Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package adcli for openSUSE:Factory checked in at 2026-03-11 20:49:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/adcli (Old) and /work/SRC/openSUSE:Factory/.adcli.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "adcli" Wed Mar 11 20:49:37 2026 rev:8 rq:1337893 version:0.9.3.1 Changes: --------
--- /work/SRC/openSUSE:Factory/adcli/adcli.changes 2026-02-24 15:38:39.462561294 +0100
+++ /work/SRC/openSUSE:Factory/.adcli.new.8177/adcli.changes 2026-03-11 20:49:45.636248342 +0100
@@ -1,0 +2,10 @@
+Tue Feb 24 12:25:23 UTC 2026 - Samuel Cabrero <[email protected]>
+
+- Split selinux policy to its own package
+- Fix issues if default keytab is used, strip 'FILE:' prefix before
+ calling libselinux functions; Add patch
+ 0001-enroll-fix-issues-if-default-keytab-is-used.patch
+- Fix build with glibc 2.43; (bsc#1258705); Add patch
+ 0002-Fix-build-with-glibc-2.43.patch
+
+-------------------------------------------------------------------
New: ---- 0001-enroll-fix-issues-if-default-keytab-is-used.patch 0002-Fix-build-with-glibc-2.43.patch ----------(New B)---------- New: calling libselinux functions; Add patch 0001-enroll-fix-issues-if-default-keytab-is-used.patch - Fix build with glibc 2.43; (bsc#1258705); Add patch New:- Fix build with glibc 2.43; (bsc#1258705); Add patch 0002-Fix-build-with-glibc-2.43.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ adcli.spec ++++++
--- /var/tmp/diff_new_pack.RO5FXN/_old 2026-03-11 20:49:46.432280615 +0100
+++ /var/tmp/diff_new_pack.RO5FXN/_new 2026-03-11 20:49:46.432280615 +0100
@@ -16,6 +16,14 @@
 #
+%global selinuxtype targeted
+%global modulename adcli
+%if 0%{?suse_version} >= 1600
+%bcond_without selinux
+%else
+%bcond_with selinux
+%endif
+
 %define filehash 5a1c55410c0965835b81fbd28d820d46
 %define sighash b680d6103309863ce62e9acae98fd5bf
 Name: adcli
@@ -29,14 +37,19 @@
 Source1: https://gitlab.freedesktop.org/-/project/1196/uploads/%{sighash}/%{name}-%{version}.tar.gz.sig
 # https://keys.openpgp.org/vks/v1/by-fingerprint/287939DF062AD8C53876A535C2D7B98A934EEC17
 Source3: %{name}.keyring
+Patch1: 0001-enroll-fix-issues-if-default-keytab-is-used.patch
+Patch2: 0002-Fix-build-with-glibc-2.43.patch
 BuildRequires: automake
 BuildRequires: libxslt-tools
 BuildRequires: openldap2-devel
 BuildRequires: pkgconfig
-BuildRequires: selinux-policy-devel
 BuildRequires: xmlto
 BuildRequires: pkgconfig(libsasl2)
+%if %{with selinux}
+BuildRequires: selinux-policy-devel
 BuildRequires: pkgconfig(libselinux)
+BuildRequires: pkgconfig(systemd)
+%endif
 BuildRequires: pkgconfig(mit-krb5)
 BuildRequires: pkgconfig(netapi)
@@ -44,6 +57,19 @@
 A command line tool that can perform actions in an Active Directory domain.
 Among other things it can be used to join a computer to a domain.
+%if %{with selinux}
+%package selinux
+Summary: SELinux module for adcli
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+%{selinux_requires}
+
+%description selinux
+This package provides the SELinux policy module to ensure adcli
+runs properly under an environment with SELinux enabled.
+%endif
+
 %package doc
 Summary: Documentation for adcli
 Group: Documentation/Other
@@ -60,6 +86,9 @@
 %build
 %configure \
+%if %{without selinux}
+ --disable-selinux-support \
+%endif
 --disable-static \
 --disable-silent-rules \
 --enable-strict
@@ -73,13 +102,34 @@
 %check
 %make_build check
+%if %{with selinux}
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+%endif
+
 %files
 %license COPYING
 %doc AUTHORS ChangeLog NEWS README
 %{_sbindir}/%{name}
 %{_mandir}/man8/adcli.8%{?ext_man}
+
+%if %{with selinux}
+%files selinux
 %dir %{_datadir}/selinux/packages/targeted
-%{_datadir}/selinux/packages/targeted/adcli.pp
+%{_datadir}/selinux/packages/targeted/%{modulename}.pp
+%ghost %verify(not md5 size mtime) %{_selinux_store_path}/%{selinuxtype}/active/modules/200/%{modulename}
+%endif
 %files doc
 %license COPYING
++++++ 0001-enroll-fix-issues-if-default-keytab-is-used.patch ++++++
>From 9c31bb06590f2d96a2d6d8ce87dc3273c283a671 Mon Sep 17 00:00:00 2001
From: Sumit Bose <[email protected]>
Date: Fri, 19 Dec 2025 14:48:13 +0100
Subject: [PATCH] enroll: fix issues if default keytab is used
librkb5 returns the default keytab with a 'FILE:' prefix which must be removed before calling libselinux functions to operate on the keytab file.
Resolves: https://issues.redhat.com/browse/RHEL-78631
---
 library/adenroll.c | 32 ++++++++++++++++++++------------
 library/adenroll.h | 3 +--
 tools/computer.c | 6 +++---
 3 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 20ad198..9484cbf 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
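Review bot: The new `%files selinux` entry `%{_datadir}/selinux/packages/targeted/%{modulename}.pp` still spells the policy type literally, while `%post selinux` in the same hunk installs from `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp`. The two paths agree only as long as `selinuxtype` stays `targeted`; if the global is ever changed, the scriptlet would point at a file the package does not ship. Using `%{selinuxtype}` in both `%files` lines (the unchanged `%dir` line and the `.pp` line) keeps them in step.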
@@ -2116,30 +2116,38 @@ ensure_host_keytab (adcli_result res,
 return ADCLI_SUCCESS;
 }
-adcli_result
-ensure_host_keytab_selinux_context (adcli_result res,
- adcli_enroll *enroll)
+void
+restore_host_keytab_selinux_context (adcli_enroll *enroll)
 {
 #ifdef BUILD_SELINUX_POLICY
 int ret;
-
- if (res != ADCLI_SUCCESS)
- return res;
+ krb5_context k5;
+ const char *name_start;
 if (enroll->keytab_name == NULL) {
 _adcli_info ("No keytab name available, skipping SELinux restorecon.");
- return ADCLI_SUCCESS;
+ return;
+ }
+
+ name_start = enroll->keytab_name;
+ if (strncmp (name_start, "FILE:", 5) == 0) {
+ name_start = enroll->keytab_name + 5;
 }
- ret = selinux_restorecon (adcli_enroll_get_keytab_name (enroll), 0);
+ if (enroll->keytab != NULL) {
+ k5 = adcli_conn_get_krb5_context (enroll->conn);
+ krb5_kt_close (k5, enroll->keytab);
+ enroll->keytab = NULL;
+ }
+
+ ret = selinux_restorecon (name_start, 0);
 if (ret != 0) {
- _adcli_err ("Failed to set SELinux context for %s with error %d: %s",
- enroll->keytab_name, ret, strerror (ret));
- return ADCLI_ERR_FAIL;
+ _adcli_err ("Failed to set SELinux context for %s with error %d: %s, ignored",
+ name_start, ret, strerror (errno));
 }
 #endif
- return ADCLI_SUCCESS;
+ return;
 }
diff --git a/library/adenroll.h b/library/adenroll.h
index 79eb7a8..5aba81b 100644
--- a/library/adenroll.h
+++ b/library/adenroll.h
@@ -192,6 +192,5 @@ void adcli_enroll_set_samba_data_tool (adcli_enroll *enroll,
 const char * adcli_enroll_get_samba_data_tool (adcli_enroll *enroll);
-adcli_result ensure_host_keytab_selinux_context (adcli_result res,
- adcli_enroll *enroll);
+void restore_host_keytab_selinux_context (adcli_enroll *enroll);
 #endif /* ADENROLL_H_ */
diff --git a/tools/computer.c b/tools/computer.c
index ee027dc..f056366 100644
--- a/tools/computer.c
+++ b/tools/computer.c
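Review bot: Only the `FILE:` prefix is stripped before `selinux_restorecon (name_start, 0)` in `restore_host_keytab_selinux_context`, so a keytab name carrying another krb5 type prefix (for example `WRFILE:` or `MEMORY:`) would still be handed to libselinux as if it were a path and end in the "ignored" error message. Whether such names can reach `enroll->keytab_name` is not visible from this hunk; if they can, stripping `WRFILE:` as well and returning early with an `_adcli_info` message for types that are not backed by a file would keep the keytab labelling predictable. A one-line comment above the `strncmp`, such as `/* libkrb5 reports the default keytab as "FILE:<path>"; libselinux needs the bare path */`, would also help, since the reason is currently given only in the commit message.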
@@ -520,7 +520,7 @@ adcli_tool_computer_join (adcli_conn *conn,
 else if (show_password)
 dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
 adcli_enroll_unref (enroll);
@@ -655,7 +655,7 @@ adcli_tool_computer_update (adcli_conn *conn,
 else if (show_password)
 dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
 adcli_enroll_unref (enroll);
@@ -1275,7 +1275,7 @@ adcli_tool_computer_managed_service_account (adcli_conn *conn,
 else if (show_password)
 dump_password (conn, enroll);
- ensure_host_keytab_selinux_context (ADCLI_SUCCESS, enroll);
+ restore_host_keytab_selinux_context (enroll);
 adcli_enroll_unref (enroll);
-- 2.53.0
++++++ 0002-Fix-build-with-glibc-2.43.patch ++++++
>From ab07617e887d572e168300248ca14afa7ae92460 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <[email protected]>
Date: Tue, 24 Feb 2026 10:56:51 +0100
Subject: [PATCH] Fix build with glibc 2.43
>From glibc 2.43 release notes: * For ISO C23, the functions bsearch, memchr, strchr, strpbrk, strrchr, strstr, wcschr, wcspbrk, wcsrchr, wcsstr and wmemchr that return pointers into their input arrays now have definitions as macros that return a pointer to a const-qualified type when the input argument is a pointer to a const-qualified type.
Signed-off-by: Samuel Cabrero <[email protected]>
---
 library/adenroll.c | 8 ++++----
 library/adentry.c | 2 +-
 library/adprivate.h | 5 +++++
 library/adutil.c | 18 ++++++++++++++++++
 4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/library/adenroll.c b/library/adenroll.c
index 9484cbf..ba1a20f 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -3958,7 +3958,8 @@ static int comp_attr_name (const char *s1, const char *s2)
 adcli_result
 adcli_enroll_add_setattr (adcli_enroll *enroll, const char *value)
 {
- char *delim;
+ const char *delim = NULL;
+ size_t n = 0;
 return_val_if_fail (enroll != NULL, ADCLI_ERR_CONFIG);
 return_val_if_fail (value != NULL, ADCLI_ERR_CONFIG);
@@ -3974,12 +3975,11 @@ adcli_enroll_add_setattr (adcli_enroll *enroll, const char *value)
 return ADCLI_ERR_CONFIG;
 }
- *delim = '\0';
- if (_adcli_strv_has_ex (default_ad_ldap_attrs, value, strcasecmp) == 1) {
+ n = delim - value;
+ if (_adcli_strv_has_exn (default_ad_ldap_attrs, value, n, strncasecmp) == 1) {
 _adcli_err ("Attribute [%s] cannot be set with setattr", value);
 return ADCLI_ERR_CONFIG;
 }
- *delim = '=';
 if (_adcli_strv_has_ex (enroll->setattr, value, comp_attr_name) == 1) {
 _adcli_err ("Attribute [%s] already set", value);
diff --git a/library/adentry.c b/library/adentry.c
index 8de4454..29ce19b 100644
--- a/library/adentry.c
+++ b/library/adentry.c
@@ -605,7 +605,7 @@ user_entry_builder (adcli_entry *entry,
 static bool
 check_name (const char *name, const char *illegal_characters)
 {
- char *c;
+ const char *c;
 if ( (c = strpbrk (name, illegal_characters)) == NULL) {
 return true;
diff --git a/library/adprivate.h b/library/adprivate.h
index 71ac9e4..c138664 100644
--- a/library/adprivate.h
+++ b/library/adprivate.h
@@ -138,6 +138,11 @@ int _adcli_strv_has_ex (char **strv,
 const char *str,
 int (* compare) (const char *match, const char*value));
+int _adcli_strv_has_exn (char **strv,
+ const char *str,
+ size_t n,
+ int (* comparen) (const char *match, const char *value, size_t n));
+
 char ** _adcli_strv_dup (char **strv) GNUC_WARN_UNUSED;
 char * _adcli_strv_join (char **strv,
diff --git a/library/adutil.c b/library/adutil.c
index d4a4f4b..6388ead 100644
--- a/library/adutil.c
+++ b/library/adutil.c
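Review bot: With the `*delim = '\0'` truncation removed in the second `adcli_enroll_add_setattr` hunk, `value` still holds the full `name=value` string when `_adcli_err ("Attribute [%s] cannot be set with setattr", value);` runs, so the message now includes the attribute value instead of only the attribute name. That changes what ends up in error output and may put user-supplied attribute data into logs. Printing just the name keeps the previous behaviour: `_adcli_err ("Attribute [%.*s] cannot be set with setattr", (int) n, value);`. The assignment of `delim` sits between the two hunks and is not visible here, so this assumes it still points at the `=` inside `value`; the function body also continues past the hunk.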
@@ -238,6 +238,24 @@ _adcli_strv_has_ex (char **strv,
 return 0;
 }
+int
+_adcli_strv_has_exn (char **strv,
+ const char *str,
+ size_t n,
+ int (* comparen) (const char *match, const char *value, size_t n))
+{
+ int i;
+
+ for (i = 0; strv && strv[i] != NULL; i++) {
+ if (strlen(strv[i]) == n &&
+ comparen (strv[i], str, n) == 0) {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
 char **
 _adcli_strv_add_unique (char **strv,
 char *string,
-- 2.53.0
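Review bot: `_adcli_strv_has_exn` has no comment describing its contract, which differs from `_adcli_strv_has_ex` in a way that is easy to miss: `str` does not have to be NUL-terminated at `n`, but the caller must guarantee it holds at least `n` readable bytes, and an entry matches only when its own length is exactly `n` and `comparen` reports equality over those bytes. I would add a header comment saying so, e.g. `/* Return 1 if strv has an entry of length n that comparen finds equal to the first n bytes of str, else 0. */`. As a style point, `strlen(strv[i])` lacks the space before the parenthesis that the rest of the hunk uses (`comparen (strv[i], str, n)`).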
