From faf452c2a4bf458193e57e5694cbe09a897e08d7 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Dec 03 2009 23:17:28 +0000
Subject: - selinux: set the user part of creation context to match the current context instead of what we looked up
---
diff --git a/krb5-1.7-selinux-label.patch b/krb5-1.7-selinux-label.patch
index ae44155..cd4e9dd 100644
--- a/krb5-1.7-selinux-label.patch
+++ b/krb5-1.7-selinux-label.patch
@@ -541,7 +541,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
diff -up /dev/null krb5-1.7/src/util/support/selinux.c
--- /dev/null 2009-06-04 10:34:55.169007373 -0400
+++ krb5-1.7/src/util/support/selinux.c 2009-06-04 13:47:20.000000000 -0400
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,340 @@
+/*
+ * Copyright 2007,2008,2009 Red Hat, Inc. All Rights Reserved.
+ *
@@ -593,6 +593,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+#include
+#include
+#include
++#include
+#ifdef HAVE_SELINUX_LABEL_H
+#include
+#endif
@@ -613,8 +614,9 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
-+ security_context_t previous, next;
-+ const char *fullpath;
++ security_context_t previous, configuredsc, currentsc, derivedsc;
++ context_t current, derived;
++ const char *fullpath, *currentuser;
+#ifdef HAVE_SELINUX_LABEL_H
+ struct selabel_handle *ctx;
+#endif
@@ -650,17 +652,17 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ } else {
+ fullpath = pathname;
+ }
-+ next = NULL;
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
++ configuredsc = NULL;
+#ifdef HAVE_SELINUX_LABEL_H
+ ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (ctx != NULL) {
-+ if (selabel_lookup(ctx, &next,
++ if (selabel_lookup(ctx, &configuredsc,
+ fullpath, mode) != 0) {
+ selabel_close(ctx);
+ free(genpath);
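Review bot: In the @@ -613 hunk `derivedsc` is declared as a `security_context_t` (an owned, freecon-able `char *`) although the only value it ever receives, in the later @@ -681 hunk, is the return of `context_str(derived)`, a `const char *` that belongs to the `derived` context object and must not be freed by the caller; declaring it with the other borrowed strings makes that ownership visible and avoids discarding const on assignment. The two declaration lines would become `security_context_t previous, configuredsc, currentsc;` and `const char *fullpath, *currentuser, *derivedsc;`. The body of push_fscreatecon continues past the end of this hunk.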
@@ -672,7 +674,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ selabel_close(ctx);
+ }
+#else
-+ if (matchpathcon(fullpath, mode, &next) != 0) {
++ if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
@@ -681,20 +683,44 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
+ }
+#endif
+ free(genpath);
++ currentsc = NULL;
++ getcon(¤tsc);
++ if (currentsc != NULL) {
++ derived = context_new(configuredsc);
++ if (derived != NULL) {
++ current = context_new(currentsc);
++ if (current != NULL) {
++ currentuser = context_user_get(current);
++ if (currentuser != NULL) {
++ if (context_user_set(derived,
++ currentuser) == 0) {
++ derivedsc = context_str(derived);
++ if (derivedsc != NULL) {
++ freecon(configuredsc);
++ configuredsc = strdup(derivedsc);
++ }
++ }
++ }
++ context_free(current);
++ }
++ context_free(derived);
++ }
++ freecon(currentsc);
++ }
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
-+ "to \"%s\".\n", next);
++ "to \"%s\".\n", configured);
+ }
+#endif
-+ if (setfscreatecon(configuredsc) != 0) {
-+ freecon(next);
++ if (setfscreatecon(configuredsc) != 0) {
++ freecon(configuredsc);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
-+ freecon(next);
++ freecon(configuredsc);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
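Review bot: The DEBUG fprintf in the @@ -681 hunk now passes `configured`, an identifier that is not declared anywhere in push_fscreatecon (the variable is `configuredsc`), so the file no longer compiles when DEBUG is defined; the line should read `"to \"%s\".\n", configuredsc);`. Separately, `configuredsc = strdup(derivedsc);` is unchecked and runs after the lookup result has already been freed: if strdup fails, configuredsc is NULL and the following `setfscreatecon(NULL)` succeeds but resets the creation context to the process default instead of applying the looked-up label, so the new file is silently created with the wrong label; copy into a temporary and only swap on success, e.g. `char *copy = strdup(derivedsc); if (copy != NULL) { freecon(configuredsc); configuredsc = copy; }`. The `getcon(¤tsc);` line looks like an HTML-entity rendering of `getcon(&currentsc);` in this view rather than a defect in the patch. push_fscreatecon both starts and ends outside this hunk.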