ krb5-1.6.3/src/lib/krb4/klog.c 2008-03-06 18:48:01.000000000 -0500
-@@ -24,6 +24,7 @@
- * or implied warranty.
- */
+@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)
+ return 0;
+ }
-+#include "k5-int.h"
- #include "krb.h"
- #include "autoconf.h"
- #ifdef HAVE_TIME_H
-@@ -96,7 +97,7 @@
- if (!logtype_array[type])
- return(logtxt);
-
-- if ((logfile = fopen(log_name,"a")) == NULL)
-+ if ((logfile = WRITABLEFOPEN(log_name,"a")) == NULL)
- return(logtxt);
-
- (void) time(&now);
-diff -ur krb5-1.6.3/src/lib/krb4/kparse.c krb5-1.6.3/src/lib/krb4/kparse.c
---- krb5-1.6.3/src/lib/krb4/kparse.c 2006-06-16 02:58:42.000000000 -0400
-+++ krb5-1.6.3/src/lib/krb4/kparse.c 2008-03-06 18:35:18.000000000 -0500
-@@ -583,7 +583,7 @@
- FILE *fp;
-
- if (--argc) {
-- fp = fopen(*++argv,"ra");
-+ fp = WRITABLEOPEN(*++argv,"ra");
- if (fp == (FILE *)NULL) {
- fprintf(stderr,"can\'t open \"%s\"\n",*argv);
- }
-diff -ur krb5-1.6.3/src/lib/krb4/log.c krb5-1.6.3/src/lib/krb4/log.c
---- krb5-1.6.3/src/lib/krb4/log.c 2006-03-11 17:23:28.000000000 -0500
-+++ krb5-1.6.3/src/lib/krb4/log.c 2008-03-06 18:47:49.000000000 -0500
-@@ -30,6 +30,7 @@
- krb_set_logfile, or change all the invokers. */
- #endif
+- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
++ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+ if (*fd == -1) {
+ com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
+ exit_status++;
+diff --git a/src/kdc/main.c b/src/kdc/main.c
+index ebc852bba..a4dffb29a 100644
+--- a/src/kdc/main.c
++++ b/src/kdc/main.c
+@@ -872,7 +872,7 @@ write_pid_file(const char *path)
+ FILE *file;
+ unsigned long pid;
-+#include "k5-int.h"
- #include "krb.h"
- #include "autoconf.h"
- #ifdef HAVE_TIME_H
-@@ -79,7 +80,7 @@
+- file = fopen(path, "w");
++ file = WRITABLEFOPEN(path, "w");
+ if (file == NULL)
+ return errno;
+ pid = (unsigned long) getpid();
+diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
+index ce79fabf7..c53a5743f 100644
+--- a/src/lib/kadm5/logger.c
++++ b/src/lib/kadm5/logger.c
+@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
+ */
+ append = (cp[4] == ':') ? O_APPEND : 0;
+ if (append || cp[4] == '=') {
+- fd = open(&cp[5], O_CREAT | O_WRONLY | append,
++ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
+ S_IRUSR | S_IWUSR | S_IRGRP);
+ if (fd != -1)
+ f = fdopen(fd, append ? "a" : "w");
+@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
+ * In case the old logfile did not get moved out of the
+ * way, open for append to prevent squashing the old logs.
+ */
+- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
++ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
+ if (f) {
+ set_cloexec_file(f);
+ log_control.log_entries[lindex].lfu_filep = f;
+diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
+index 766d3002a..6466417b7 100644
+--- a/src/lib/kdb/kdb_log.c
++++ b/src/lib/kdb/kdb_log.c
+@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
+ int ulogfd = -1;
- va_start(args, format);
+ if (stat(logname, &st) == -1) {
+- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
++ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
+ if (ulogfd == -1)
+ return errno;
-- if ((logfile = fopen(log_name,"a")) != NULL) {
-+ if ((logfile = WRITABLEFOPEN(log_name,"a")) != NULL) {
- (void) time(&now);
- tm = localtime(&now);
+diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
+index bba64e516..73f0fe62d 100644
+--- a/src/lib/krb5/ccache/cc_dir.c
++++ b/src/lib/krb5/ccache/cc_dir.c
+@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
+ char *newpath = NULL;
+ FILE *fp = NULL;
+ int fd = -1, status;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
-diff -ur krb5-1.6.3/src/lib/krb5/keytab/kt_file.c krb5-1.6.3/src/lib/krb5/keytab/kt_file.c
---- krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2007-08-31 17:38:41.000000000 -0400
-+++ krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2008-03-06 18:19:56.000000000 -0500
-@@ -1062,7 +1062,7 @@
+ if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
+ return ENOMEM;
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(primary_path);
++#endif
+ fd = mkstemp(newpath);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ if (fd < 0)
+ goto cleanup;
+ #ifdef HAVE_CHMOD
+@@ -221,10 +230,23 @@ static krb5_error_code
+ verify_dir(krb5_context context, const char *dirname)
+ {
+ struct stat st;
++ int status;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ if (stat(dirname, &st) < 0) {
+- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
+- return 0;
++ if (errno == ENOENT) {
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(dirname);
++#endif
++ status = mkdir(dirname, S_IRWXU);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
++ if (status == 0)
++ return 0;
++ }
+ k5_setmsg(context, KRB5_FCC_NOFILE,
+ _("Credential cache directory %s does not exist"),
+ dirname);
+diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
+index 6a42f267d..674d88bab 100644
+--- a/src/lib/krb5/keytab/kt_file.c
++++ b/src/lib/krb5/keytab/kt_file.c
+@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
- (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
- fopen_mode_rbplus : fopen_mode_rb);
+ (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
if (!KTFILEP(id)) {
-@@ -1070,7 +1070,7 @@
- /* try making it first time around */
- krb5_create_secure_file(context, KTFILENAME(id));
- errno = 0;
-- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
-+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
- if (!KTFILEP(id))
- return errno ? errno : EMFILE;
- writevno = 1;
-diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c
---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2000-07-02 23:43:42.000000000 -0400
-+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2008-03-06 18:27:37.000000000 -0500
-@@ -58,6 +58,7 @@
+ if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
+ /* try making it first time around */
+ k5_create_secure_file(context, KTFILENAME(id));
+ errno = 0;
+- KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
++ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
+ if (!KTFILEP(id))
+ goto report_errno;
+ writevno = 1;
+diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
+index 83c8d4db8..a19246128 100644
+--- a/src/lib/krb5/os/trace.c
++++ b/src/lib/krb5/os/trace.c
+@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
+ fd = malloc(sizeof(*fd));
+ if (fd == NULL)
+ return ENOMEM;
+- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
++ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
+ if (*fd == -1) {
+ free(fd);
+ return errno;
+diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
+index c4d2c744d..c0f12ed9d 100644
+--- a/src/lib/krb5/rcache/rc_dfl.c
++++ b/src/lib/krb5/rcache/rc_dfl.c
+@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+ krb5_error_code retval = 0;
+ krb5_rcache tmp;
+ krb5_deltat lifespan = t->lifespan; /* save original lifespan */
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ if (! t->recovering) {
+ name = t->name;
+@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
+ retval = krb5_rc_resolve(context, tmp, 0);
+ if (retval)
+ goto cleanup;
++#ifdef USE_SELINUX
++ if (t->d.fn != NULL)
++ selabel = krb5int_push_fscreatecon_for(t->d.fn);
++ else
++ selabel = NULL;
++#endif
+ retval = krb5_rc_initialize(context, tmp, lifespan);
++#ifdef USE_SELINUX
++ if (selabel != NULL)
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ if (retval)
+ goto cleanup;
+ for (q = t->a; q; q = q->na) {
+diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
+index 7db30a33b..2b9d01921 100644
+--- a/src/plugins/kdb/db2/adb_openclose.c
++++ b/src/plugins/kdb/db2/adb_openclose.c
+@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
+ * needs be open read/write so that write locking can work with
+ * POSIX systems
+ */
+- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
++ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
+ /*
+ * maybe someone took away write permission so we could only
+ * get shared locks?
+diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
+index 4c4036eb4..d90bdeaba 100644
+--- a/src/plugins/kdb/db2/kdb_db2.c
++++ b/src/plugins/kdb/db2/kdb_db2.c
+@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
+ if (retval)
+ return retval;
+
+- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
+- 0600);
++ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
++ O_CREAT | O_RDWR | O_TRUNC, 0600);
+ if (dbc->db_lf_file < 0) {
+ retval = errno;
+ goto cleanup;
+diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+index 2977b17f3..d5809a5a9 100644
+--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
++++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
+@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
#include <string.h>
#include <unistd.h>
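Review bot: In create_ofile() (dump.c) and write_primary_file() (cc_dir.c) the added krb5int_pop_fscreatecon() call sits between mkstemp() and the check of fd, so errno from a failed mkstemp() can be overwritten before the error path reads it. The labeled fopen/creat wrappers in selinux.c save and restore errno around the pop, but these open-coded push/pop pairs do not. The same ordering appears in the kdb5_ldap_services.c hunk further down, where `com_err(me, errno, ...)` runs right after the pop and a umask() call. Either capture it at each site, e.g. `fd = mkstemp(*tmpname); saved_errno = errno;` and then `errno = saved_errno;` after the pop, or have krb5int_pop_fscreatecon() preserve errno itself. The error labels of both functions are outside the hunk, so whether they report errno is inferred.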
@@ -379,19 +490,20 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/pl
#include "db-int.h"
#include "btree.h"
-@@ -201,7 +202,7 @@
+@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
goto einval;
}
-
+
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
-diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c
---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2006-06-14 22:35:44.000000000 -0400
-+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2008-03-06 18:29:17.000000000 -0500
-@@ -51,6 +51,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
+index 76f5d4709..1fa8b8389 100644
+--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
++++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
#include <assert.h>
#endif
@@ -399,7 +511,7 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugin
#include "db-int.h"
#include "hash.h"
#include "page.h"
-@@ -140,7 +141,7 @@
+@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
new_table = 1;
}
if (file) {
@@ -408,10 +520,11 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugin
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
-diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c
---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 1998-01-21 11:33:31.000000000 -0500
-+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2008-03-06 18:27:01.000000000 -0500
-@@ -51,6 +51,7 @@
+diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+index d8b26e701..b0daa7c02 100644
+--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
++++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
+@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
#include <stdio.h>
#include <unistd.h>
@@ -419,62 +532,109 @@ diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/p
#include "db-int.h"
#include "recno.h"
-@@ -68,7 +69,7 @@
- int rfd, sverrno;
+@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
+ int rfd = -1, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
-+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
++ if (fname != NULL &&
++ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
- /* Create a btree in memory (backed by disk). */
---- krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:41.000000000 -0400
-+++ krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:45.000000000 -0400
-@@ -326,8 +326,8 @@
- * should be opened read/write so that write locking can work with
- * POSIX systems
- */
-- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
-- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
-+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
-+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
- retval = errno;
- goto err_out;
- }
-diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c
---- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400
-+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500
-@@ -29,6 +29,7 @@
+ if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
+diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+index 022156a5e..3d6994c67 100644
+--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
++++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
+@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+
+ /* set password in the file */
+ old_mode = umask(0177);
+- pfile = fopen(file_name, "a+");
++ pfile = WRITABLEFOPEN(file_name, "a+");
+ if (pfile == NULL) {
+ com_err(me, errno, _("Failed to open file %s: %s"), file_name,
+ strerror (errno));
+@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+ * Delete the existing entry and add the new entry
+ */
+ FILE *newfile;
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ mode_t omask;
+
+@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
+ }
+
+ omask = umask(077);
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(file_name);
++#endif
+ newfile = fopen(tmp_file, "w");
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ umask (omask);
+ if (newfile == NULL) {
+ com_err(me, errno, _("Error creating file %s"), tmp_file);
+diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
+index 056c31a42..b78c3d9e5 100644
+--- a/src/slave/kpropd.c
++++ b/src/slave/kpropd.c
+@@ -464,6 +464,9 @@ doit(int fd)
+ krb5_enctype etype;
+ int database_fd;
+ char host[INET6_ADDRSTRLEN + 1];
++#ifdef USE_SELINUX
++ void *selabel;
++#endif
+
+ signal_wrapper(SIGALRM, alarm_handler);
+ alarm(params.iprop_resync_timeout);
+@@ -520,9 +523,15 @@ doit(int fd)
+ free(name);
+ exit(1);
+ }
++#ifdef USE_SELINUX
++ selabel = krb5int_push_fscreatecon_for(file);
++#endif
+ omask = umask(077);
+ lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
+ (void)umask(omask);
++#ifdef USE_SELINUX
++ krb5int_pop_fscreatecon(selabel);
++#endif
+ retval = krb5_lock_file(kpropd_context, lock_fd,
+ KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
+ if (retval) {
+diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
+index 907c119bb..0f5462aea 100644
+--- a/src/util/profile/prof_file.c
++++ b/src/util/profile/prof_file.c
+@@ -33,6 +33,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
- /* This is the head of the global list of shared trees */
-@@ -419,7 +420,7 @@
-
- errno = 0;
-
-- f = fopen(new_file, "w");
-+ f = WRITABLEFOPEN(new_file, "w");
- if (!f) {
- retval = errno;
- if (retval == 0)
-diff -ur krb5-1.6.3/src/util/support/libkrb5support.exports krb5-1.6.3/src/util/support/libkrb5support.exports
---- krb5-1.6.3/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400
-+++ krb5-1.6.3/src/util/support/libkrb5support.exports 2008-03-06 17:33:30.000000000 -0500
-@@ -32,3 +32,6 @@
- krb5int_clear_error
- krb5int_set_error_info_callout_fn
- krb5int_gmt_mktime
-+krb5int_labeled_open
-+krb5int_labeled_fopen
-+krb5int_labeled_creat
-diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Makefile.in
---- krb5-1.6.3/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400
-+++ krb5-1.6.3/src/util/support/Makefile.in 2008-03-06 17:33:30.000000000 -0500
-@@ -27,6 +27,7 @@
+ /* This is the head of the global list of shared trees */
+@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
+
+ errno = 0;
+
+- f = fopen(new_file, "w");
++ f = WRITABLEFOPEN(new_file, "w");
+ if (!f) {
+ retval = errno;
+ if (retval == 0)
+diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
+index 6239e4176..17bcd2a67 100644
+--- a/src/util/support/Makefile.in
++++ b/src/util/support/Makefile.in
+@@ -69,6 +69,7 @@ IPC_SYMS= \
STLIBOBJS= \
threads.o \
@@ -482,67 +642,23 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
init-addrinfo.o \
plugins.o \
errors.o \
-@@ -55,7 +56,7 @@
- $(srcdir)/fake-addrinfo.c
+@@ -148,7 +149,7 @@ SRCS=\
+
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
- SHLIB_DIRS=
- SHLIB_RDIRS=$(KRB5_LIBDIR)
---- krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:37.000000000 -0500
-+++ krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:28.000000000 -0500
-@@ -1083,7 +1083,7 @@
+ DEPLIBS=
- /* Create a temporary file which contains all the entries except the
- entry for the given service dn */
-- pfile = fopen(file_name, "r+");
-+ pfile = WRITABLEFOPEN(file_name, "r+");
- if (pfile == NULL) {
- com_err(me, errno, "while deleting entry from file %s", file_name);
- goto cleanup;
-@@ -1764,7 +1764,7 @@
-
- /* TODO: file lock for the service password file */
- /* set password in the file */
-- pfile = fopen(file_name, "r+");
-+ pfile = WRITABLEFOPEN(file_name, "r+");
- if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s", file_name);
- goto cleanup;
-@@ -1806,7 +1806,7 @@
- sprintf(tmp_file,"%s.%s",file_name,"tmp");
-
- omask = umask(077);
-- newfile = fopen(tmp_file, "w+");
-+ newfile = WRITABLEFOPEN(tmp_file, "w+");
- umask(omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
-@@ -2031,7 +2031,7 @@
-
- /* set password in the file */
- old_mode = umask(0177);
-- pfile = fopen(file_name, "a+");
-+ pfile = WRITABLEFOPEN(file_name, "a+");
- if (pfile == NULL) {
- com_err(me, errno, "Failed to open file %s: %s", file_name,
- strerror (errno));
-@@ -2082,7 +2082,7 @@
- sprintf(tmp_file,"%s.%s",file_name,"tmp");
-
- omask = umask(077);
-- newfile = fopen(tmp_file, "w");
-+ newfile = WRITABLEFOPEN(tmp_file, "w");
- umask (omask);
- if (newfile == NULL) {
- com_err(me, errno, "Error creating file %s", tmp_file);
---- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
-+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
-@@ -0,0 +1,275 @@
+diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
+new file mode 100644
+index 000000000..230263421
+--- /dev/null
++++ b/src/util/support/selinux.c
+@@ -0,0 +1,406 @@
+/*
-+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved.
++ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
@@ -569,7 +685,7 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
-+ *
++ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
@@ -579,9 +695,11 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
-+#include <k5-thread.h>
++#include <k5-platform.h>
++
+#include <sys/types.h>
+#include <sys/stat.h>
++
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
@@ -591,9 +709,26 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
++
+#include <selinux/selinux.h>
++#include <selinux/context.h>
++#include <selinux/label.h>
+
+/* #define DEBUG 1 */
++static void
++debug_log(const char *fmt, ...)
++{
++#ifdef DEBUG
++ va_list ap;
++ va_start(ap, str);
++ if (isatty(fileno(stderr))) {
++ vfprintf(stderr, fmt, ap);
++ }
++ va_end(ap);
++#endif
++
++ return;
++}
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
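Review bot: debug_log() calls `va_start(ap, str);` but its last named parameter is `fmt`, so the file stops compiling as soon as the commented-out `#define DEBUG 1` is enabled; the line should read `va_start(ap, fmt);`. Because the body is compiled out by default, the mistake is easy to miss until someone needs the labeling trace to debug a mislabeled file. Whether `<stdarg.h>` is included for va_list is not visible in this hunk and should be confirmed.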
@@ -603,258 +738,328 @@ diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Mak
+static void
+label_mutex_init(void)
+{
-+ k5_mutex_finish_init(&labeled_mutex);
++ k5_mutex_finish_init(&labeled_mutex);
++}
++
++static struct selabel_handle *selabel_ctx;
++static time_t selabel_last_changed;
++
++MAKE_FINI_FUNCTION(cleanup_fscreatecon);
++
++static void
++cleanup_fscreatecon(void)
++{
++ if (selabel_ctx != NULL) {
++ selabel_close(selabel_ctx);
++ selabel_ctx = NULL;
++ }
+}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
-+ security_context_t previous, next;
-+ const char *fullpath;
-+
-+ previous = NULL;
-+ if (is_selinux_enabled()) {
-+ if (getfscreatecon(&previous) == 0) {
-+ char *genpath;
-+ genpath = NULL;
-+ if (pathname[0] != '/') {
-+ char *wd;
-+ size_t len;
-+ len = 0;
-+ wd = getcwd(NULL, len);
-+ if (wd == NULL) {
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ len = strlen(wd) + 1 + strlen(pathname) + 1;
-+ genpath = malloc(len);
-+ if (genpath == NULL) {
-+ free(wd);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ sprintf(genpath, "%s/%s", wd, pathname);
-+ free(wd);
-+ fullpath = genpath;
-+ } else {
-+ fullpath = pathname;
-+ }
-+ next = NULL;
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Looking up context for "
-+ "\"%s\"(%05o).\n", fullpath, mode);
-+ }
-+#endif
-+ if (matchpathcon(fullpath, mode, &next) != 0) {
-+ free(genpath);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ free(genpath);
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Setting file creation context "
-+ "to \"%s\".\n", next);
-+ }
-+#endif
-+ if (setfscreatecon(next) != 0) {
-+ freecon(next);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ return NULL;
-+ }
-+ freecon(next);
-+#ifdef DEBUG
-+ } else {
-+ if (isatty(fileno(stderr))) {
-+ fprintf(stderr, "Unable to determine "
-+ "current context.\n");
-+ }
-+#endif
-+ }
-+ }
-+ return previous;
++ security_context_t previous, configuredsc, currentsc, derivedsc;
++ context_t current, derived;
++ const char *fullpath, *currentuser;
++ char *genpath;
++
++ previous = configuredsc = currentsc = derivedsc = NULL;
++ current = derived = NULL;
++ genpath = NULL;
++
++ fullpath = pathname;
++
++ if (!is_selinux_enabled()) {
++ goto fail;
++ }
++
++ if (getfscreatecon(&previous) != 0) {
++ goto fail;
++ }
++
++ /* Canonicalize pathname */
++ if (pathname[0] != '/') {
++ char *wd;
++ size_t len;
++ len = 0;
++
++ wd = getcwd(NULL, len);
++ if (wd == NULL) {
++ goto fail;
++ }
++
++ len = strlen(wd) + 1 + strlen(pathname) + 1;
++ genpath = malloc(len);
++ if (genpath == NULL) {
++ free(wd);
++ goto fail;
++ }
++
++ sprintf(genpath, "%s/%s", wd, pathname);
++ free(wd);
++ fullpath = genpath;
++ }
++
++ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
++
++ /* Check whether context file has changed under us */
++ if (selabel_ctx != NULL || selabel_last_changed == 0) {
++ const char *cpath;
++ struct stat st;
++ int i = -1;
++
++ cpath = selinux_file_context_path();
++ if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
++ st.st_mtime != selabel_last_changed) {
++ cleanup_fscreatecon();
++
++ selabel_last_changed = i ? time(NULL) : st.st_mtime;
++ }
++ }
++
++ if (selabel_ctx == NULL) {
++ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ }
++
++ if (selabel_ctx != NULL &&
++ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
++ goto fail;
++ }
++
++ if (genpath != NULL) {
++ free(genpath);
++ genpath = NULL;
++ }
++
++ if (configuredsc == NULL) {
++ goto fail;
++ }
++
++ getcon(¤tsc);
++
++ /* AAAAAAAA */
++ if (currentsc != NULL) {
++ derived = context_new(configuredsc);
++
++ if (derived != NULL) {
++ current = context_new(currentsc);
++
++ if (current != NULL) {
++ currentuser = context_user_get(current);
++
++ if (currentuser != NULL) {
++ if (context_user_set(derived,
++ currentuser) == 0) {
++ derivedsc = context_str(derived);
++
++ if (derivedsc != NULL) {
++ freecon(configuredsc);
++ configuredsc = strdup(derivedsc);
++ }
++ }
++ }
++
++ context_free(current);
++ }
++
++ context_free(derived);
++ }
++
++ freecon(currentsc);
++ }
++
++ debug_log("Setting file creation context to \"%s\".\n", configuredsc);
++ if (setfscreatecon(configuredsc) != 0) {
++ debug_log("Unable to determine current context.\n");
++ goto fail;
++ }
++
++ freecon(configuredsc);
++ return previous;
++
++fail:
++ if (previous != NULL) {
++ freecon(previous);
++ }
++ if (genpath != NULL) {
++ free(genpath);
++ }
++ if (configuredsc != NULL) {
++ freecon(configuredsc);
++ }
++
++ cleanup_fscreatecon();
++ return NULL;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
-+ if (is_selinux_enabled()) {
-+#ifdef DEBUG
-+ if (isatty(fileno(stderr))) {
-+ if (previous != NULL) {
-+ fprintf(stderr, "Resetting file creation "
-+ "context to \"%s\".\n", previous);
-+ } else {
-+ fprintf(stderr, "Resetting file creation "
-+ "context to default.\n");
-+ }
-+ }
-+#endif
-+ setfscreatecon(previous);
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ }
++ if (!is_selinux_enabled()) {
++ return;
++ }
++
++ if (previous != NULL) {
++ debug_log("Resetting file creation context to \"%s\".\n", previous);
++ } else {
++ debug_log("Resetting file creation context to default.\n");
++ }
++
++ /* NULL resets to default */
++ setfscreatecon(previous);
++
++ if (previous != NULL) {
++ freecon(previous);
++ }
++
++ /* Need to clean this up here otherwise it leaks */
++ cleanup_fscreatecon();
++}
++
++void *
++krb5int_push_fscreatecon_for(const char *pathname)
++{
++ struct stat st;
++ void *retval;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++
++ if (stat(pathname, &st) != 0) {
++ st.st_mode = S_IRUSR | S_IWUSR;
++ }
++
++ retval = push_fscreatecon(pathname, st.st_mode);
++ return retval ? retval : (void *) -1;
++}
++
++void
++krb5int_pop_fscreatecon(void *con)
++{
++ if (con != NULL) {
++ pop_fscreatecon((con == (void *) -1) ? NULL : con);
++ k5_mutex_unlock(&labeled_mutex);
++ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
-+ FILE *fp;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ if (strcmp(mode, "r") == 0) {
-+ return fopen(path, mode);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+ fp = fopen(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return fp;
++ FILE *fp;
++ int errno_save;
++ security_context_t ctx;
++
++ if ((strcmp(mode, "r") == 0) ||
++ (strcmp(mode, "rb") == 0)) {
++ return fopen(path, mode);
++ }
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fp = fopen(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+ fd = creat(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return fd;
++ int fd;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
++
++ fd = creat(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, mode);
-+ ret = mknod(path, mode, dev);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return ret;
++ int ret;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, mode);
++
++ ret = mknod(path, mode, dev);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, S_IFDIR);
-+ ret = mkdir(path, mode);
-+ errno_save = errno;
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return ret;
++ int ret;
++ int errno_save;
++ security_context_t ctx;
++
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, S_IFDIR);
++
++ ret = mkdir(path, mode);
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+ mode_t mode;
-+ va_list ap;
-+
-+ if ((flags & O_CREAT) == 0) {
-+ return open(path, flags);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ va_start(ap, flags);
-+ mode = va_arg(ap, mode_t);
-+ fd = open(path, flags, mode);
-+ va_end(ap);
-+
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+ return fd;
-+}
++ int fd;
++ int errno_save;
++ security_context_t ctx;
++ mode_t mode;
++ va_list ap;
+
-+#endif
---- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
-+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
-@@ -0,0 +1,27 @@
-+#ifndef _KRB5_LABEL_H
-+#define _KRB5_LABEL_H
++ if ((flags & O_CREAT) == 0) {
++ return open(path, flags);
++ }
+
-+#ifdef THREEPARAMOPEN
-+#undef THREEPARAMOPEN
-+#endif
++ k5_once(&labeled_once, label_mutex_init);
++ k5_mutex_lock(&labeled_mutex);
++ ctx = push_fscreatecon(path, 0);
+
-+/* Wrapper functions which help us create files and directories with the right
-+ * context labels. */
-+#ifdef USE_SELINUX
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <stdio.h>
-+#include <unistd.h>
-+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
-+int krb5int_labeled_creat(const char *path, mode_t mode);
-+int krb5int_labeled_open(const char *path, int flags, ...);
-+int krb5int_labeled_mkdir(const char *path, mode_t mode);
-+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
-+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
-+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
-+#else
-+#define WRITABLEFOPEN(x,y) fopen(x,y)
-+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
-+#endif
-+#endif
---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:41.000000000 -0500
-+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:44.000000000 -0500
-@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
-
- KRB5_RUN_ENV= @KRB5_RUN_ENV@
-
--DB_LIB = -ldb
-+DB_LIB = -ldb $(SUPPORT_DEPLIB)
++ va_start(ap, flags);
++ mode = va_arg(ap, mode_t);
++ fd = open(path, flags, mode);
++ va_end(ap);
+
- DB_DEPLIB = ../libdb$(DEPLIBEXT)
-
- all::
++ errno_save = errno;
++
++ pop_fscreatecon(ctx);
++ k5_mutex_unlock(&labeled_mutex);
++
++ errno = errno_save;
++ return fd;
++}
++
++#endif /* USE_SELINUX */
diff --git a/krb5-send-pr-tempfile.patch b/krb5-send-pr-tempfile.patch
deleted file mode 100644
index 3bfaaaf..0000000
--- a/krb5-send-pr-tempfile.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -ur krb5-1.3.4/src/util/send-pr/send-pr.sh krb5-1.3.4/src/util/send-pr/send-pr.sh
---- krb5-1.3.4/src/util/send-pr/send-pr.sh 1997-03-20 01:13:56.000000000 +0100
-+++ krb5-1.3.4/src/util/send-pr/send-pr.sh 2004-09-20 11:28:56.000000000 +0200
-@@ -96,9 +96,9 @@
- fi
- fi
-
--TEMP=$TMPDIR/p$$
--BAD=$TMPDIR/pbad$$
--REF=$TMPDIR/pf$$
-+TEMP=`mktemp "$TMPDIR"/p.XXXXXX` || exit 1
-+BAD=`mktemp "$TMPDIR"/pbad.XXXXXX` || exit 1
-+REF=`mktemp "$TMPDIR"/pf.XXXXXX` || exit 1
-
- # find a user name
- if [ "$LOGNAME" = "" ]; then
-@@ -122,9 +122,10 @@
- else
- # Must use temp file due to incompatibilities in quoting behavior
- # and to protect shell metacharacters in the expansion of $LOGNAME
-- $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP
-- ORIGINATOR="`cat $TEMP`"
-- rm -f $TEMP
-+ TEMP2=`mktemp "$TMPDIR"/plogname.XXXXXX` || exit 1
-+ $PASSWD | grep "^$LOGNAME:" | awk -F: '{print $5}' | sed -e 's/,.*//' > $TEMP2
-+ ORIGINATOR="`cat $TEMP2`"
-+ rm -f $TEMP2
- fi
-
- if [ -n "$ORGANIZATION" ]; then
-@@ -280,7 +281,7 @@
- # Catch some signals. ($xs kludge needed by Sun /bin/sh)
- xs=0
- trap 'rm -f $REF $TEMP; exit $xs' 0
--trap 'echo "$COMMAND: Aborting ..."; rm -f $REF $TEMP; xs=1; exit' 1 2 3 13 15
-+trap 'echo "$COMMAND: Aborting ..."; rm -f "$REF" "$BAD" "$TEMP"; xs=1; exit' 1 2 3 13 15
-
- # If they told us to use a specific file, then do so.
- if [ -n "$IN_FILE" ]; then
diff --git a/krb5-tests.patch b/krb5-tests.patch
index b7c95c5..50a6d35 100644
--- a/krb5-tests.patch
+++ b/krb5-tests.patch
@@ -1,17 +1,17 @@
---- krb5-1.6/src/tests/resolve/Makefile.in~ 2006-10-14 01:54:24.000000000 +0200
-+++ krb5-1.6/src/tests/resolve/Makefile.in 2007-03-31 13:19:53.138858011 +0200
-@@ -22,9 +22,9 @@
+--- krb5-1.15/src/tests/resolve/Makefile.in.orig 2017-02-16 22:16:20.209242926 +0100
++++ krb5-1.15/src/tests/resolve/Makefile.in 2017-02-16 22:20:24.069240143 +0100
+@@ -17,9 +17,9 @@
$(CC_LINK) -o $@ fake-addrinfo-test.o $(SUPPORT_LIB) $(LIBS)
- check:: resolve addrinfo-test fake-addrinfo-test
-- $(RUN_SETUP) $(VALGRIND) ./resolve
-- $(RUN_SETUP) $(VALGRIND) ./addrinfo-test -p telnet
-- $(RUN_SETUP) $(VALGRIND) ./fake-addrinfo-test -p telnet
-+ if [ "$(OFFLINE)" = no ]; then $(RUN_SETUP) $(VALGRIND) ./resolve ep09.pld-linux.org ; fi
-+ if [ "$(OFFLINE)" = no ]; then $(RUN_SETUP) $(VALGRIND) ./addrinfo-test -p telnet ; fi
-+ if [ "$(OFFLINE)" = no ]; then $(RUN_SETUP) $(VALGRIND) ./fake-addrinfo-test -p telnet ; fi
+ check: resolve addrinfo-test fake-addrinfo-test
+- $(RUN_TEST) ./resolve
+- $(RUN_TEST) ./addrinfo-test -p telnet
+- $(RUN_TEST) ./fake-addrinfo-test -p telnet
++ if [ "$(OFFLINE)" = no ]; then $(RUN_TEST) ./resolve ; fi
++ if [ "$(OFFLINE)" = no ]; then $(RUN_TEST) ./addrinfo-test -p telnet ; fi
++ if [ "$(OFFLINE)" = no ]; then $(RUN_TEST) ./fake-addrinfo-test -p telnet ; fi
- install::
+ install:
--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/run.test~ 2007-11-21 17:52:04.000000000 +0100
+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/run.test 2007-11-21 17:58:16.000000000 +0100
@@ -34,12 +34,12 @@
DICT=`cd $srcdir/../test && pwd`/dictionary
else
echo 'run.test: no dictionary'
---- krb5-1.12.1/src/lib/krb5/krb/Makefile.in.orig 2014-03-13 17:10:07.517099910 +0100
-+++ krb5-1.12.1/src/lib/krb5/krb/Makefile.in 2014-03-13 17:48:55.017002233 +0100
-@@ -481,9 +481,11 @@
- $(RUN_SETUP) $(VALGRIND) ./t_copy_context
+--- krb5-1.15/src/lib/krb5/krb/Makefile.in.orig 2017-02-16 22:21:37.502572637 +0100
++++ krb5-1.15/src/lib/krb5/krb/Makefile.in 2017-02-16 22:22:42.059238568 +0100
+@@ -498,9 +498,11 @@
+ $(RUN_TEST) ./t_sname_match
- check-pytests:: t_expire_warn t_vfy_increds
+ check-pytests: t_expire_warn t_vfy_increds
- $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS)
@@ -49,14 +49,14 @@
+ $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS) ; \
+ fi
- clean::
- $(RM) $(OUTPRE)t_walk_rtree$(EXEEXT) $(OUTPRE)t_walk_rtree.$(OBJEXT) \
---- krb5-1.12.1/src/kdc/Makefile.in.orig 2014-03-13 17:10:07.517099910 +0100
-+++ krb5-1.12.1/src/kdc/Makefile.in 2014-03-13 17:52:29.930326550 +0100
-@@ -69,8 +69,10 @@
- $(RM) test.out
+ check-cmocka: t_parse_host_string
+ $(RUN_TEST) ./t_parse_host_string > /dev/null
+--- krb5-1.15/src/kdc/Makefile.in.orig 2017-02-16 22:23:21.009238123 +0100
++++ krb5-1.15/src/kdc/Makefile.in 2017-02-18 08:23:41.544506963 +0100
+@@ -83,8 +83,10 @@
+ $(RUN_TEST) ./t_replay > /dev/null
- check-pytests::
+ check-pytests:
- $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
@@ -64,137 +64,141 @@
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) ; \
+ fi
- install::
+ install:
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
---- krb5-1.9.1/src/appl/gss-sample/Makefile.in~ 2010-12-03 01:05:44.000000000 +0100
-+++ krb5-1.9.1/src/appl/gss-sample/Makefile.in 2011-08-03 01:03:37.904570242 +0200
-@@ -45,7 +45,9 @@
+--- krb5-1.15/src/appl/gss-sample/Makefile.in.orig 2017-02-18 08:24:33.754506368 +0100
++++ krb5-1.15/src/appl/gss-sample/Makefile.in 2017-02-18 08:35:02.454499191 +0100
+@@ -43,7 +43,9 @@
$(RM) gss-server gss-client
- check-pytests::
+ check-pytests:
- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
+ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS) ; \
+ fi
- install-unix::
+ install-unix:
$(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client
---- krb5-1.12.1/src/tests/gssapi/Makefile.in.orig 2014-03-13 18:30:36.910230571 +0100
-+++ krb5-1.12.1/src/tests/gssapi/Makefile.in 2014-03-13 18:43:46.143530790 +0100
-@@ -32,12 +32,14 @@
- check-pytests:: ccinit ccrefresh t_accname t_ccselect t_credstore t_enctypes \
- t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
- t_inq_mechs_name t_iov t_s4u t_s4u2proxy_krb5 t_spnego
+--- krb5-1.15/src/tests/gssapi/Makefile.in.orig 2017-02-18 08:35:55.481165250 +0100
++++ krb5-1.15/src/tests/gssapi/Makefile.in 2017-02-18 08:37:07.877831093 +0100
+@@ -44,13 +44,15 @@
+ t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \
+ t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \
+ t_spnego t_srcattrs
- $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_authind.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
+ $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_enctypes.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_export_cred.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_s4u.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_authind.py $(PYTESTFLAGS) ; \
+ fi
ccinit: ccinit.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS)
---- krb5-1.9.1/src/tests/mkeystash_compat/Makefile.in~ 2010-12-03 01:05:44.000000000 +0100
-+++ krb5-1.9.1/src/tests/mkeystash_compat/Makefile.in 2011-08-03 12:55:23.507781811 +0200
-@@ -37,14 +37,16 @@
-
- # Verify that the mkey stash code is backward compat with old/non-keytab stashfile format
- mkeystash_check: kdc.conf krb5.conf bigendian
-- $(RM) $(TEST_DB)* stash_file
-- $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) create -s -W
-- # overwrite keytab stash file with old format stash, depends on endianness of current test system
-- ./bigendian && cp $(srcdir)/old_stash_bendian stash_file || cp $(srcdir)/old_stash_lendian stash_file
-- # getprinc will fail if old stash file can not be read
-- $(RUN_SETUP) $(VALGRIND) ../../kadmin/cli/kadmin.local $(KADMIN_OPTS) -q 'getprinc K/M'
-- $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) destroy -f
-- $(RM) $(TEST_DB)* stash_file
-+ if [ "$(OFFLINE)" = no ]; then \
-+ $(RM) $(TEST_DB)* stash_file && \
-+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) create -s -W && \
-+ # overwrite keytab stash file with old format stash, depends on endianness of current test system && \
-+ ./bigendian && cp $(srcdir)/old_stash_bendian stash_file || cp $(srcdir)/old_stash_lendian stash_file && \
-+ # getprinc will fail if old stash file can not be read && \
-+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/cli/kadmin.local $(KADMIN_OPTS) -q 'getprinc K/M' && \
-+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) destroy -f && \
-+ $(RM) $(TEST_DB)* stash_file ; \
-+ fi
-
- clean::
- $(RM) kdc.conf krb5.conf bigendian.$(OBJEXT) bigendian
---- krb5-1.12.1/src/tests/Makefile.in.orig 2014-01-16 01:44:15.000000000 +0100
-+++ krb5-1.12.1/src/tests/Makefile.in 2014-03-13 18:29:22.833567017 +0100
-@@ -61,68 +61,72 @@
+#--- krb5-1.9.1/src/tests/mkeystash_compat/Makefile.in~ 2010-12-03 01:05:44.000000000 +0100
+#+++ krb5-1.9.1/src/tests/mkeystash_compat/Makefile.in 2011-08-03 12:55:23.507781811 +0200
+#@@ -37,14 +37,16 @@
+#
+# # Verify that the mkey stash code is backward compat with old/non-keytab stashfile format
+# mkeystash_check: kdc.conf krb5.conf bigendian
+#- $(RM) $(TEST_DB)* stash_file
+#- $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) create -s -W
+#- # overwrite keytab stash file with old format stash, depends on endianness of current test system
+#- ./bigendian && cp $(srcdir)/old_stash_bendian stash_file || cp $(srcdir)/old_stash_lendian stash_file
+#- # getprinc will fail if old stash file can not be read
+#- $(RUN_SETUP) $(VALGRIND) ../../kadmin/cli/kadmin.local $(KADMIN_OPTS) -q 'getprinc K/M'
+#- $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) destroy -f
+#- $(RM) $(TEST_DB)* stash_file
+#+ if [ "$(OFFLINE)" = no ]; then \
+#+ $(RM) $(TEST_DB)* stash_file && \
+#+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) create -s -W && \
+#+ # overwrite keytab stash file with old format stash, depends on endianness of current test system && \
+#+ ./bigendian && cp $(srcdir)/old_stash_bendian stash_file || cp $(srcdir)/old_stash_lendian stash_file && \
+#+ # getprinc will fail if old stash file can not be read && \
+#+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/cli/kadmin.local $(KADMIN_OPTS) -q 'getprinc K/M' && \
+#+ $(RUN_SETUP) $(VALGRIND) ../../kadmin/dbutil/kdb5_util $(KDB_OPTS) destroy -f && \
+#+ $(RM) $(TEST_DB)* stash_file ; \
+#+ fi
+#
+# clean::
+# $(RM) kdc.conf krb5.conf bigendian.$(OBJEXT) bigendian
+--- krb5-1.15/src/tests/Makefile.in.orig 2017-02-18 08:43:08.467826973 +0100
++++ krb5-1.15/src/tests/Makefile.in 2017-02-18 09:09:28.181142270 +0100
+@@ -89,84 +89,88 @@
mv krb5.new krb5.conf
kdb_check: kdc.conf krb5.conf
- $(RM) $(TEST_DB)*
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
-- $(RUN_SETUP) $(VALGRIND) ../tests/create/kdb5_mkdums $(KTEST_OPTS)
-- $(RUN_SETUP) $(VALGRIND) ../tests/verify/kdb5_verify $(KTEST_OPTS)
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
+- $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS)
+- $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
- @echo "====> NOTE!"
- @echo "The following 'create' command is needed due to a change"
- @echo "in functionality caused by DAL integration. See ticket 3973."
- @echo ====
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
-- $(RUN_SETUP) $(VALGRIND) ../tests/verify/kdb5_verify $(KTEST_OPTS)
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump
+- $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS)
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2
- sort $(TEST_DB).dump > $(TEST_DB).sort
- sort $(TEST_DB).dump2 > $(TEST_DB).sort2
- sort $(TEST_DB).ovdump > $(TEST_DB).ovsort
- sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2
- cmp $(TEST_DB).sort $(TEST_DB).sort2
- cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2
-- $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
+- $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f
- $(RM) $(TEST_DB)* stash_file
+ if [ "$(OFFLINE)" = no ]; then \
+ $(RM) $(TEST_DB)* && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W && \
-+ $(RUN_SETUP) $(VALGRIND) ../tests/create/kdb5_mkdums $(KTEST_OPTS) && \
-+ $(RUN_SETUP) $(VALGRIND) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f && \
-+ @echo "====> NOTE!" ;\
-+ @echo "The following 'create' command is needed due to a change" ;\
-+ @echo "in functionality caused by DAL integration. See ticket 3973." ;\
-+ @echo ==== ;\
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump && \
-+ $(RUN_SETUP) $(VALGRIND) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2 && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W && \
++ $(RUN_DB_TEST) ../tests/create/kdb5_mkdums $(KTEST_OPTS) && \
++ $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f && \
++ @echo "====> NOTE!" ; \
++ @echo "The following 'create' command is needed due to a change" ; \
++ @echo "in functionality caused by DAL integration. See ticket 3973." ; \
++ @echo ==== ; \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load -update -ov $(TEST_DB).ovdump && \
++ $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump2 && \
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump -ov $(TEST_DB).ovdump2 && \
+ sort $(TEST_DB).dump > $(TEST_DB).sort && \
+ sort $(TEST_DB).dump2 > $(TEST_DB).sort2 && \
+ sort $(TEST_DB).ovdump > $(TEST_DB).ovsort && \
+ sort $(TEST_DB).ovdump2 > $(TEST_DB).ovsort2 && \
+ cmp $(TEST_DB).sort $(TEST_DB).sort2 && \
+ cmp $(TEST_DB).ovsort $(TEST_DB).ovsort2 && \
-+ $(RUN_SETUP) $(VALGRIND) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f && \
-+ $(RM) $(TEST_DB)* stash_file ;\
++ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f && \
++ $(RM) $(TEST_DB)* stash_file ; \
+ fi
- check-pytests:: gcred hist hrealm kdbtest plugorder responder
- check-pytests:: t_init_creds t_localauth
+ check-pytests: adata etinfo forward gcred hist hooks hrealm icred kdbtest
+ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter
- $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS)
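Review bot: In the new kdb_check recipe the four `@echo …` lines sit inside a backslash-continued `if` body, where `@` is no longer a make line prefix but part of the command name, so the shell is asked to run a command called `@echo`. They are also joined with `;`, which ends the `&&` chain: a failure in the first create/mkdums/verify/dump/destroy sequence is discarded, and the recipe's exit status reflects only the commands after the notice. Writing them as `echo "====> NOTE!" && \` (and likewise for the other three) keeps the notice and lets any failing step fail the target.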
@@ -213,8 +217,12 @@
- $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_kadmin_parsing.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_keydata.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_mkey.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_rdreq.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_sn2princ.py $(PYTESTFLAGS) $(OFFLINE)
- $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS)
@@ -223,10 +231,12 @@
- $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
+ $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_iprop.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_kprop.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_policy.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS) && \
@@ -245,8 +255,12 @@
+ $(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_kadmin_acl.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_kadmin_parsing.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_kdb.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_keydata.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_mkey.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_rdreq.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_sn2princ.py $(PYTESTFLAGS) $(OFFLINE) && \
+ $(RUNPYTEST) $(srcdir)/t_cve-2012-1014.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_cve-2012-1015.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_cve-2013-1416.py $(PYTESTFLAGS) && \
@@ -255,10 +269,30 @@
+ $(RUNPYTEST) $(srcdir)/t_audit.py $(PYTESTFLAGS) && \
$(RUNPYTEST) $(srcdir)/jsonwalker.py -d $(srcdir)/au_dict.json \
- -i au.log
+- $(RUNPYTEST) $(srcdir)/t_salt.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_etype_info.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_kdc_log.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_unlockiter.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_errmsg.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_authdata.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS)
+ -i au.log && \
-+ $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_salt.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_etype_info.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_bogus_kdc_req.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_kdc_log.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_proxy.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_unlockiter.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_errmsg.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_authdata.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) ; \
+ fi
- clean::
- $(RM) gcred hist hrealm kdbtest plugorder responder
+ clean:
+ $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest
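Review bot: The `if [ "$(OFFLINE)" = no ]; then … fi` wrapper closed in this hunk has no `else`, so when OFFLINE is anything other than `no` the check-pytests recipe exits 0 without running or reporting anything, including the `t_cve-*` regression scripts listed in the same recipe. A build log then cannot distinguish "tests passed" from "tests skipped". Adding `else echo "check-pytests skipped: OFFLINE=$(OFFLINE)" ; \` before the `fi` would make the skip visible, and the same applies to the guarded recipes in the other Makefile.in sections of this patch. Where OFFLINE gets its value is not visible in this diff.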
diff --git a/krb5-trunk-doublelog.patch b/krb5-trunk-doublelog.patch
deleted file mode 100644
index 9cfe79f..0000000
--- a/krb5-trunk-doublelog.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Don't double-log (actually, don't process /etc/krb5.conf twice) just
-because we built with --sysconfdir=/etc. RT#3277
-
---- krb5-1.12.1/src/include/Makefile.in.orig 2014-03-13 19:19:48.720106696 +0100
-+++ krb5-1.12.1/src/include/Makefile.in 2014-03-13 19:28:05.226752528 +0100
-@@ -67,7 +67,9 @@
- -e "s+ at GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
- -e 's+ at LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
- -e 's+ at SYSCONFDIR+$(SYSCONFDIR)+' \
-- -e 's+ at DYNOBJEXT+$(DYNOBJEXT)+'
-+ -e 's+ at DYNOBJEXT+$(DYNOBJEXT)+' \
-+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
-+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
-
- OSCONFSRC = $(srcdir)/osconf.hin
-
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/krb5.git/commitdiff/b7cf85b107309939af30a1e4d0d83f68cde60869