[policycoreutils] Fix newrole to retain cap_audit_write when compiled with namespace, also
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Feb 18 19:14:45 UTC 2013
commit 68cfa786ad60c89bf40320271e47e421c3cd3822
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Feb 18 14:14:39 2013 -0500
Fix newrole to retain cap_audit_write when compiled with namespace, also
do not drop capabilities when run as root.
policycoreutils-rhat.patch | 35 ++++++++++++++++++++++++++++++-----
policycoreutils.spec | 8 ++++++--
2 files changed, 36 insertions(+), 7 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 9c55140..a1d9971 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -338,10 +338,35 @@ new file mode 100644
index 0000000..68ffcb7
Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 8fbf2d0..3753ef4 100644
+index 8fbf2d0..3510f12 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
-@@ -680,7 +680,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+@@ -576,19 +576,22 @@ static int drop_capabilities(int full)
+ */
+ static int drop_capabilities(int full)
+ {
++ uid_t uid = getuid();
++ if (!uid) return 0;
++
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_lock() < 0)
+ return -1;
+
+- uid_t uid = getuid();
+ /* Change uid */
+ if (setresuid(uid, uid, uid)) {
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
+ return -1;
+ }
+ if (! full)
+- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1);
++
+ return capng_apply(CAPNG_SELECT_BOTH);
+ }
+
+@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
security_context_t * tty_context,
security_context_t * new_tty_context)
{
@@ -350,7 +375,7 @@ index 8fbf2d0..3753ef4 100644
int enforcing = security_getenforce();
security_context_t tty_con = NULL;
security_context_t new_tty_con = NULL;
-@@ -699,7 +699,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
return fd;
}
@@ -365,7 +390,7 @@ index 8fbf2d0..3753ef4 100644
if (fgetfilecon(fd, &tty_con) < 0) {
fprintf(stderr, _("%s! Could not get current context "
-@@ -1010,9 +1016,9 @@ int main(int argc, char *argv[])
+@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[])
int fd;
pid_t childPid = 0;
char *shell_argv0 = NULL;
@@ -376,7 +401,7 @@ index 8fbf2d0..3753ef4 100644
int pam_status; /* pam return code */
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
-@@ -1226,15 +1232,23 @@ int main(int argc, char *argv[])
+@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[])
fd = open(ttyn, O_RDONLY | O_NONBLOCK);
if (fd != 0)
goto err_close_pam;
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 6c062a7..a5f197c 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -209,7 +209,7 @@ or level of a logged in user.
%files newrole
%defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
%{_mandir}/man1/newrole.1.gz
%config(noreplace) %{_sysconfdir}/pam.d/newrole
@@ -326,6 +326,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Mon Feb 18 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-6
+- Fix newrole to retain cap_audit_write when compiled with namespace, also
+do not drop capabilities when run as root.
+
* Thu Feb 14 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-5
- Fix man page generation and public_content description
More information about the scm-commits
mailing list