From 2af05336edb5a2f86db22ee2937626a219f090f6 Mon Sep 17 00:00:00 2001

From: Robbie Harwood <rharwood@redhat.com>

Date: Tue, 23 Aug 2016 16:30:53 -0400

Subject: [PATCH] krb5-1.13-selinux-label.patch

SELinux bases access to files on the domain of the requesting process,

the operation being performed, and the context applied to the file.

In many cases, applications needn't be SELinux aware to work properly,

because SELinux can apply a default label to a file based on the label

of the directory in which it's created.

In the case of files such as /etc/krb5.keytab, however, this isn't

sufficient, as /etc/krb5.keytab will almost always need to be given a

label which differs from that of /etc/issue or /etc/resolv.conf.  The

the kdb stash file needs a different label than the database for which

it's holding a master key, even though both typically live in the same

directory.

To give the file the correct label, we can either force a "restorecon"

call to fix a file's label after it's created, or create the file with

the right label, as we attempt to do here.  We lean on THREEPARAMOPEN

and define a similar macro named WRITABLEFOPEN with which we replace

several uses of fopen().

The file creation context that we're manipulating here is a process-wide

attribute.  While for the most part, applications which need to label

files when they're created have tended to be single-threaded, there's

not much we can do to avoid interfering with an application that

manipulates the creation context directly.  Right now we're mediating

access using a library-local mutex, but that can only work for consumers

that are part of this package -- an unsuspecting application will still

stomp all over us.

The selabel APIs for looking up the context should be thread-safe (per

Red Hat #273081), so switching to using them instead of matchpathcon(),

which we used earlier, is some improvement.

---

 src/aclocal.m4                                     |  49 +++

 src/build-tools/krb5-config.in                     |   3 +-

 src/config/pre.in                                  |   3 +-

 src/configure.in                                   |   2 +

 src/include/k5-int.h                               |   1 +

 src/include/k5-label.h                             |  32 ++

 src/include/krb5/krb5.hin                          |   6 +

 src/kadmin/dbutil/dump.c                           |  11 +-

 src/kdc/main.c                                     |   2 +-

 src/lib/kadm5/logger.c                             |   4 +-

 src/lib/kdb/kdb_log.c                              |   2 +-

 src/lib/krb5/ccache/cc_dir.c                       |  26 +-

 src/lib/krb5/keytab/kt_file.c                      |   4 +-

 src/lib/krb5/os/trace.c                            |   2 +-

 src/lib/krb5/rcache/rc_dfl.c                       |  13 +

 src/plugins/kdb/db2/adb_openclose.c                |   2 +-

 src/plugins/kdb/db2/kdb_db2.c                      |   4 +-

 src/plugins/kdb/db2/libdb2/btree/bt_open.c         |   3 +-

 src/plugins/kdb/db2/libdb2/hash/hash.c             |   3 +-

 src/plugins/kdb/db2/libdb2/recno/rec_open.c        |   4 +-

 .../kdb/ldap/ldap_util/kdb5_ldap_services.c        |  11 +-

 src/slave/kpropd.c                                 |   9 +

 src/util/gss-kernel-lib/Makefile.in                |   5 +-

 src/util/profile/prof_file.c                       |   3 +-

 src/util/support/Makefile.in                       |   3 +-

 src/util/support/selinux.c                         | 381 +++++++++++++++++++++

 26 files changed, 566 insertions(+), 22 deletions(-)

 create mode 100644 src/include/k5-label.h

 create mode 100644 src/util/support/selinux.c

diff --git a/src/aclocal.m4 b/src/aclocal.m4

index ce045ab..311f099 100644

--- a/src/aclocal.m4

+++ b/src/aclocal.m4

@@ -87,6 +87,7 @@ AC_SUBST_FILE(libnodeps_frag)

 dnl

 KRB5_AC_PRAGMA_WEAK_REF

 WITH_LDAP

+KRB5_WITH_SELINUX

 KRB5_LIB_PARAMS

 KRB5_AC_INITFINI

 KRB5_AC_ENABLE_THREADS

@@ -1739,3 +1740,51 @@ AC_SUBST(PAM_LIBS)

 AC_SUBST(PAM_MAN)

 AC_SUBST(NON_PAM_MAN)

 ])dnl

+dnl

+dnl Use libselinux to set file contexts on newly-created files.

