[dbus] audit: make dbus work in containers
Lennart Poettering
lennart at fedoraproject.org
Sun Apr 22 23:04:44 UTC 2012
commit 1f94ec2bb299f82e02fbc953fb61c94672a191c5
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Apr 23 01:03:06 2012 +0200
audit: make dbus work in containers
...n-dropping-capabilities-only-include-AUDI.patch | 37 ++++++++++++++++++++
dbus.spec | 10 +++++-
2 files changed, 46 insertions(+), 1 deletions(-)
---
diff --git a/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch b/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
new file mode 100644
index 0000000..e072b4b
--- /dev/null
+++ b/0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
@@ -0,0 +1,37 @@
+From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart at poettering.net>
+Date: Mon, 23 Apr 2012 00:32:43 +0200
+Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
+ if we have them
+
+When we drop capabilities we shouldn't assume we can keep
+CAP_AUDIT_WRITE unconditionally, since it will not be available when
+running in containers.
+
+This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
+actually have it in the first place.
+
+This makes audit/selinux enabled D-Bus work in a Linux container.
+---
+ bus/selinux.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 36287e9..1bfc791 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
+ int rc;
+
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+- CAP_AUDIT_WRITE);
++ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
++ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ CAP_AUDIT_WRITE);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
+ if (rc)
+ {
+--
+1.7.10
+
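Review bot: the `capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)` test added in the selinux.c hunk runs immediately after `capng_clear (CAPNG_SELECT_BOTH)`, and libcap-ng answers that query from its internal working copy of the capability sets, which is exactly what `capng_clear` has just zeroed; unless the process's real capabilities are reloaded between the two calls, the check will report the cleared set, and CAP_AUDIT_WRITE would never be retained even on hosts that have it. Suggest taking the sample before the clear (after a `capng_get_caps_process ()`), e.g. `have_audit = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);` ahead of `capng_clear`, and confirming on an audit-enabled, non-container host that the daemon still holds CAP_AUDIT_WRITE after `capng_change_id`. When the capability really is absent, the daemon now continues silently with audit writes disabled; a log message at that branch would make an unexpectedly missing CAP_AUDIT_WRITE visible instead of quietly degrading the audit trail.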
diff --git a/dbus.spec b/dbus.spec
index 27a1284..44e3034 100644
--- a/dbus.spec
+++ b/dbus.spec
@@ -10,7 +10,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.4.20
-Release: 1%{?dist}
+Release: 2%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@@ -44,6 +44,10 @@ Conflicts: cups < 1:1.1.20-4
# FIXME this should be upstreamed; need --daemon-bindir=/bin and --bindir=/usr/bin or something?
Patch0: bindir.patch
+# Posted upstream, makes D-Bus work in Linux containers.
+# https://bugs.freedesktop.org/show_bug.cgi?id=49062
+Patch1: 0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
+
%description
D-BUS is a system for sending messages between applications. It is
used both for the system-wide message bus service, and as a
@@ -94,6 +98,7 @@ in this separate package so server systems need not install X.
/bin/chmod 0644 COPYING ChangeLog NEWS
%patch0 -p1 -b .bindir
+%patch1 -p1
autoreconf -f -i
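Review bot: `%patch1 -p1` is applied without the `-b .<suffix>` backup that the existing `%patch0 -p1 -b .bindir` line uses; for consistency within this spec, suggest `%patch1 -p1 -b .audit-caps` (suffix name is a suggestion) so the pre-patch copy of bus/selinux.c stays in the build tree for comparison.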
@@ -227,6 +232,9 @@ fi
%{_includedir}/*
%changelog
+* Sun Apr 22 2012 Lennart Poettering <lpoetter at redhat.com> - 1:1.4.20-2
+- Make D-Bus work in containers
+
* Tue Apr 13 2012 Colin Walters <walters at verbum.org>
- Update to 1.4.20; closes #806082
- Ensure /var/lib/dbus exists; this seems to have been
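Review bot: the new changelog entry carries no bug reference, whereas the previous entry records `closes #806082`; suggest citing the upstream report already named in the Patch1 comment, e.g. `- Make D-Bus work in containers (fdo#49062)`, so the change is traceable from the changelog alone.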