audit: make dbus work in containers

This commit is contained in:
Lennart Poettering 2012-04-23 01:03:06 +02:00
parent 5a877a05f7
commit 1f94ec2bb2
2 changed files with 46 additions and 1 deletions

View File

@ -0,0 +1,37 @@
From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 23 Apr 2012 00:32:43 +0200
Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
if we have them
When we drop capabilities we shouldn't assume we can keep
CAP_AUDIT_WRITE unconditionally, since it will not be available when
running in containers.
This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
actually have it in the first place.
This makes audit/selinux enabled D-Bus work in a Linux container.
---
bus/selinux.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bus/selinux.c b/bus/selinux.c
index 36287e9..1bfc791 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
int rc;
capng_clear (CAPNG_SELECT_BOTH);
- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
- CAP_AUDIT_WRITE);
+ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
+ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+ CAP_AUDIT_WRITE);
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
if (rc)
{
--
1.7.10

View File

@ -10,7 +10,7 @@ Summary: D-BUS message bus
Name: dbus
Epoch: 1
Version: 1.4.20
Release: 1%{?dist}
Release: 2%{?dist}
URL: http://www.freedesktop.org/software/dbus/
#VCS: git:git://git.freedesktop.org/git/dbus/dbus
Source0: http://dbus.freedesktop.org/releases/dbus/%{name}-%{version}.tar.gz
@ -44,6 +44,10 @@ Conflicts: cups < 1:1.1.20-4
# FIXME this should be upstreamed; need --daemon-bindir=/bin and --bindir=/usr/bin or something?
Patch0: bindir.patch
# Posted upstream, makes D-Bus work in Linux containers.
# https://bugs.freedesktop.org/show_bug.cgi?id=49062
Patch1: 0001-selinux-when-dropping-capabilities-only-include-AUDI.patch
%description
D-BUS is a system for sending messages between applications. It is
used both for the system-wide message bus service, and as a
@ -94,6 +98,7 @@ in this separate package so server systems need not install X.
/bin/chmod 0644 COPYING ChangeLog NEWS
%patch0 -p1 -b .bindir
%patch1 -p1
autoreconf -f -i
@ -227,6 +232,9 @@ fi
%{_includedir}/*
%changelog
* Sun Apr 22 2012 Lennart Poettering <lpoetter@redhat.com> - 1:1.4.20-2
- Make D-Bus work in containers
* Tue Apr 13 2012 Colin Walters <walters@verbum.org>
- Update to 1.4.20; closes #806082
- Ensure /var/lib/dbus exists; this seems to have been