+dnl 

+AC_DEFUN(KRB5_WITH_SELINUX,[

+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],

+           withselinux="$withval",withselinux=auto)

+old_LIBS="$LIBS"

+if test "$withselinux" != no ; then

+       AC_MSG_RESULT([checking for libselinux...])

+       SELINUX_LIBS=

+       AC_CHECK_HEADERS(selinux/selinux.h selinux/label.h)

+       if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then

+               if test "$withselinux" = auto ; then

+                       AC_MSG_RESULT([Unable to locate selinux/selinux.h.])

+                       withselinux=no

+               else

+                       AC_MSG_ERROR([Unable to locate selinux/selinux.h.])

+               fi

+       fi

+

+       LIBS=

+       unset ac_cv_func_setfscreatecon

+       AC_CHECK_FUNCS(setfscreatecon selabel_open)

+       if test "x$ac_cv_func_setfscreatecon" = xno ; then

+               AC_CHECK_LIB(selinux,setfscreatecon)

+               unset ac_cv_func_setfscreatecon

+               AC_CHECK_FUNCS(setfscreatecon selabel_open)

+               if test "x$ac_cv_func_setfscreatecon" = xyes ; then

+                       SELINUX_LIBS="$LIBS"

+               else

+                       if test "$withselinux" = auto ; then

+                               AC_MSG_RESULT([Unable to locate libselinux.])

+                               withselinux=no

+                       else

+                               AC_MSG_ERROR([Unable to locate libselinux.])

+                       fi

+               fi

+       fi

+       if test "$withselinux" != no ; then

+               AC_MSG_NOTICE([building with SELinux labeling support])

+               AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])

+               SELINUX_LIBS="$LIBS"

+		EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_labeled_open krb5int_labeled_fopen krb5int_push_fscreatecon_for krb5int_pop_fscreatecon"

+       fi

+fi

+LIBS="$old_LIBS"

+AC_SUBST(SELINUX_LIBS)

+])dnl

diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in

index f6184da..c17cb5e 100755

--- a/src/build-tools/krb5-config.in

+++ b/src/build-tools/krb5-config.in

@@ -41,6 +41,7 @@ DL_LIB='@DL_LIB@'

 DEFCCNAME='@DEFCCNAME@'

 DEFKTNAME='@DEFKTNAME@'

 DEFCKTNAME='@DEFCKTNAME@'

+SELINUX_LIBS='@SELINUX_LIBS@'

 LIBS='@LIBS@'

 GEN_LIB=@GEN_LIB@

@@ -255,7 +256,7 @@ if test -n "$do_libs"; then

     fi

     # If we ever support a flag to generate output suitable for static

-    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $DL_LIB"

+    # linking, we would output "-lkrb5support $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"

     # here.

     echo $lib_flags

diff --git a/src/config/pre.in b/src/config/pre.in

index b0d9015..63271e7 100644

--- a/src/config/pre.in

+++ b/src/config/pre.in

@@ -174,6 +174,7 @@ LD = $(PURE) @LD@

 KRB_INCLUDES = -I$(BUILDTOP)/include -I$(top_srcdir)/include

 LDFLAGS = @LDFLAGS@

 LIBS = @LIBS@

+SELINUX_LIBS=@SELINUX_LIBS@

 INSTALL=@INSTALL@

 INSTALL_STRIP=

@@ -395,7 +396,7 @@ SUPPORT_LIB			= -l$(SUPPORT_LIBNAME)

 # HESIOD_LIBS is -lhesiod...

 HESIOD_LIBS	= @HESIOD_LIBS@

-KRB5_BASE_LIBS	= $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)

+KRB5_BASE_LIBS	= $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)

 KDB5_LIBS	= $(KDB5_LIB) $(GSSRPC_LIBS)

