[policycoreutils] Fix newrole to retain cap_audit_write when compiled with namespace, also

Daniel J Walsh dwalsh at fedoraproject.org
Mon Feb 18 19:14:45 UTC 2013


commit 68cfa786ad60c89bf40320271e47e421c3cd3822
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Feb 18 14:14:39 2013 -0500

    Fix newrole to retain cap_audit_write when compiled with namespace, also
    
    do not drop capabilities when run as root.

 policycoreutils-rhat.patch |   35 ++++++++++++++++++++++++++++++-----
 policycoreutils.spec       |    8 ++++++--
 2 files changed, 36 insertions(+), 7 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 9c55140..a1d9971 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -338,10 +338,35 @@ new file mode 100644
 index 0000000..68ffcb7
 Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ
 diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 8fbf2d0..3753ef4 100644
+index 8fbf2d0..3510f12 100644
 --- a/policycoreutils/newrole/newrole.c
 +++ b/policycoreutils/newrole/newrole.c
-@@ -680,7 +680,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+@@ -576,19 +576,22 @@ static int drop_capabilities(int full)
+  */
+ static int drop_capabilities(int full)
+ {
++	uid_t uid = getuid();
++	if (!uid) return 0;
++
+ 	capng_setpid(getpid());
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 	if (capng_lock() < 0) 
+ 		return -1;
+ 
+-	uid_t uid = getuid();
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
+ 		return -1;
+ 	}
+ 	if (! full) 
+-		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
++		capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1);
++	
+ 	return capng_apply(CAPNG_SELECT_BOTH);
+ }
+ 
+@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
  		       security_context_t * tty_context,
  		       security_context_t * new_tty_context)
  {
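Review bot: The early `if (!uid) return 0;` at the top of drop_capabilities reports success before capng_clear(), capng_lock() and capng_apply() run, so for a real uid of 0 the `full` argument is ignored and a caller asking for a full drop gets 0 back with the capability set untouched. That matches the commit message, but the function's header comment (it starts outside this hunk) should state it, for example `/* A real uid of 0 keeps its capabilities: nothing is cleared or locked and "full" is ignored. */`. Separately, the result of capng_updatev() on the `!full` path is not checked, so a failed add falls through to capng_apply() with the cleared set and the failure only surfaces later; `if (!full && capng_updatev(...) < 0) return -1;` with the same argument list would report it at the point it happens.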
@@ -350,7 +375,7 @@ index 8fbf2d0..3753ef4 100644
  	int enforcing = security_getenforce();
  	security_context_t tty_con = NULL;
  	security_context_t new_tty_con = NULL;
-@@ -699,7 +699,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
+@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
  		fprintf(stderr, _("Error!  Could not open %s.\n"), ttyn);
  		return fd;
  	}
@@ -365,7 +390,7 @@ index 8fbf2d0..3753ef4 100644
  
  	if (fgetfilecon(fd, &tty_con) < 0) {
  		fprintf(stderr, _("%s!  Could not get current context "
-@@ -1010,9 +1016,9 @@ int main(int argc, char *argv[])
+@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[])
  	int fd;
  	pid_t childPid = 0;
  	char *shell_argv0 = NULL;
@@ -376,7 +401,7 @@ index 8fbf2d0..3753ef4 100644
  	int pam_status;		/* pam return code */
  	pam_handle_t *pam_handle;	/* opaque handle used by all PAM functions */
  
-@@ -1226,15 +1232,23 @@ int main(int argc, char *argv[])
+@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[])
  		fd = open(ttyn, O_RDONLY | O_NONBLOCK);
  		if (fd != 0)
  			goto err_close_pam;
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 6c062a7..a5f197c 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -209,7 +209,7 @@ or level of a logged in user.
 
 %files newrole
 %defattr(-,root,root)
-%attr(0755,root,root) %caps(cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
 
 %{_mandir}/man1/newrole.1.gz
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
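Review bot: The new `%caps(...)` line adds `cap_dac_read_search` to the file capabilities of newrole, but neither the commit message nor the changelog entry mentions it. The `capng_updatev` list patched into drop_capabilities in this same commit does not retain it either, so as far as these hunks show it is held only until the first drop_capabilities call for a non-root user. If something before that point needs it, the changelog should name the capability and the reason, for example `- Add cap_dac_read_search to newrole file capabilities (<reason>)`. If nothing does, leaving it out keeps the permitted set of the installed binary no wider than before.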
@@ -326,6 +326,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Feb 18 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-6
+- Fix newrole to retain cap_audit_write when compiled with namespace, also
+do not drop capabilities when run as root.
+
 * Thu Feb 14 2013 Dan Walsh <dwalsh at redhat.com> - 2.1.14-5
 - Fix man page generation and public_content description
 

