[packages/krb5] Up to 1.22.2
arekm
arekm at pld-linux.org
Sun Mar 29 23:35:37 CEST 2026
commit 555c241a16ff71f6d8c62808b3f6263066562fab
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Sun Mar 29 23:33:01 2026 +0200
Up to 1.22.2
krb5-audit.patch | 57 +--
krb5-keyring-test.patch | 13 +
krb5-manpages.patch | 32 +-
krb5-selinux-label.patch | 1065 ----------------------------------------------
krb5-tests.patch | 150 ++++---
krb5.spec | 112 ++---
6 files changed, 210 insertions(+), 1219 deletions(-)
---
diff --git a/krb5.spec b/krb5.spec
index 2fe9aa1..799a751 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -7,22 +7,21 @@
#
# Conditional build:
%bcond_without doc # documentation [requires TeX]
-%bcond_without audit # audit plugin
+%bcond_without audit # audit plugin (simple, requires libaudit)
%bcond_with hesiod # Hesiod support
%bcond_without ldap # OpenLDAP database backend module
-%bcond_with selinux # SELinux support
%bcond_without system_db # system Berkeley DB (via DB 1.85 API)
%bcond_without tests # don't perform make check
#
Summary: Kerberos V5 System
Summary(pl.UTF-8): System Kerberos V5
Name: krb5
-Version: 1.21.3
+Version: 1.22.2
Release: 0.1
License: MIT
Group: Networking
-Source0: http://web.mit.edu/kerberos/dist/krb5/1.21/%{name}-%{version}.tar.gz
-# Source0-md5: beb34d1dfc72ba0571ce72bed03e06eb
+Source0: https://web.mit.edu/kerberos/dist/krb5/1.22/%{name}-%{version}.tar.gz
+# Source0-md5: 42472b11771d074329e0cc776d2eb5fd
Source2: %{name}kdc.init
Source4: kadm5.acl
Source5: kerberos.logrotate
@@ -35,18 +34,22 @@ Source15: propagation
Source16: kpropd.init
Source17: kadmind.init
Source18: kpropd.acl
-Patch0: %{name}-manpages.patch
-Patch1: %{name}-audit.patch
-Patch2: %{name}-db185.patch
-Patch3: %{name}-as-needed.patch
+# Fedora downstream patches (FIPS, 3DES removal, PAM/ksu, SELinux, PKINIT, etc.)
+Patch0: %{name}-fedora.patch
+# Patch0-md5: 7f9ca340e514cf59e472f6845c9e2786
+# PLD patches
+Patch1: %{name}-manpages.patch
+Patch2: %{name}-audit.patch
+Patch3: %{name}-db185.patch
+Patch4: %{name}-as-needed.patch
# http://lite.mit.edu/
-Patch6: %{name}-ktany.patch
-Patch11: %{name}-brokenrev.patch
-Patch12: %{name}-dns.patch
-Patch13: %{name}-enospc.patch
-Patch23: %{name}-tests.patch
-Patch29: %{name}-selinux-label.patch
-URL: http://web.mit.edu/kerberos/www/
+Patch5: %{name}-ktany.patch
+Patch6: %{name}-brokenrev.patch
+Patch7: %{name}-dns.patch
+Patch8: %{name}-enospc.patch
+Patch9: %{name}-tests.patch
+Patch10: %{name}-keyring-test.patch
+URL: https://web.mit.edu/kerberos/www/
BuildRequires: /bin/csh
%{?with_audit:BuildRequires: audit-libs-devel}
BuildRequires: autoconf >= 2.50
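Review bot: `Patch0: %{name}-fedora.patch` pulls in a bundle that touches FIPS, PKINIT, PAM/ksu and SELinux code, but the file is not in this commit's diffstat, so its contents cannot be reviewed here; it appears to be fetched as a distfile identified only by the `# Patch0-md5:` line. MD5 identifies a file but does not resist deliberate collisions, so it should not be the only thing tying the build to a known-good patch. I would record the provenance next to it, e.g. `# from Fedora dist-git krb5, commit <FEDORA_COMMIT_PLACEHOLDER>`, and ideally commit the patch to the repository like the PLD patches listed below it. The same weakness applies to `# Source0-md5:` in the first hunk, where checking the upstream signature on the tarball would give a stronger guarantee.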
@@ -69,6 +72,7 @@ BuildRequires: lmdb-devel
BuildRequires: ncurses-devel
%{?with_ldap:BuildRequires: openldap-devel >= 2.4.6}
BuildRequires: openssl-devel >= 1.0.0
+BuildRequires: pam-devel
BuildRequires: perl-base
BuildRequires: pkgconfig
BuildRequires: rpmbuild(macros) >= 1.268
@@ -87,7 +91,7 @@ BuildRequires: python >= 1:2.5
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define _localstatedir /var/lib/kerberos
-# doesn't handle %{__cc} with spaces properly
+# doesn't handle %%{__cc} with spaces properly
%undefine with_ccache
# mungles cflags
%undefine configure_cache
@@ -156,6 +160,7 @@ Summary(pl.UTF-8): Oprogramowanie klienckie dla stacji roboczej kerberosa
Group: Networking
Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
+Requires: pam
Conflicts: heimdal
%description client
@@ -387,14 +392,15 @@ Dokumentacja systemu MIT Kerberos V5 w formacie HTML.
%setup -q
%patch -P0 -p1
%patch -P1 -p1
-%{?with_system_db:%patch2 -p1}
-%patch -P3 -p1
+%patch -P2 -p1
+%{?with_system_db:%patch -P3 -p1}
+%patch -P4 -p1
+%patch -P5 -p1
%patch -P6 -p1
-%patch -P11 -p1
-%patch -P12 -p1
-%patch -P13 -p1
-%patch -P23 -p1
-%{?with_selinux:%patch29 -p1}
+%patch -P7 -p1
+%patch -P8 -p1
+%patch -P9 -p1
+%patch -P10 -p1
%build
cd src
@@ -412,12 +418,15 @@ CPPFLAGS="$LFS_CFLAGS -I%{_includedir}/et -I%{_includedir}/ncurses"
--with-crypto-impl=openssl \
%{?with_hesiod:--with-hesiod} \
%{?with_ldap:--with-ldap} \
+ --with-lmdb \
--with-netlib=-lresolv \
- %{?with_selinux:--with-selinux} \
+ --with-pam \
+ --with-selinux \
%{?with_system_db:--with-system-db} \
--with-system-et \
--with-system-ss \
- --with-system-verto
+ --with-system-verto \
+ --with-tls-impl=openssl
%{__make}
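Review bot: `--with-selinux` is now passed unconditionally and the `selinux` bcond is removed, yet the only build dependency this commit adds is `pam-devel`; nothing visible adds a libselinux development package. The configure macro in the deleted krb5-selinux-label.patch aborted when `selinux/selinux.h` was missing and the option was given explicitly. Its replacement in krb5-fedora.patch presumably does the same, so a builder without the headers would fail, or would quietly build without labeling if the new macro is more lenient. Consider adding `BuildRequires: libselinux-devel` (if it is not already listed outside these hunks) or keeping the switch as `%{?with_selinux:--with-selinux}`. Correct labeling of keytabs, stash files and ccache directories now depends entirely on what the Fedora patch implements, which deserves a comment in the spec.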
@@ -466,6 +475,9 @@ echo '.so man1/kadmin.1' > $RPM_BUILD_ROOT%{_mandir}/man8/kadmin.local.8
find $RPM_BUILD_ROOT -type f -name '*.so*' | xargs chmod +x
%{__rm} $RPM_BUILD_ROOT%{_libdir}/krb5/plugins/preauth/test.so
+%{__rm} -r $RPM_BUILD_ROOT%{_datadir}/examples
+# en_US locale not useful, and find_lang doesn't handle it
+%{__rm} $RPM_BUILD_ROOT%{_localedir}/en_US/LC_MESSAGES/mit-krb5.mo
%find_lang mit-krb5
@@ -600,8 +612,8 @@ fi
%defattr(644,root,root,755)
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/kldap.so
%attr(755,root,root) %{_libdir}/libkdb_ldap.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkdb_ldap.so.1
-%attr(755,root,root) %{_libdir}/libkdb_ldap.so
+%ghost %{_libdir}/libkdb_ldap.so.1
+%{_libdir}/libkdb_ldap.so
%attr(755,root,root) %{_sbindir}/kdb5_ldap_util
%{_mandir}/man8/kdb5_ldap_util.8*
@@ -629,6 +641,8 @@ fi
%attr(755,root,root) %{_libdir}/krb5/plugins/preauth/otp.so
%attr(755,root,root) %{_libdir}/krb5/plugins/preauth/pkinit.so
%attr(755,root,root) %{_libdir}/krb5/plugins/preauth/spake.so
+%dir %{_libdir}/krb5/plugins/kdcpolicy
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdcpolicy/xrealmauthz.so
%dir %{_libdir}/krb5/plugins/tls
%attr(755,root,root) %{_libdir}/krb5/plugins/tls/k5tls.so
%{_mandir}/man5/kdc.conf.5*
@@ -638,7 +652,7 @@ fi
%defattr(644,root,root,755)
%attr(754,root,root) /etc/rc.d/init.d/kadmind
%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %{_localstatedir}/krb5kdc/kadm5.acl
-%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %{_localstatedir}/krb5kdc/kadm5.dict
+%config(noreplace) %verify(not md5 mtime size) %{_localstatedir}/krb5kdc/kadm5.dict
%attr(755,root,root) %{_sbindir}/kadmind
%{_mandir}/man5/kadm5.acl.5*
%{_mandir}/man8/kadmind.8*
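Review bot: Dropping `%attr(600,root,root)` from `kadm5.dict` makes it fall back to the `%defattr(644,root,root,755)` above, so the file becomes world-readable while `kadm5.acl` next to it stays 600. The other `%attr` removals in this commit appear to be on library symlinks, where the mode is meaningless, but this one is a regular config file under the KDC state directory. The change therefore looks unintended, and the commit message does not mention it. If the relaxation is not deliberate, keep the line as `%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) %{_localstatedir}/krb5kdc/kadm5.dict`; if it is, a short comment saying why would help.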
@@ -690,38 +704,38 @@ fi
%defattr(644,root,root,755)
%doc NOTICE README
%attr(755,root,root) %{_libdir}/libgssapi_krb5.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libgssapi_krb5.so.2
+%ghost %{_libdir}/libgssapi_krb5.so.2
%attr(755,root,root) %{_libdir}/libgssrpc.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libgssrpc.so.4
+%ghost %{_libdir}/libgssrpc.so.4
%attr(755,root,root) %{_libdir}/libk5crypto.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libk5crypto.so.3
+%ghost %{_libdir}/libk5crypto.so.3
%attr(755,root,root) %{_libdir}/libkadm5clnt_mit.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkadm5clnt_mit.so.12
+%ghost %{_libdir}/libkadm5clnt_mit.so.12
%attr(755,root,root) %{_libdir}/libkadm5srv_mit.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkadm5srv_mit.so.12
+%ghost %{_libdir}/libkadm5srv_mit.so.12
%attr(755,root,root) %{_libdir}/libkdb5.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkdb5.so.10
+%ghost %{_libdir}/libkdb5.so.10
%attr(755,root,root) %{_libdir}/libkrad.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkrad.so.0
+%ghost %{_libdir}/libkrad.so.0
%attr(755,root,root) %{_libdir}/libkrb5.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkrb5.so.3
+%ghost %{_libdir}/libkrb5.so.3
%attr(755,root,root) %{_libdir}/libkrb5support.so.*.*
-%attr(755,root,root) %ghost %{_libdir}/libkrb5support.so.0
+%ghost %{_libdir}/libkrb5support.so.0
%files devel
%defattr(644,root,root,755)
%attr(755,root,root) %{_bindir}/krb5-config
-%attr(755,root,root) %{_libdir}/libgssapi_krb5.so
-%attr(755,root,root) %{_libdir}/libgssrpc.so
-%attr(755,root,root) %{_libdir}/libk5crypto.so
-%attr(755,root,root) %{_libdir}/libkadm5clnt_mit.so
-%attr(755,root,root) %{_libdir}/libkadm5clnt.so
-%attr(755,root,root) %{_libdir}/libkadm5srv_mit.so
-%attr(755,root,root) %{_libdir}/libkadm5srv.so
-%attr(755,root,root) %{_libdir}/libkdb5.so
-%attr(755,root,root) %{_libdir}/libkrad.so
-%attr(755,root,root) %{_libdir}/libkrb5.so
-%attr(755,root,root) %{_libdir}/libkrb5support.so
+%{_libdir}/libgssapi_krb5.so
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt_mit.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv_mit.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrad.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
%{_includedir}/gssapi
%{_includedir}/gssrpc
%{_includedir}/kadm5
diff --git a/krb5-audit.patch b/krb5-audit.patch
index 4b3a483..72872f0 100644
--- a/krb5-audit.patch
+++ b/krb5-audit.patch
@@ -1,25 +1,7 @@
---- krb5-1.15/src/plugins/audit/simple/Makefile.in.orig 2017-02-18 20:40:33.750668806 +0100
-+++ krb5-1.15/src/plugins/audit/simple/Makefile.in 2017-02-18 20:40:37.277335431 +0100
-@@ -1,5 +1,6 @@
- mydir=plugins$(S)audit$(S)simple
- BUILDTOP=$(REL)..$(S)..$(S)..
-+MODULE_INSTALL_DIR = $(KRB5_AUDIT_MODULE_DIR)
-
- LIBBASE=k5audit
- LIBMAJOR=1
-@@ -8,7 +8,7 @@
-
- #Depends on libkrb5 and libkrb5support.
- SHLIB_EXPDEPS= $(KRB5_BASE_DEPLIBS)
--SHLIB_EXPLIBS= $(KRB5_BASE_LIBS)
-+SHLIB_EXPLIBS= $(KRB5_BASE_LIBS) $(AUDIT_IMPL_LIBS)
-
- STOBJLISTS= OBJS.ST ../OBJS.ST
- STLIBOBJS= au_simple_main.o
---- krb5-1.18.5/src/config/pre.in.orig 2022-03-11 07:34:10.000000000 +0100
-+++ krb5-1.18.5/src/config/pre.in 2024-02-09 17:12:29.044891572 +0100
-@@ -220,6 +220,8 @@ KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preau
- KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata
+--- a/src/config/pre.in
++++ b/src/config/pre.in
+@@ -223,6 +223,8 @@
+ KRB5_KP_MODULE_DIR = $(MODULE_DIR)/kdcpolicy
KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5
KRB5_TLS_MODULE_DIR = $(MODULE_DIR)/tls
+# TODO: check subdir name
@@ -27,7 +9,7 @@
KRB5_LOCALEDIR = @localedir@
GSS_MODULE_DIR = @libdir@/gss
KRB5_INCSUBDIRS = \
-@@ -447,6 +449,8 @@ TLS_IMPL_LIBS = @TLS_IMPL_LIBS@
+@@ -415,6 +417,8 @@
# SPAKE preauth back-end libraries
SPAKE_OPENSSL_LIBS = @SPAKE_OPENSSL_LIBS@
@@ -35,15 +17,34 @@
+
# Whether we have the SASL header file for the LDAP KDB module
HAVE_SASL = @HAVE_SASL@
-
---- krb5-1.18.5/src/Makefile.in.orig 2024-02-09 17:09:02.332678095 +0100
-+++ krb5-1.18.5/src/Makefile.in 2024-02-09 17:13:51.677777244 +0100
-@@ -70,7 +70,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROO
+
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -73,7 +73,7 @@
$(KRB5_LIBDIR) $(KRB5_INCDIR) \
$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \
- $(KRB5_AD_MODULE_DIR) \
+ $(KRB5_AD_MODULE_DIR) $(KRB5_KP_MODULE_DIR) \
- $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \
+ $(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) $(KRB5_AUDIT_MODULE_DIR) \
$(localstatedir) $(localstatedir)/krb5kdc \
$(runstatedir) $(runstatedir)/krb5kdc \
$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
+--- a/src/plugins/audit/simple/Makefile.in
++++ b/src/plugins/audit/simple/Makefile.in
+@@ -1,5 +1,6 @@
+ mydir=plugins$(S)audit$(S)simple
+ BUILDTOP=$(REL)..$(S)..$(S)..
++MODULE_INSTALL_DIR = $(KRB5_AUDIT_MODULE_DIR)
+
+ LIBBASE=k5audit
+ LIBMAJOR=1
+@@ -10,7 +11,7 @@
+
+ #Depends on libkrb5 and libkrb5support.
+ SHLIB_EXPDEPS= $(KRB5_BASE_DEPLIBS)
+-SHLIB_EXPLIBS= $(KRB5_BASE_LIBS)
++SHLIB_EXPLIBS= $(KRB5_BASE_LIBS) $(AUDIT_IMPL_LIBS)
+
+ STOBJLISTS= OBJS.ST ../OBJS.ST
+ STLIBOBJS= au_simple_main.o
+
diff --git a/krb5-keyring-test.patch b/krb5-keyring-test.patch
new file mode 100644
index 0000000..f8ae667
--- /dev/null
+++ b/krb5-keyring-test.patch
@@ -0,0 +1,13 @@
+--- a/src/lib/krb5/ccache/t_cc.c
++++ b/src/lib/krb5/ccache/t_cc.c
+@@ -644,10 +644,7 @@ main(void)
+ do_test(context, "");
+
+- if (check_registered(context, "KEYRING:process:"))
+- do_test(context, "KEYRING:process:");
+- else
+- printf("Skipping KEYRING: test - unregistered type\n");
++ printf("Skipping KEYRING: test - unreliable in build environments\n");
+
+ do_test(context, "MEMORY:");
+ do_test(context, "FILE:");
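Review bot: The KEYRING credential-cache test is now skipped on every build, including hosts where the kernel keyring works, so `make check` no longer exercises that ccache type at all and a regression in it would ship unnoticed. I would keep the `check_registered()` branch and make the skip conditional, for example `if (getenv("SKIP_KEYRING_TEST") == NULL && check_registered(context, "KEYRING:process:"))` (the variable name is only illustrative), and set it from the spec's test section. At minimum the patch should carry a header comment saying which build environment fails and how. main() continues outside the hunk, and if `check_registered` has no other caller this patch may leave it unused.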
diff --git a/krb5-manpages.patch b/krb5-manpages.patch
index 0d1cd4e..9aa6861 100644
--- a/krb5-manpages.patch
+++ b/krb5-manpages.patch
@@ -1,31 +1,31 @@
---- krb5-1.12.1/src/man/sserver.man.orig 2014-01-16 01:44:15.000000000 +0100
-+++ krb5-1.12.1/src/man/sserver.man 2014-03-13 16:34:04.903857332 +0100
-@@ -59,7 +59,7 @@
+--- krb5-1.22.2/src/man/sserver.man.orig 2024-09-18 21:42:21.000000000 +0200
++++ krb5-1.22.2/src/man/sserver.man 2024-09-18 21:42:21.000000000 +0200
+@@ -58,7 +58,7 @@
+ .INDENT 3.5
.sp
- .nf
- .ft C
+ .EX
-sample stream tcp nowait root /usr/local/sbin/sserver sserver
+sample stream tcp nowait root /usr/sbin/sserver sserver
- .ft P
- .fi
+ .EE
.UNINDENT
---- krb5-1.18.5/src/man/kpropd.man.orig 2022-03-11 07:34:10.000000000 +0100
-+++ krb5-1.18.5/src/man/kpropd.man 2024-02-09 17:07:52.703055311 +0100
-@@ -67,7 +67,7 @@ the \fB/etc/inetd.conf\fP file which loo
+ .UNINDENT
+--- krb5-1.22.2/src/man/kpropd.man.orig 2024-09-18 21:42:21.000000000 +0200
++++ krb5-1.22.2/src/man/kpropd.man 2024-09-18 21:42:21.000000000 +0200
+@@ -67,7 +67,7 @@
+ .INDENT 3.5
.sp
- .nf
- .ft C
+ .EX
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root /usr/sbin/kpropd kpropd
- .ft P
- .fi
+ .EE
+ .UNINDENT
.UNINDENT
-@@ -152,7 +152,7 @@ kpropd uses the following environment va
+@@ -149,7 +149,7 @@
.TP
.B kpropd.acl
Access file for kpropd; the default location is
-\fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line
+\fB/var/lib/kerberos/krb5kdc/kpropd.acl\fP\&. Each entry is a line
containing the principal of a host from which the local machine
- will allow Kerberos database propagation via kprop(8)\&.
+ will allow Kerberos database propagation via \fI\%kprop\fP\&.
.UNINDENT
diff --git a/krb5-selinux-label.patch b/krb5-selinux-label.patch
deleted file mode 100644
index 03e7770..0000000
--- a/krb5-selinux-label.patch
+++ /dev/null
@@ -1,1065 +0,0 @@
-From a2e0aed3d390ded3a7724fa223a3dc1102ec6221 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood <rharwood at redhat.com>
-Date: Tue, 23 Aug 2016 16:30:53 -0400
-Subject: [PATCH] krb5-1.15-beta1-selinux-label.patch
-
-SELinux bases access to files on the domain of the requesting process,
-the operation being performed, and the context applied to the file.
-
-In many cases, applications needn't be SELinux aware to work properly,
-because SELinux can apply a default label to a file based on the label
-of the directory in which it's created.
-
-In the case of files such as /etc/krb5.keytab, however, this isn't
-sufficient, as /etc/krb5.keytab will almost always need to be given a
-label which differs from that of /etc/issue or /etc/resolv.conf. The
-the kdb stash file needs a different label than the database for which
-it's holding a master key, even though both typically live in the same
-directory.
-
-To give the file the correct label, we can either force a "restorecon"
-call to fix a file's label after it's created, or create the file with
-the right label, as we attempt to do here. We lean on THREEPARAMOPEN
-and define a similar macro named WRITABLEFOPEN with which we replace
-several uses of fopen().
-
-The file creation context that we're manipulating here is a process-wide
-attribute. While for the most part, applications which need to label
-files when they're created have tended to be single-threaded, there's
-not much we can do to avoid interfering with an application that
-manipulates the creation context directly. Right now we're mediating
-access using a library-local mutex, but that can only work for consumers
-that are part of this package -- an unsuspecting application will still
-stomp all over us.
-
-The selabel APIs for looking up the context should be thread-safe (per
-Red Hat #273081), so switching to using them instead of matchpathcon(),
-which we used earlier, is some improvement.
----
- src/aclocal.m4 | 49 +++
- src/build-tools/krb5-config.in | 3 +-
- src/config/pre.in | 3 +-
- src/configure.in | 2 +
- src/include/k5-int.h | 1 +
- src/include/k5-label.h | 32 ++
- src/include/krb5/krb5.hin | 6 +
- src/kadmin/dbutil/dump.c | 11 +-
- src/kdc/main.c | 2 +-
- src/lib/kadm5/logger.c | 4 +-
- src/lib/kdb/kdb_log.c | 2 +-
- src/lib/krb5/ccache/cc_dir.c | 26 +-
- src/lib/krb5/keytab/kt_file.c | 4 +-
- src/lib/krb5/os/trace.c | 2 +-
- src/lib/krb5/rcache/rc_dfl.c | 13 +
- src/plugins/kdb/db2/adb_openclose.c | 2 +-
- src/plugins/kdb/db2/kdb_db2.c | 4 +-
- src/plugins/kdb/db2/libdb2/btree/bt_open.c | 3 +-
- src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +-
- src/plugins/kdb/db2/libdb2/recno/rec_open.c | 4 +-
- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 11 +-
- src/slave/kpropd.c | 9 +
- src/util/profile/prof_file.c | 3 +-
- src/util/support/Makefile.in | 3 +-
- src/util/support/selinux.c | 406 +++++++++++++++++++++
- 25 files changed, 587 insertions(+), 21 deletions(-)
- create mode 100644 src/include/k5-label.h
- create mode 100644 src/util/support/selinux.c
-
-diff --git a/src/aclocal.m4 b/src/aclocal.m4
-index 508e5fe90..607859f17 100644
---- a/src/aclocal.m4
-+++ b/src/aclocal.m4
-@@ -89,6 +89,7 @@ AC_SUBST_FILE(libnodeps_frag)
- dnl
- KRB5_AC_PRAGMA_WEAK_REF
- WITH_LDAP
-+KRB5_WITH_SELINUX
- KRB5_LIB_PARAMS
- KRB5_AC_INITFINI
- KRB5_AC_ENABLE_THREADS
-@@ -1742,3 +1743,51 @@ AC_SUBST(PAM_LIBS)
- AC_SUBST(PAM_MAN)
- AC_SUBST(NON_PAM_MAN)
- ])dnl
-+dnl
-+dnl Use libselinux to set file contexts on newly-created files.
-+dnl
-+AC_DEFUN(KRB5_WITH_SELINUX,[
-+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
-+ withselinux="$withval",withselinux=auto)
-+old_LIBS="$LIBS"
-+if test "$withselinux" != no ; then
-+ AC_MSG_RESULT([checking for libselinux...])
-+ SELINUX_LIBS=
-+ AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)
-+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
-+ if test "$withselinux" = auto ; then
-+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
-+ withselinux=no
-+ else
-+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
-+ fi
-+ fi
-+
-+ LIBS=
-+ unset ac_cv_func_setfscreatecon
-+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
-+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
-+ AC_CHECK_LIB(selinux,setfscreatecon)
-+ unset ac_cv_func_setfscreatecon
-+ AC_CHECK_FUNCS(setfscreatecon selabel_open)
-+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
-+ SELINUX_LIBS="$LIBS"
-+ else
-+ if test "$withselinux" = auto ; then
-+ AC_MSG_RESULT([Unable to locate libselinux.])
-+ withselinux=no
-+ else
-+ AC_MSG_ERROR([Unable to locate libselinux.])
-+ fi
-+ fi
-+ fi
-+ if test "$withselinux" != no ; then
-+ AC_MSG_NOTICE([building with SELinux labeling support])
-+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
-+ SELINUX_LIBS="$LIBS"
-+ EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"
-+ fi
-+fi
-+LIBS="$old_LIBS"
-+AC_SUBST(SELINUX_LIBS)
-+])dnl
-diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
-index f6184da3f..c17cb5eb5 100755
---- a/src/build-tools/krb5-config.in
-+++ b/src/build-tools/krb5-config.in
-@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'
- DEFCCNAME='@DEFCCNAME@'
- DEFKTNAME='@DEFKTNAME@'
- DEFCKTNAME='@DEFCKTNAME@'
-+SELINUX_LIBS='@SELINUX_LIBS@'
-
- LIBS='@LIBS@'
- GEN_LIB=@GEN_LIB@
-@@ -255,7 +256,7 @@ if test -n "$do_libs"; then
- fi
-
- # If we ever support a flag to generate output suitable for static
-- # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"
-+ # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
- # here.
-
- echo $lib_flags
-diff --git a/src/config/pre.in b/src/config/pre.in
-index e0626320c..fcea229bd 100644
---- a/src/config/pre.in
-+++ b/src/config/pre.in
-@@ -177,6 +177,7 @@ LD = $(PURE) @LD@
- KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include
- LDFLAGS = @LDFLAGS@
- LIBS = @LIBS@
-+SELINUX_LIBS=@SELINUX_LIBS@
-
- INSTALL=@INSTALL@
- INSTALL_STRIP=
-@@ -399,7 +400,7 @@ SUPPORT_LIB = -l$(SUPPORT_LIBNAME)
- # HESIOD_LIBS is -lhesiod...
- HESIOD_LIBS = @HESIOD_LIBS@
-
--KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
-+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
- KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS)
- GSS_LIBS = $(GSS_KRB5_LIB)
- # needs fixing if ever used on Mac OS X!
-diff --git a/src/configure.in b/src/configure.in
-index daabd12c8..acf3a458b 100644
---- a/src/configure.in
-+++ b/src/configure.in
-@@ -1338,6 +1338,8 @@ AC_PATH_PROG(GROFF, groff)
-
- KRB5_WITH_PAM
-
-+KRB5_WITH_SELINUX
-+
- # Make localedir work in autoconf 2.5x.
- if test "${localedir+set}" != set; then
- localedir='$(datadir)/locale'
-diff --git a/src/include/k5-int.h b/src/include/k5-int.h
-index 64991738a..173cb0264 100644
---- a/src/include/k5-int.h
-+++ b/src/include/k5-int.h
-@@ -128,6 +128,7 @@ typedef unsigned char u_char;
-
-
- #include "k5-platform.h"
-+#include "k5-label.h"
-
- #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
- #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
-diff --git a/src/include/k5-label.h b/src/include/k5-label.h
-new file mode 100644
-index 000000000..dfaaa847c
---- /dev/null
-+++ b/src/include/k5-label.h
-@@ -0,0 +1,32 @@
-+#ifndef _KRB5_LABEL_H
-+#define _KRB5_LABEL_H
-+
-+#ifdef THREEPARAMOPEN
-+#undef THREEPARAMOPEN
-+#endif
-+#ifdef WRITABLEFOPEN
-+#undef WRITABLEFOPEN
-+#endif
-+
-+/* Wrapper functions which help us create files and directories with the right
-+ * context labels. */
-+#ifdef USE_SELINUX
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <stdio.h>
-+#include <unistd.h>
-+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
-+int krb5int_labeled_creat(const char *path, mode_t mode);
-+int krb5int_labeled_open(const char *path, int flags, ...);
-+int krb5int_labeled_mkdir(const char *path, mode_t mode);
-+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
-+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
-+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
-+void *krb5int_push_fscreatecon_for(const char *pathname);
-+void krb5int_pop_fscreatecon(void *previous);
-+#else
-+#define WRITABLEFOPEN(x,y) fopen(x,y)
-+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
-+#endif
-+#endif
-diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
-index ac22f4c55..cf60d6c41 100644
---- a/src/include/krb5/krb5.hin
-+++ b/src/include/krb5/krb5.hin
-@@ -87,6 +87,12 @@
- #define THREEPARAMOPEN(x,y,z) open(x,y,z)
- #endif
-
-+#if KRB5_PRIVATE
-+#ifndef WRITABLEFOPEN
-+#define WRITABLEFOPEN(x,y) fopen(x,y)
-+#endif
-+#endif
-+
- #define KRB5_OLD_CRYPTO
-
- #include <stdlib.h>
-diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
-index f7889bd23..cad53cfbf 100644
---- a/src/kadmin/dbutil/dump.c
-+++ b/src/kadmin/dbutil/dump.c
-@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)
- {
- int fd = -1;
- FILE *f;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- *tmpname = NULL;
- if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)
- goto error;
-
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(ofile);
-+#endif
- fd = mkstemp(*tmpname);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- if (fd == -1)
- goto error;
-
-@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)
- return 0;
- }
-
-- *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
-+ *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);
- if (*fd == -1) {
- com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);
- exit_status++;
-diff --git a/src/kdc/main.c b/src/kdc/main.c
-index ebc852bba..a4dffb29a 100644
---- a/src/kdc/main.c
-+++ b/src/kdc/main.c
-@@ -872,7 +872,7 @@ write_pid_file(const char *path)
- FILE *file;
- unsigned long pid;
-
-- file = fopen(path, "w");
-+ file = WRITABLEFOPEN(path, "w");
- if (file == NULL)
- return errno;
- pid = (unsigned long) getpid();
-diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index ce79fabf7..c53a5743f 100644
---- a/src/lib/kadm5/logger.c
-+++ b/src/lib/kadm5/logger.c
-@@ -414,7 +414,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do
- */
- append = (cp[4] == ':') ? O_APPEND : 0;
- if (append || cp[4] == '=') {
-- fd = open(&cp[5], O_CREAT | O_WRONLY | append,
-+ fd = THREEPARAMOPEN(&cp[5], O_CREAT | O_WRONLY | append,
- S_IRUSR | S_IWUSR | S_IRGRP);
- if (fd != -1)
- f = fdopen(fd, append ? "a" : "w");
-@@ -918,7 +918,7 @@ krb5_klog_reopen(krb5_context kcontext)
- * In case the old logfile did not get moved out of the
- * way, open for append to prevent squashing the old logs.
- */
-- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
-+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
- if (f) {
- set_cloexec_file(f);
- log_control.log_entries[lindex].lfu_filep = f;
-diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c
-index 766d3002a..6466417b7 100644
---- a/src/lib/kdb/kdb_log.c
-+++ b/src/lib/kdb/kdb_log.c
-@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)
- int ulogfd = -1;
-
- if (stat(logname, &st) == -1) {
-- ulogfd = open(logname, O_RDWR | O_CREAT, 0600);
-+ ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);
- if (ulogfd == -1)
- return errno;
-
-diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c
-index bba64e516..73f0fe62d 100644
---- a/src/lib/krb5/ccache/cc_dir.c
-+++ b/src/lib/krb5/ccache/cc_dir.c
-@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)
- char *newpath = NULL;
- FILE *fp = NULL;
- int fd = -1, status;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)
- return ENOMEM;
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(primary_path);
-+#endif
- fd = mkstemp(newpath);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- if (fd < 0)
- goto cleanup;
- #ifdef HAVE_CHMOD
-@@ -221,10 +230,23 @@ static krb5_error_code
- verify_dir(krb5_context context, const char *dirname)
- {
- struct stat st;
-+ int status;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (stat(dirname, &st) < 0) {
-- if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)
-- return 0;
-+ if (errno == ENOENT) {
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(dirname);
-+#endif
-+ status = mkdir(dirname, S_IRWXU);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
-+ if (status == 0)
-+ return 0;
-+ }
- k5_setmsg(context, KRB5_FCC_NOFILE,
- _("Credential cache directory %s does not exist"),
- dirname);
-diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
-index 6a42f267d..674d88bab 100644
---- a/src/lib/krb5/keytab/kt_file.c
-+++ b/src/lib/krb5/keytab/kt_file.c
-@@ -1022,14 +1022,14 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
-
- KTCHECKLOCK(id);
- errno = 0;
-- KTFILEP(id) = fopen(KTFILENAME(id),
-+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
- (mode == KRB5_LOCKMODE_EXCLUSIVE) ? "rb+" : "rb");
- if (!KTFILEP(id)) {
- if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
- /* try making it first time around */
- k5_create_secure_file(context, KTFILENAME(id));
- errno = 0;
-- KTFILEP(id) = fopen(KTFILENAME(id), "rb+");
-+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), "rb+");
- if (!KTFILEP(id))
- goto report_errno;
- writevno = 1;
-diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
-index 83c8d4db8..a19246128 100644
---- a/src/lib/krb5/os/trace.c
-+++ b/src/lib/krb5/os/trace.c
-@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)
- fd = malloc(sizeof(*fd));
- if (fd == NULL)
- return ENOMEM;
-- *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
-+ *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);
- if (*fd == -1) {
- free(fd);
- return errno;
-diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
-index c4d2c744d..c0f12ed9d 100644
---- a/src/lib/krb5/rcache/rc_dfl.c
-+++ b/src/lib/krb5/rcache/rc_dfl.c
-@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
- krb5_error_code retval = 0;
- krb5_rcache tmp;
- krb5_deltat lifespan = t->lifespan; /* save original lifespan */
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- if (! t->recovering) {
- name = t->name;
-@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)
- retval = krb5_rc_resolve(context, tmp, 0);
- if (retval)
- goto cleanup;
-+#ifdef USE_SELINUX
-+ if (t->d.fn != NULL)
-+ selabel = krb5int_push_fscreatecon_for(t->d.fn);
-+ else
-+ selabel = NULL;
-+#endif
- retval = krb5_rc_initialize(context, tmp, lifespan);
-+#ifdef USE_SELINUX
-+ if (selabel != NULL)
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- if (retval)
- goto cleanup;
- for (q = t->a; q; q = q->na) {
-diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c
-index 7db30a33b..2b9d01921 100644
---- a/src/plugins/kdb/db2/adb_openclose.c
-+++ b/src/plugins/kdb/db2/adb_openclose.c
-@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,
- * needs be open read/write so that write locking can work with
- * POSIX systems
- */
-- if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {
-+ if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {
- /*
- * maybe someone took away write permission so we could only
- * get shared locks?
-diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c
-index 4c4036eb4..d90bdeaba 100644
---- a/src/plugins/kdb/db2/kdb_db2.c
-+++ b/src/plugins/kdb/db2/kdb_db2.c
-@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)
- if (retval)
- return retval;
-
-- dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,
-- 0600);
-+ dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,
-+ O_CREAT | O_RDWR | O_TRUNC, 0600);
- if (dbc->db_lf_file < 0) {
- retval = errno;
- goto cleanup;
-diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-index 2977b17f3..d5809a5a9 100644
---- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c
-@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c 8.11 (Berkeley) 11/2/95";
- #include <string.h>
- #include <unistd.h>
-
-+#include "k5-int.h"
- #include "db-int.h"
- #include "btree.h"
-
-@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)
- goto einval;
- }
-
-- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
-+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
- goto err;
-
- } else {
-diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
-index 76f5d4709..1fa8b8389 100644
---- a/src/plugins/kdb/db2/libdb2/hash/hash.c
-+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c 8.12 (Berkeley) 11/7/95";
- #include <assert.h>
- #endif
-
-+#include "k5-int.h"
- #include "db-int.h"
- #include "hash.h"
- #include "page.h"
-@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)
- new_table = 1;
- }
- if (file) {
-- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
-+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
- RETURN_ERROR(errno, error0);
- (void)fcntl(hashp->fp, F_SETFD, 1);
- }
-diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-index d8b26e701..b0daa7c02 100644
---- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c
-@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c 8.12 (Berkeley) 11/18/94";
- #include <stdio.h>
- #include <unistd.h>
-
-+#include "k5-int.h"
- #include "db-int.h"
- #include "recno.h"
-
-@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)
- int rfd = -1, sverrno;
-
- /* Open the user's file -- if this fails, we're done. */
-- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
-+ if (fname != NULL &&
-+ (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
- return (NULL);
-
- if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {
-diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-index 022156a5e..3d6994c67 100644
---- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -203,7 +203,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
-
- /* set password in the file */
- old_mode = umask(0177);
-- pfile = fopen(file_name, "a+");
-+ pfile = WRITABLEFOPEN(file_name, "a+");
- if (pfile == NULL) {
- com_err(me, errno, _("Failed to open file %s: %s"), file_name,
- strerror (errno));
-@@ -244,6 +244,9 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
- * Delete the existing entry and add the new entry
- */
- FILE *newfile;
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- mode_t omask;
-
-@@ -255,7 +258,13 @@ kdb5_ldap_stash_service_password(int argc, char **argv)
- }
-
- omask = umask(077);
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(file_name);
-+#endif
- newfile = fopen(tmp_file, "w");
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- umask (omask);
- if (newfile == NULL) {
- com_err(me, errno, _("Error creating file %s"), tmp_file);
-diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
-index 056c31a42..b78c3d9e5 100644
---- a/src/slave/kpropd.c
-+++ b/src/slave/kpropd.c
-@@ -464,6 +464,9 @@ doit(int fd)
- krb5_enctype etype;
- int database_fd;
- char host[INET6_ADDRSTRLEN + 1];
-+#ifdef USE_SELINUX
-+ void *selabel;
-+#endif
-
- signal_wrapper(SIGALRM, alarm_handler);
- alarm(params.iprop_resync_timeout);
-@@ -520,9 +523,15 @@ doit(int fd)
- free(name);
- exit(1);
- }
-+#ifdef USE_SELINUX
-+ selabel = krb5int_push_fscreatecon_for(file);
-+#endif
- omask = umask(077);
- lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);
- (void)umask(omask);
-+#ifdef USE_SELINUX
-+ krb5int_pop_fscreatecon(selabel);
-+#endif
- retval = krb5_lock_file(kpropd_context, lock_fd,
- KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);
- if (retval) {
-diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c
-index 907c119bb..0f5462aea 100644
---- a/src/util/profile/prof_file.c
-+++ b/src/util/profile/prof_file.c
-@@ -33,6 +33,7 @@
- #endif
-
- #include "k5-platform.h"
-+#include "k5-label.h"
-
- struct global_shared_profile_data {
- /* This is the head of the global list of shared trees */
-@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,
-
- errno = 0;
-
-- f = fopen(new_file, "w");
-+ f = WRITABLEFOPEN(new_file, "w");
- if (!f) {
- retval = errno;
- if (retval == 0)
-diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in
-index 6239e4176..17bcd2a67 100644
---- a/src/util/support/Makefile.in
-+++ b/src/util/support/Makefile.in
-@@ -69,6 +69,7 @@ IPC_SYMS= \
-
- STLIBOBJS= \
- threads.o \
-+ selinux.o \
- init-addrinfo.o \
- plugins.o \
- errors.o \
-@@ -148,7 +149,7 @@ SRCS=\
-
- SHLIB_EXPDEPS =
- # Add -lm if dumping thread stats, for sqrt.
--SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
-+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
-
- DEPLIBS=
-
-diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c
-new file mode 100644
-index 000000000..230263421
---- /dev/null
-+++ b/src/util/support/selinux.c
-@@ -0,0 +1,406 @@
-+/*
-+ * Copyright 2007,2008,2009,2011,2012,2013,2016 Red Hat, Inc. All Rights Reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions are met:
-+ *
-+ * Redistributions of source code must retain the above copyright notice, this
-+ * list of conditions and the following disclaimer.
-+ *
-+ * Redistributions in binary form must reproduce the above copyright notice,
-+ * this list of conditions and the following disclaimer in the documentation
-+ * and/or other materials provided with the distribution.
-+ *
-+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
-+ * used to endorse or promote products derived from this software without
-+ * specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-+ * POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ * File-opening wrappers for creating correctly-labeled files. So far, we can
-+ * assume that this is Linux-specific, so we make many simplifying assumptions.
-+ */
-+
-+#include "../../include/autoconf.h"
-+
-+#ifdef USE_SELINUX
-+
-+#include <k5-label.h>
-+#include <k5-platform.h>
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+
-+#include <errno.h>
-+#include <fcntl.h>
-+#include <limits.h>
-+#include <pthread.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <unistd.h>
-+
-+#include <selinux/selinux.h>
-+#include <selinux/context.h>
-+#include <selinux/label.h>
-+
-+/* #define DEBUG 1 */
-+static void
-+debug_log(const char *fmt, ...)
-+{
-+#ifdef DEBUG
-+ va_list ap;
-+ va_start(ap, str);
-+ if (isatty(fileno(stderr))) {
-+ vfprintf(stderr, fmt, ap);
-+ }
-+ va_end(ap);
-+#endif
-+
-+ return;
-+}
-+
-+/* Mutex used to serialize use of the process-global file creation context. */
-+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
-+
-+/* Make sure we finish initializing that mutex before attempting to use it. */
-+k5_once_t labeled_once = K5_ONCE_INIT;
-+static void
-+label_mutex_init(void)
-+{
-+ k5_mutex_finish_init(&labeled_mutex);
-+}
-+
-+static struct selabel_handle *selabel_ctx;
-+static time_t selabel_last_changed;
-+
-+MAKE_FINI_FUNCTION(cleanup_fscreatecon);
-+
-+static void
-+cleanup_fscreatecon(void)
-+{
-+ if (selabel_ctx != NULL) {
-+ selabel_close(selabel_ctx);
-+ selabel_ctx = NULL;
-+ }
-+}
-+
-+static security_context_t
-+push_fscreatecon(const char *pathname, mode_t mode)
-+{
-+ security_context_t previous, configuredsc, currentsc, derivedsc;
-+ context_t current, derived;
-+ const char *fullpath, *currentuser;
-+ char *genpath;
-+
-+ previous = configuredsc = currentsc = derivedsc = NULL;
-+ current = derived = NULL;
-+ genpath = NULL;
-+
-+ fullpath = pathname;
-+
-+ if (!is_selinux_enabled()) {
-+ goto fail;
-+ }
-+
-+ if (getfscreatecon(&previous) != 0) {
-+ goto fail;
-+ }
-+
-+ /* Canonicalize pathname */
-+ if (pathname[0] != '/') {
-+ char *wd;
-+ size_t len;
-+ len = 0;
-+
-+ wd = getcwd(NULL, len);
-+ if (wd == NULL) {
-+ goto fail;
-+ }
-+
-+ len = strlen(wd) + 1 + strlen(pathname) + 1;
-+ genpath = malloc(len);
-+ if (genpath == NULL) {
-+ free(wd);
-+ goto fail;
-+ }
-+
-+ sprintf(genpath, "%s/%s", wd, pathname);
-+ free(wd);
-+ fullpath = genpath;
-+ }
-+
-+ debug_log("Looking up context for \"%s\"(%05o).\n", fullpath, mode);
-+
-+ /* Check whether context file has changed under us */
-+ if (selabel_ctx != NULL || selabel_last_changed == 0) {
-+ const char *cpath;
-+ struct stat st;
-+ int i = -1;
-+
-+ cpath = selinux_file_context_path();
-+ if (cpath == NULL || (i = stat(cpath, &st)) != 0 ||
-+ st.st_mtime != selabel_last_changed) {
-+ cleanup_fscreatecon();
-+
-+ selabel_last_changed = i ? time(NULL) : st.st_mtime;
-+ }
-+ }
-+
-+ if (selabel_ctx == NULL) {
-+ selabel_ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-+ }
-+
-+ if (selabel_ctx != NULL &&
-+ selabel_lookup(selabel_ctx, &configuredsc, fullpath, mode) != 0) {
-+ goto fail;
-+ }
-+
-+ if (genpath != NULL) {
-+ free(genpath);
-+ genpath = NULL;
-+ }
-+
-+ if (configuredsc == NULL) {
-+ goto fail;
-+ }
-+
-+ getcon(¤tsc);
-+
-+ /* AAAAAAAA */
-+ if (currentsc != NULL) {
-+ derived = context_new(configuredsc);
-+
-+ if (derived != NULL) {
-+ current = context_new(currentsc);
-+
-+ if (current != NULL) {
-+ currentuser = context_user_get(current);
-+
-+ if (currentuser != NULL) {
-+ if (context_user_set(derived,
-+ currentuser) == 0) {
-+ derivedsc = context_str(derived);
-+
-+ if (derivedsc != NULL) {
-+ freecon(configuredsc);
-+ configuredsc = strdup(derivedsc);
-+ }
-+ }
-+ }
-+
-+ context_free(current);
-+ }
-+
-+ context_free(derived);
-+ }
-+
-+ freecon(currentsc);
-+ }
-+
-+ debug_log("Setting file creation context to \"%s\".\n", configuredsc);
-+ if (setfscreatecon(configuredsc) != 0) {
-+ debug_log("Unable to determine current context.\n");
-+ goto fail;
-+ }
-+
-+ freecon(configuredsc);
-+ return previous;
-+
-+fail:
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+ if (genpath != NULL) {
-+ free(genpath);
-+ }
-+ if (configuredsc != NULL) {
-+ freecon(configuredsc);
-+ }
-+
-+ cleanup_fscreatecon();
-+ return NULL;
-+}
-+
-+static void
-+pop_fscreatecon(security_context_t previous)
-+{
-+ if (!is_selinux_enabled()) {
-+ return;
-+ }
-+
-+ if (previous != NULL) {
-+ debug_log("Resetting file creation context to \"%s\".\n", previous);
-+ } else {
-+ debug_log("Resetting file creation context to default.\n");
-+ }
-+
-+ /* NULL resets to default */
-+ setfscreatecon(previous);
-+
-+ if (previous != NULL) {
-+ freecon(previous);
-+ }
-+
-+ /* Need to clean this up here otherwise it leaks */
-+ cleanup_fscreatecon();
-+}
-+
-+void *
-+krb5int_push_fscreatecon_for(const char *pathname)
-+{
-+ struct stat st;
-+ void *retval;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+
-+ if (stat(pathname, &st) != 0) {
-+ st.st_mode = S_IRUSR | S_IWUSR;
-+ }
-+
-+ retval = push_fscreatecon(pathname, st.st_mode);
-+ return retval ? retval : (void *) -1;
-+}
-+
-+void
-+krb5int_pop_fscreatecon(void *con)
-+{
-+ if (con != NULL) {
-+ pop_fscreatecon((con == (void *) -1) ? NULL : con);
-+ k5_mutex_unlock(&labeled_mutex);
-+ }
-+}
-+
-+FILE *
-+krb5int_labeled_fopen(const char *path, const char *mode)
-+{
-+ FILE *fp;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ if ((strcmp(mode, "r") == 0) ||
-+ (strcmp(mode, "rb") == 0)) {
-+ return fopen(path, mode);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ fp = fopen(path, mode);
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return fp;
-+}
-+
-+int
-+krb5int_labeled_creat(const char *path, mode_t mode)
-+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ fd = creat(path, mode);
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return fd;
-+}
-+
-+int
-+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
-+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, mode);
-+
-+ ret = mknod(path, mode, dev);
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return ret;
-+}
-+
-+int
-+krb5int_labeled_mkdir(const char *path, mode_t mode)
-+{
-+ int ret;
-+ int errno_save;
-+ security_context_t ctx;
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, S_IFDIR);
-+
-+ ret = mkdir(path, mode);
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return ret;
-+}
-+
-+int
-+krb5int_labeled_open(const char *path, int flags, ...)
-+{
-+ int fd;
-+ int errno_save;
-+ security_context_t ctx;
-+ mode_t mode;
-+ va_list ap;
-+
-+ if ((flags & O_CREAT) == 0) {
-+ return open(path, flags);
-+ }
-+
-+ k5_once(&labeled_once, label_mutex_init);
-+ k5_mutex_lock(&labeled_mutex);
-+ ctx = push_fscreatecon(path, 0);
-+
-+ va_start(ap, flags);
-+ mode = va_arg(ap, mode_t);
-+ fd = open(path, flags, mode);
-+ va_end(ap);
-+
-+ errno_save = errno;
-+
-+ pop_fscreatecon(ctx);
-+ k5_mutex_unlock(&labeled_mutex);
-+
-+ errno = errno_save;
-+ return fd;
-+}
-+
-+#endif /* USE_SELINUX */
diff --git a/krb5-tests.patch b/krb5-tests.patch
index 8e6f9d4..1533795 100644
--- a/krb5-tests.patch
+++ b/krb5-tests.patch
@@ -1,76 +1,97 @@
---- krb5-1.18.5/src/plugins/kdb/db2/libdb2/test/run.test.orig 2024-02-09 17:15:55.150441669 +0100
-+++ krb5-1.18.5/src/plugins/kdb/db2/libdb2/test/run.test 2024-02-09 18:29:53.379731052 +0100
-@@ -15,17 +15,7 @@ main()
- TMP3=${TMPDIR-.}/t3
- BINFILES=${TMPDIR-.}/binfiles
-
-- if [ \! -z "$WORDLIST" -a -f "$WORDLIST" ]; then
-- DICT=$WORDLIST
-- elif [ -f /usr/local/lib/dict/words ]; then
-- DICT=/usr/local/lib/dict/words
-- elif [ -f /usr/share/dict/words ]; then
-- DICT=/usr/share/dict/words
-- elif [ -f /usr/dict/words ]; then
-- DICT=/usr/dict/words
-- elif [ -f /usr/share/lib/dict/words ]; then
-- DICT=/usr/share/lib/dict/words
-- elif [ -f $srcdir/../test/dictionary ]; then
-+ if [ -f $srcdir/../test/dictionary ]; then
- DICT=`cd $srcdir/../test && pwd`/dictionary
- else
- echo 'run.test: no dictionary'
---- krb5-1.18/src/lib/krb5/krb/Makefile.in.orig 2020-02-28 17:33:18.936117176 +0100
-+++ krb5-1.18/src/lib/krb5/krb/Makefile.in 2020-02-28 18:30:32.414183097 +0100
-@@ -513,10 +513,12 @@
- $(RUN_TEST) ./t_valid_times
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/appl/gss-sample/Makefile.in krb5-1.22.2/src/appl/gss-sample/Makefile.in
+--- krb5-1.22.2.orig/src/appl/gss-sample/Makefile.in 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/appl/gss-sample/Makefile.in 2026-03-29 22:54:58.299741822 +0200
+@@ -43,7 +43,9 @@
+ $(RM) gss-server gss-client
- check-pytests: t_expire_warn t_get_etype_info t_vfy_increds
-- $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
-- $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS)
-- $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS)
-- $(RUNPYTEST) $(srcdir)/t_get_etype_info.py $(PYTESTFLAGS)
+ check-pytests:
+- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
-+ $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_get_etype_info.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS) ; \
+ fi
- check-cmocka: t_parse_host_string
- $(RUN_TEST) ./t_parse_host_string > /dev/null
---- krb5-1.18/src/kdc/Makefile.in.orig 2020-02-28 17:33:18.936117176 +0100
-+++ krb5-1.18/src/kdc/Makefile.in 2020-02-28 18:31:26.797221812 +0100
-@@ -83,9 +83,11 @@
+ install-unix:
+ $(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/kdc/Makefile.in krb5-1.22.2/src/kdc/Makefile.in
+--- krb5-1.22.2.orig/src/kdc/Makefile.in 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/kdc/Makefile.in 2026-03-29 22:54:58.299896058 +0200
+@@ -86,10 +86,12 @@
$(RUN_TEST) ./t_replay > /dev/null
- check-pytests:
+ check-pytests: t_sockact
- $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_sockact.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
+ $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_sockact.py $(PYTESTFLAGS) ; \
+ fi
install:
$(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
---- krb5-1.15/src/appl/gss-sample/Makefile.in.orig 2017-02-18 08:24:33.754506368 +0100
-+++ krb5-1.15/src/appl/gss-sample/Makefile.in 2017-02-18 08:35:02.454499191 +0100
-@@ -43,7 +43,9 @@
- $(RM) gss-server gss-client
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/lib/krb5/ccache/Makefile.in krb5-1.22.2/src/lib/krb5/ccache/Makefile.in
+--- krb5-1.22.2.orig/src/lib/krb5/ccache/Makefile.in 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/lib/krb5/ccache/Makefile.in 2026-03-29 22:54:58.300032993 +0200
+@@ -149,7 +149,9 @@
+ $(RUN_TEST) ./t_marshal testcache
- check-pytests:
-- $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS)
+ check-pytests: t_cccursor t_cccol
+- $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS)
+ if [ "$(OFFLINE)" = no ]; then \
-+ $(RUNPYTEST) $(srcdir)/t_gss_sample.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_cccol.py $(PYTESTFLAGS) ; \
+ fi
- install-unix:
- $(INSTALL_PROGRAM) gss-client $(DESTDIR)$(CLIENT_BINDIR)/gss-client
---- krb5-1.20.2/src/tests/gssapi/Makefile.in.orig 2024-02-10 08:09:57.599835601 +0100
-+++ krb5-1.20.2/src/tests/gssapi/Makefile.in 2024-02-10 08:13:56.875206002 +0100
-@@ -50,17 +50,19 @@ check-pytests: ccinit ccrefresh t_accnam
+ clean-unix::
+ $(RM) t_cc t_cc.o t_cccursor t_cccursor.o t_cccol t_cccol.o
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/lib/krb5/krb/Makefile.in krb5-1.22.2/src/lib/krb5/krb/Makefile.in
+--- krb5-1.22.2.orig/src/lib/krb5/krb/Makefile.in 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/lib/krb5/krb/Makefile.in 2026-03-29 22:54:58.300166095 +0200
+@@ -513,10 +513,12 @@
+ $(RUN_TEST) ./t_valid_times
+
+ check-pytests: t_expire_warn t_get_etype_info t_vfy_increds
+- $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_get_etype_info.py $(PYTESTFLAGS)
++ if [ "$(OFFLINE)" = no ]; then \
++ $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_get_etype_info.py $(PYTESTFLAGS) ; \
++ fi
+
+ check-cmocka: t_parse_host_string
+ $(RUN_TEST) ./t_parse_host_string > /dev/null
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/plugins/kdb/db2/libdb2/test/run.test krb5-1.22.2/src/plugins/kdb/db2/libdb2/test/run.test
+--- krb5-1.22.2.orig/src/plugins/kdb/db2/libdb2/test/run.test 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/plugins/kdb/db2/libdb2/test/run.test 2026-03-29 22:54:58.300355135 +0200
+@@ -15,17 +15,7 @@
+ TMP3=${TMPDIR-.}/t3
+ BINFILES=${TMPDIR-.}/binfiles
+
+- if [ \! -z "$WORDLIST" -a -f "$WORDLIST" ]; then
+- DICT=$WORDLIST
+- elif [ -f /usr/local/lib/dict/words ]; then
+- DICT=/usr/local/lib/dict/words
+- elif [ -f /usr/share/dict/words ]; then
+- DICT=/usr/share/dict/words
+- elif [ -f /usr/dict/words ]; then
+- DICT=/usr/dict/words
+- elif [ -f /usr/share/lib/dict/words ]; then
+- DICT=/usr/share/lib/dict/words
+- elif [ -f $srcdir/../test/dictionary ]; then
++ if [ -f $srcdir/../test/dictionary ]; then
+ DICT=`cd $srcdir/../test && pwd`/dictionary
+ else
+ echo 'run.test: no dictionary'
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/tests/gssapi/Makefile.in krb5-1.22.2/src/tests/gssapi/Makefile.in
+--- krb5-1.22.2.orig/src/tests/gssapi/Makefile.in 2026-01-30 00:18:10.000000000 +0100
++++ krb5-1.22.2/src/tests/gssapi/Makefile.in 2026-03-29 22:54:58.300517091 +0200
+@@ -51,17 +51,19 @@
t_export_name t_imp_cred t_inq_cred t_inq_ctx t_inq_mechs_name t_iov \
t_lifetime t_pcontok t_s4u t_s4u2proxy_krb5 t_spnego t_srcattrs \
t_store_cred
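Review bot: Each `check-pytests` recipe rewritten in this hunk (gss-sample, kdc, lib/krb5/ccache, lib/krb5/krb) runs its scripts only inside `if [ "$(OFFLINE)" = no ]; then … fi`, so any other value of OFFLINE, including an empty one, makes the target exit 0 without running or reporting anything. For a package whose Python tests exercise authentication behaviour, a passing `make check` that skipped them is easy to misread in a build log. An explicit branch before `fi`, such as `else echo "check-pytests: skipped, OFFLINE=$(OFFLINE)" ; \`, would make the skip visible. The src/tests chain extended in the `@@ -270,7 +295,10 @@` hunk (`t_replay.py`, `t_sendto_kdc.py`, `t_alias.py`, `t_xrealmauthz.py`) ends in the same `fi` and appears to use the same guard, though its opening `if` is outside the visible lines. Where OFFLINE gets its value is not shown here, so the default the PLD build actually sees should be confirmed.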
@@ -101,9 +122,10 @@
ccinit: ccinit.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o ccinit ccinit.o $(KRB5_BASE_LIBS)
---- krb5-1.20.2/src/tests/Makefile.in.orig 2024-02-10 08:09:57.603168916 +0100
-+++ krb5-1.20.2/src/tests/Makefile.in 2024-02-10 08:18:52.493604500 +0100
-@@ -108,89 +108,93 @@ krb5.conf: Makefile
+diff -ruN '--exclude=*.orig' '--exclude=*.rej' '--exclude=*.fedora' krb5-1.22.2.orig/src/tests/Makefile.in krb5-1.22.2/src/tests/Makefile.in
+--- krb5-1.22.2.orig/src/tests/Makefile.in 2026-03-29 22:54:58.103715678 +0200
++++ krb5-1.22.2/src/tests/Makefile.in 2026-03-29 22:55:14.196366305 +0200
+@@ -108,92 +108,96 @@
mv krb5.new krb5.conf
kdb_check: kdc.conf krb5.conf
@@ -133,10 +155,10 @@
+ $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
+ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) dump $(TEST_DB).dump && \
+ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f && \
-+ @echo "====> NOTE!" ; \
-+ @echo "The following 'create' command is needed due to a change" ; \
-+ @echo "in functionality caused by DAL integration. See ticket 3973." ; \
-+ @echo ==== ; \
++ echo "====> NOTE!" && \
++ echo "The following 'create' command is needed due to a change" && \
++ echo "in functionality caused by DAL integration. See ticket 3973." && \
++ echo ==== && \
+ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) create -W && \
+ $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) load $(TEST_DB).dump && \
+ $(RUN_DB_TEST) ../tests/verify/kdb5_verify $(KTEST_OPTS) && \
@@ -253,6 +275,9 @@
- $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_kdcoptions.py $(PYTESTFLAGS)
- $(RUNPYTEST) $(srcdir)/t_replay.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_sendto_kdc.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_alias.py $(PYTESTFLAGS)
+- $(RUNPYTEST) $(srcdir)/t_xrealmauthz.py $(PYTESTFLAGS)
+ -i au.log && \
+ $(RUNPYTEST) $(srcdir)/t_salt.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_etype_info.py $(PYTESTFLAGS) && \
@@ -270,7 +295,10 @@
+ $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS) && \
+ $(RUNPYTEST) $(srcdir)/t_kdcoptions.py $(PYTESTFLAGS) && \
-+ $(RUNPYTEST) $(srcdir)/t_replay.py $(PYTESTFLAGS) ; \
++ $(RUNPYTEST) $(srcdir)/t_replay.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_sendto_kdc.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_alias.py $(PYTESTFLAGS) && \
++ $(RUNPYTEST) $(srcdir)/t_xrealmauthz.py $(PYTESTFLAGS) ; \
+ fi
clean:
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/krb5.git/commitdiff/555c241a16ff71f6d8c62808b3f6263066562fab