 GSS_LIBS	= $(GSS_KRB5_LIB)

 # needs fixing if ever used on Mac OS X!

diff --git a/src/configure.in b/src/configure.in

index 8846ca0..9ec8d84 100644

--- a/src/configure.in

+++ b/src/configure.in

@@ -1329,6 +1329,8 @@ AC_PATH_PROG(GROFF, groff)

 KRB5_WITH_PAM

+KRB5_WITH_SELINUX

+

 # Make localedir work in autoconf 2.5x.

 if test "${localedir+set}" != set; then

     localedir='$(datadir)/locale'

diff --git a/src/include/k5-int.h b/src/include/k5-int.h

index 41c3d1b..6b7b2e3 100644

--- a/src/include/k5-int.h

+++ b/src/include/k5-int.h

@@ -129,6 +129,7 @@ typedef unsigned char   u_char;

 #include "k5-platform.h"

+#include "k5-label.h"

 #define KRB5_KDB_MAX_LIFE       (60*60*24) /* one day */

 #define KRB5_KDB_MAX_RLIFE      (60*60*24*7) /* one week */

diff --git a/src/include/k5-label.h b/src/include/k5-label.h

new file mode 100644

index 0000000..dfaaa84

--- /dev/null

+++ b/src/include/k5-label.h

@@ -0,0 +1,32 @@

+#ifndef _KRB5_LABEL_H

+#define _KRB5_LABEL_H

+

+#ifdef THREEPARAMOPEN

+#undef THREEPARAMOPEN

+#endif

+#ifdef WRITABLEFOPEN

+#undef WRITABLEFOPEN

+#endif

+

+/* Wrapper functions which help us create files and directories with the right

+ * context labels. */

+#ifdef USE_SELINUX

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <fcntl.h>

+#include <stdio.h>

+#include <unistd.h>

+FILE *krb5int_labeled_fopen(const char *path, const char *mode);

+int krb5int_labeled_creat(const char *path, mode_t mode);

+int krb5int_labeled_open(const char *path, int flags, ...);

+int krb5int_labeled_mkdir(const char *path, mode_t mode);

+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);

+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)

+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)

+void *krb5int_push_fscreatecon_for(const char *pathname);

+void krb5int_pop_fscreatecon(void *previous);

+#else

+#define WRITABLEFOPEN(x,y) fopen(x,y)

+#define THREEPARAMOPEN(x,y,z) open(x,y,z)

+#endif

+#endif

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin

index e2c08ae..c93a0f2 100644

--- a/src/include/krb5/krb5.hin

+++ b/src/include/krb5/krb5.hin

@@ -87,6 +87,12 @@

 #define THREEPARAMOPEN(x,y,z) open(x,y,z)

 #endif

+#if KRB5_PRIVATE

+#ifndef WRITABLEFOPEN

+#define WRITABLEFOPEN(x,y) fopen(x,y)

+#endif

+#endif

+

 #define KRB5_OLD_CRYPTO

 #include <stdlib.h>

diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c

index 253bf3f..9c8c3dc 100644

--- a/src/kadmin/dbutil/dump.c

+++ b/src/kadmin/dbutil/dump.c

@@ -148,12 +148,21 @@ create_ofile(char *ofile, char **tmpname)

 {

     int fd = -1;

     FILE *f;

+#ifdef USE_SELINUX

+    void *selabel;

+#endif

     *tmpname = NULL;

     if (asprintf(tmpname, "%s-XXXXXX", ofile) < 0)

         goto error;

+#ifdef USE_SELINUX

+    selabel = krb5int_push_fscreatecon_for(ofile);

+#endif

     fd = mkstemp(*tmpname);

+#ifdef USE_SELINUX

+    krb5int_pop_fscreatecon(selabel);

+#endif

     if (fd == -1)

         goto error;

@@ -194,7 +203,7 @@ prep_ok_file(krb5_context context, char *file_name, int *fd)

         return 0;

     }

-    *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);

