| http://bugs.gentoo.org/405975 |
| |
| From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001 |
| From: Lennart Poettering <lennart@poettering.net> |
| Date: Mon, 23 Apr 2012 00:32:43 +0200 |
| Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps |
| if we have them |
| |
| When we drop capabilities we shouldn't assume we can keep |
| CAP_AUDIT_WRITE unconditionally, since it will not be available when |
| running in containers. |
| |
| This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we |
| actually have it in the first place. |
| |
| This makes audit/selinux enabled D-Bus work in a Linux container. |
| --- |
| bus/selinux.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/bus/selinux.c b/bus/selinux.c |
| index 36287e9..1bfc791 100644 |
| --- a/bus/selinux.c |
| +++ b/bus/selinux.c |
| @@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user, |
| int rc; |
| |
| capng_clear (CAPNG_SELECT_BOTH); |
| - capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, |
| - CAP_AUDIT_WRITE); |
| + if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)) |
| + capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, |
| + CAP_AUDIT_WRITE); |
| rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP); |
| if (rc) |
| { |
| -- |
| 1.7.10 |
| |
