[policycoreutils] Do not drop capabilities if running newrole as root

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 4 12:36:29 UTC 2011


commit ebadcd67f7fe321075134e4ee6a722ca9ff61bb7
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Oct 4 08:36:06 2011 -0400

    Do not drop capabilities if running newrole as root

 policycoreutils-rhat.patch |   19 ++++++++++++++++++-
 policycoreutils.spec       |    5 ++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 277d0d3..54f3e2e 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -41,9 +41,26 @@ index e9c80f0..e9d5882 100644
                      print "\t\tUnknown - would be allowed by active policy\n",
                      print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
 diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 99d0ed7..3f08d37 100644
+index 99d0ed7..19e20a8 100644
 --- a/policycoreutils/newrole/newrole.c
 +++ b/policycoreutils/newrole/newrole.c
+@@ -543,13 +543,13 @@ static int restore_environment(int preserve_environment,
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
+ static int drop_capabilities(int full)
+ {
++	uid_t uid = getuid();
++	if (!uid) return 0;
++
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 	if (capng_lock() < 0) 
+ 		return -1;
+ 
+-	uid_t uid = getuid();
+-	if (!uid) return 0;
+-
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
 @@ -1030,10 +1030,11 @@ int main(int argc, char *argv[])
  	 * if it makes sense to continue to run newrole, and setting up
  	 * a scrubbed environment.
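Review bot: The early return added at the top of `drop_capabilities()` carries no comment, yet it is the security-relevant decision in this function: when the real uid from `getuid()` is 0 it now returns 0 before `capng_clear(CAPNG_SELECT_BOTH)` and `capng_lock()`, so a root caller keeps its whole capability set and no lock is applied, whatever `full` is. I would document that above the check, for example `/* Real uid 0: keep capabilities and skip capng_lock(); only callers with a non-zero real uid are restricted. */`, and write the test as `if (uid == 0)` with a braced body so it is not skimmed over. Callers presumably cannot tell this 0 from a successful drop, so any later step that assumes a reduced capability set should be checked against the root path; the rest of the function body lies outside the hunk.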
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ed55fdb..fb8db3f 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -352,6 +352,9 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Oct 4 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
 * Fri Sep 30 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-1
 -Update to upstream
 	* semanage: fix indentation error in seobject