+    *fd = THREEPARAMOPEN(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600);

     if (*fd == -1) {

         com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok);

         exit_status++;

diff --git a/src/kdc/main.c b/src/kdc/main.c

index 82dfc0e..936f46b 100644

--- a/src/kdc/main.c

+++ b/src/kdc/main.c

@@ -847,7 +847,7 @@ write_pid_file(const char *path)

     FILE *file;

     unsigned long pid;

-    file = fopen(path, "w");

+    file = WRITABLEFOPEN(path, "w");

     if (file == NULL)

         return errno;

     pid = (unsigned long) getpid();

diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c

index 19c4355..64f9641 100644

--- a/src/lib/kadm5/logger.c

+++ b/src/lib/kadm5/logger.c

@@ -423,7 +423,7 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do

                      * Check for append/overwrite, then open the file.

                      */

                     if (cp[4] == ':' || cp[4] == '=') {

-                        f = fopen(&cp[5], (cp[4] == ':') ? "a" : "w");

+                        f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a" : "w");

                         if (f) {

                             set_cloexec_file(f);

                             log_control.log_entries[i].lfu_filep = f;

@@ -959,7 +959,7 @@ krb5_klog_reopen(krb5_context kcontext)

              * In case the old logfile did not get moved out of the

              * way, open for append to prevent squashing the old logs.

              */

-            f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");

+            f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");

             if (f) {

                 set_cloexec_file(f);

                 log_control.log_entries[lindex].lfu_filep = f;

diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c

index 99cda59..523b99a 100644

--- a/src/lib/kdb/kdb_log.c

+++ b/src/lib/kdb/kdb_log.c

@@ -476,7 +476,7 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries)

     int ulogfd = -1;

     if (stat(logname, &st) == -1) {

-        ulogfd = open(logname, O_RDWR | O_CREAT, 0600);

+        ulogfd = THREEPARAMOPEN(logname, O_RDWR | O_CREAT, 0600);

         if (ulogfd == -1)

             return errno;

diff --git a/src/lib/krb5/ccache/cc_dir.c b/src/lib/krb5/ccache/cc_dir.c

index bba64e5..73f0fe6 100644

--- a/src/lib/krb5/ccache/cc_dir.c

+++ b/src/lib/krb5/ccache/cc_dir.c

@@ -183,10 +183,19 @@ write_primary_file(const char *primary_path, const char *contents)

     char *newpath = NULL;

     FILE *fp = NULL;

     int fd = -1, status;

+#ifdef USE_SELINUX

+    void *selabel;

+#endif

     if (asprintf(&newpath, "%s.XXXXXX", primary_path) < 0)

         return ENOMEM;

+#ifdef USE_SELINUX

+    selabel = krb5int_push_fscreatecon_for(primary_path);

+#endif

     fd = mkstemp(newpath);

+#ifdef USE_SELINUX

+    krb5int_pop_fscreatecon(selabel);

+#endif

     if (fd < 0)

         goto cleanup;

 #ifdef HAVE_CHMOD

@@ -221,10 +230,23 @@ static krb5_error_code

 verify_dir(krb5_context context, const char *dirname)

 {

     struct stat st;

+    int status;

+#ifdef USE_SELINUX

+    void *selabel;

+#endif

     if (stat(dirname, &st) < 0) {

-        if (errno == ENOENT && mkdir(dirname, S_IRWXU) == 0)

-            return 0;

+        if (errno == ENOENT) {

+#ifdef USE_SELINUX

+            selabel = krb5int_push_fscreatecon_for(dirname);

+#endif

+            status = mkdir(dirname, S_IRWXU);

+#ifdef USE_SELINUX

+            krb5int_pop_fscreatecon(selabel);

+#endif

+            if (status == 0)

+                return 0;

+        }

         k5_setmsg(context, KRB5_FCC_NOFILE,

                   _("Credential cache directory %s does not exist"),

                   dirname);

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c

index e105a51..ff1fc54 100644

--- a/src/lib/krb5/keytab/kt_file.c

+++ b/src/lib/krb5/keytab/kt_file.c

@@ -1030,7 +1030,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)

     KTCHECKLOCK(id);

     errno = 0;

-    KTFILEP(id) = fopen(KTFILENAME(id),

+    KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),

                         (mode == KRB5_LOCKMODE_EXCLUSIVE) ?

