[policycoreutils] Do not drop capabilities if running newrole as root
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Oct 4 12:36:29 UTC 2011
commit ebadcd67f7fe321075134e4ee6a722ca9ff61bb7
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Oct 4 08:36:06 2011 -0400
Do not drop capabilities if running newrole as root
policycoreutils-rhat.patch | 19 ++++++++++++++++++-
policycoreutils.spec | 5 ++++-
2 files changed, 22 insertions(+), 2 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 277d0d3..54f3e2e 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -41,9 +41,26 @@ index e9c80f0..e9d5882 100644
print "\t\tUnknown - would be allowed by active policy\n",
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 99d0ed7..3f08d37 100644
+index 99d0ed7..19e20a8 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
+@@ -543,13 +543,13 @@ static int restore_environment(int preserve_environment,
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
+ static int drop_capabilities(int full)
+ {
++ uid_t uid = getuid();
++ if (!uid) return 0;
++
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_lock() < 0)
+ return -1;
+
+- uid_t uid = getuid();
+- if (!uid) return 0;
+-
+ /* Change uid */
+ if (setresuid(uid, uid, uid)) {
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
@@ -1030,10 +1030,11 @@ int main(int argc, char *argv[])
* if it makes sense to continue to run newrole, and setting up
* a scrubbed environment.
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ed55fdb..fb8db3f 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -352,6 +352,9 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Tue Oct 4 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
* Fri Sep 30 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.7-1
-Update to upstream
* semanage: fix indentation error in seobject
More information about the scm-commits
mailing list