                         fopen_mode_rbplus : fopen_mode_rb);

     if (!KTFILEP(id)) {

@@ -1038,7 +1038,7 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)

             /* try making it first time around */

             k5_create_secure_file(context, KTFILENAME(id));

             errno = 0;

-            KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);

+            KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);

             if (!KTFILEP(id))

                 goto report_errno;

             writevno = 1;

diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c

index 83c8d4d..a192461 100644

--- a/src/lib/krb5/os/trace.c

+++ b/src/lib/krb5/os/trace.c

@@ -397,7 +397,7 @@ krb5_set_trace_filename(krb5_context context, const char *filename)

     fd = malloc(sizeof(*fd));

     if (fd == NULL)

         return ENOMEM;

-    *fd = open(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);

+    *fd = THREEPARAMOPEN(filename, O_WRONLY|O_CREAT|O_APPEND, 0600);

     if (*fd == -1) {

         free(fd);

         return errno;

diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c

index 2fb6aa0..c453189 100644

--- a/src/lib/krb5/rcache/rc_dfl.c

+++ b/src/lib/krb5/rcache/rc_dfl.c

@@ -794,6 +794,9 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)

     krb5_error_code retval = 0;

     krb5_rcache tmp;

     krb5_deltat lifespan = t->lifespan;  /* save original lifespan */

+#ifdef USE_SELINUX

+    void *selabel;

+#endif

     if (! t->recovering) {

         name = t->name;

@@ -815,7 +818,17 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id)

     retval = krb5_rc_resolve(context, tmp, 0);

     if (retval)

         goto cleanup;

+#ifdef USE_SELINUX

+    if (t->d.fn != NULL)

+        selabel = krb5int_push_fscreatecon_for(t->d.fn);

+    else

+        selabel = NULL;

+#endif

     retval = krb5_rc_initialize(context, tmp, lifespan);

+#ifdef USE_SELINUX

+    if (selabel != NULL)

+        krb5int_pop_fscreatecon(selabel);

+#endif

     if (retval)

         goto cleanup;

     for (q = t->a; q; q = q->na) {

diff --git a/src/plugins/kdb/db2/adb_openclose.c b/src/plugins/kdb/db2/adb_openclose.c

index 7db30a3..2b9d019 100644

--- a/src/plugins/kdb/db2/adb_openclose.c

+++ b/src/plugins/kdb/db2/adb_openclose.c

@@ -152,7 +152,7 @@ osa_adb_init_db(osa_adb_db_t *dbp, char *filename, char *lockfilename,

          * needs be open read/write so that write locking can work with

          * POSIX systems

          */

-        if ((lockp->lockinfo.lockfile = fopen(lockfilename, "r+")) == NULL) {

+        if ((lockp->lockinfo.lockfile = WRITABLEFOPEN(lockfilename, "r+")) == NULL) {

             /*

              * maybe someone took away write permission so we could only

              * get shared locks?

diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c

index e97b841..5d1cd61 100644

--- a/src/plugins/kdb/db2/kdb_db2.c

+++ b/src/plugins/kdb/db2/kdb_db2.c

@@ -694,8 +694,8 @@ ctx_create_db(krb5_context context, krb5_db2_context *dbc)

     if (retval)

         return retval;

-    dbc->db_lf_file = open(dbc->db_lf_name, O_CREAT | O_RDWR | O_TRUNC,

-                           0600);

+    dbc->db_lf_file = THREEPARAMOPEN(dbc->db_lf_name,

+                                     O_CREAT | O_RDWR | O_TRUNC, 0600);

     if (dbc->db_lf_file < 0) {

         retval = errno;

         goto cleanup;

diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_open.c b/src/plugins/kdb/db2/libdb2/btree/bt_open.c

index 2977b17..d5809a5 100644

--- a/src/plugins/kdb/db2/libdb2/btree/bt_open.c

+++ b/src/plugins/kdb/db2/libdb2/btree/bt_open.c

@@ -60,6 +60,7 @@ static char sccsid[] = "@(#)bt_open.c	8.11 (Berkeley) 11/2/95";

 #include <string.h>

 #include <unistd.h>

+#include "k5-int.h"

 #include "db-int.h"

 #include "btree.h"

@@ -203,7 +204,7 @@ __bt_open(fname, flags, mode, openinfo, dflags)

 			goto einval;

 		}

-		if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)

+		if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)

 			goto err;

 	} else {

diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c

index 2a5b4f8..7239d03 100644

--- a/src/plugins/kdb/db2/libdb2/hash/hash.c

+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c

@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)hash.c	8.12 (Berkeley) 11/7/95";

 #include <assert.h>

 #endif

+#include "k5-int.h"

 #include "db-int.h"

 #include "hash.h"

 #include "page.h"

@@ -140,7 +141,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags)

 		new_table = 1;

 	}

 	if (file) {

-		if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)

+		if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)

 			RETURN_ERROR(errno, error0);

 		(void)fcntl(hashp->fp, F_SETFD, 1);

 	}

diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_open.c b/src/plugins/kdb/db2/libdb2/recno/rec_open.c

index d8b26e7..b0daa7c 100644

--- a/src/plugins/kdb/db2/libdb2/recno/rec_open.c

+++ b/src/plugins/kdb/db2/libdb2/recno/rec_open.c

@@ -51,6 +51,7 @@ static char sccsid[] = "@(#)rec_open.c	8.12 (Berkeley) 11/18/94";

 #include <stdio.h>

 #include <unistd.h>

+#include "k5-int.h"

 #include "db-int.h"

 #include "recno.h"

@@ -68,7 +69,8 @@ __rec_open(fname, flags, mode, openinfo, dflags)

 	int rfd = -1, sverrno;

 	/* Open the user's file -- if this fails, we're done. */

-	if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)

+	if (fname != NULL &&

+            (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)

 		return (NULL);

 	if (fname != NULL && fcntl(rfd, F_SETFD, 1) == -1) {

diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c

index 64d0f91..5d5c0a6 100644

--- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c

+++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c

@@ -178,7 +178,7 @@ done:

     /* set password in the file */

     old_mode = umask(0177);

-    pfile = fopen(file_name, "a+");

+    pfile = WRITABLEFOPEN(file_name, "a+");

     if (pfile == NULL) {

         com_err(me, errno, _("Failed to open file %s: %s"), file_name,

                 strerror (errno));

@@ -219,6 +219,9 @@ done:

          * Delete the existing entry and add the new entry

          */

         FILE *newfile;

+#ifdef USE_SELINUX

+        void *selabel;

+#endif

         mode_t omask;

@@ -230,7 +233,13 @@ done:

         }

         omask = umask(077);

+#ifdef USE_SELINUX

+        selabel = krb5int_push_fscreatecon_for(file_name);

+#endif

         newfile = fopen(tmp_file, "w");

+#ifdef USE_SELINUX

+        krb5int_pop_fscreatecon(selabel);

+#endif

         umask (omask);

         if (newfile == NULL) {

             com_err(me, errno, _("Error creating file %s"), tmp_file);

diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c

index 1383156..a950924 100644

--- a/src/slave/kpropd.c

+++ b/src/slave/kpropd.c

@@ -464,6 +464,9 @@ doit(int fd)

     krb5_enctype etype;

     int database_fd;

     char host[INET6_ADDRSTRLEN + 1];

+#ifdef USE_SELINUX

+    void *selabel;

+#endif

     signal_wrapper(SIGALRM, alarm_handler);

     alarm(params.iprop_resync_timeout);

@@ -520,9 +523,15 @@ doit(int fd)

         free(name);

         exit(1);

     }

+#ifdef USE_SELINUX

+    selabel = krb5int_push_fscreatecon_for(file);

+#endif

     omask = umask(077);

     lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600);

     (void)umask(omask);

+#ifdef USE_SELINUX

+    krb5int_pop_fscreatecon(selabel);

+#endif

     retval = krb5_lock_file(kpropd_context, lock_fd,

                             KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK);

     if (retval) {

diff --git a/src/util/gss-kernel-lib/Makefile.in b/src/util/gss-kernel-lib/Makefile.in

index f70f3c6..7a2f9cc 100644

--- a/src/util/gss-kernel-lib/Makefile.in

+++ b/src/util/gss-kernel-lib/Makefile.in

@@ -61,6 +61,7 @@ HEADERS= \

 	gssapi_err_generic.h \

 	k5-int.h \

 	k5-int-pkinit.h \

+	k5-label.h \

 	k5-thread.h \

 	k5-platform.h \

 	k5-buf.h \

@@ -162,10 +163,12 @@ gssapi_generic.h: $(GSS_GENERIC)/gssapi_generic.h

 	$(CP) $(GSS_GENERIC)/gssapi_generic.h $@

 gssapi_err_generic.h: $(GSS_GENERIC_BUILD)/gssapi_err_generic.h

 	$(CP) $(GSS_GENERIC_BUILD)/gssapi_err_generic.h $@

-k5-int.h: $(INCLUDE)/k5-int.h

+k5-int.h: $(INCLUDE)/k5-int.h k5-label.h

 	$(CP) $(INCLUDE)/k5-int.h $@

 k5-int-pkinit.h: $(INCLUDE)/k5-int-pkinit.h

 	$(CP) $(INCLUDE)/k5-int-pkinit.h $@

+k5-label.h: $(INCLUDE)/k5-label.h

+	$(CP) $(INCLUDE)/k5-label.h $@

 k5-thread.h: $(INCLUDE)/k5-thread.h

 	$(CP) $(INCLUDE)/k5-thread.h $@

 k5-platform.h: $(INCLUDE)/k5-platform.h

diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c

index 907c119..0f5462a 100644

--- a/src/util/profile/prof_file.c

+++ b/src/util/profile/prof_file.c

@@ -33,6 +33,7 @@

 #endif

 #include "k5-platform.h"

+#include "k5-label.h"

 struct global_shared_profile_data {

     /* This is the head of the global list of shared trees */

@@ -423,7 +424,7 @@ static errcode_t write_data_to_file(prf_data_t data, const char *outfile,

     errno = 0;

-    f = fopen(new_file, "w");

+    f = WRITABLEFOPEN(new_file, "w");

     if (!f) {

         retval = errno;

         if (retval == 0)

diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in

index 5181762..f77acd4 100644

--- a/src/util/support/Makefile.in

+++ b/src/util/support/Makefile.in

@@ -59,6 +59,7 @@ IPC_SYMS= \

 STLIBOBJS= \

 	threads.o \

+	selinux.o \

 	init-addrinfo.o \

 	plugins.o \

 	errors.o \

@@ -131,7 +132,7 @@ SRCS=\

 SHLIB_EXPDEPS =

 # Add -lm if dumping thread stats, for sqrt.

-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)

+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)

 DEPLIBS=

diff --git a/src/util/support/selinux.c b/src/util/support/selinux.c

new file mode 100644

index 0000000..ffba6a9

--- /dev/null

+++ b/src/util/support/selinux.c

@@ -0,0 +1,381 @@

+/*

+ * Copyright 2007,2008,2009,2011,2012,2013 Red Hat, Inc.  All Rights Reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions are met:

+ *

+ *  Redistributions of source code must retain the above copyright notice, this

+ *  list of conditions and the following disclaimer.

+ *

+ *  Redistributions in binary form must reproduce the above copyright notice,

+ *  this list of conditions and the following disclaimer in the documentation

+ *  and/or other materials provided with the distribution.

+ *

+ *  Neither the name of Red Hat, Inc. nor the names of its contributors may be

+ *  used to endorse or promote products derived from this software without

+ *  specific prior written permission.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"

+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE

+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

+ * POSSIBILITY OF SUCH DAMAGE.

+ *