--- dbus-1.2.16.orig/bus/selinux.c 2009-11-01 09:58:22.000000000 -0500
+++ dbus-1.2.16.orig/bus/selinux.c 2009-11-01 11:30:45.000000000 -0500
@@ -1015,3 +1015,74 @@ bus_selinux_shutdown (void)
 #endif /* HAVE_SELINUX */
 }
+/**
+ * Changes the user and group the bus is running as.
+ *
+ * @param user the user to become
+ * @param error return location for errors
+ * @returns #FALSE on failure
+ */
+dbus_bool_t
+_dbus_change_to_daemon_user (const char *user,
+ DBusError *error)
+{
+ dbus_uid_t uid;
+ dbus_gid_t gid;
+ DBusString u;
+
+ _dbus_string_init_const (&u, user);
+
+ if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
+ {
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "User '%s' does not appear to exist?",
+ user);
+ return FALSE;
+ }
+
+#ifdef HAVE_LIBAUDIT
+ /* If we were root */
+ if (_dbus_geteuid () == 0)
+ {
+ int rc;
+
+ capng_clear(CAPNG_SELECT_BOTH);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+ CAP_AUDIT_WRITE);
+ rc = capng_change_id(uid, gid, 0);
+ if (rc)
+ {
+ switch (rc) {
+ default:
+ dbus_set_error (error, DBUS_ERROR_FAILED,
+ "Failed to drop capabilities: %s\n",
+ _dbus_strerror (errno));
+ break;
+ case -4:
+ dbus_set_error (error, _dbus_error_from_errno (errno),
+ "Failed to set GID to %lu: %s", gid,
+ _dbus_strerror (errno));
+ break;
+ case -5:
+ _dbus_warn ("Failed to drop supplementary groups: %s\n",
+ _dbus_strerror (errno));
+ break;
+ case -6:
+ dbus_set_error (error, _dbus_error_from_errno (errno),
+ "Failed to set UID to %lu: %s", uid,
+ _dbus_strerror (errno));
+ break;
+ case -7:
+ dbus_set_error (error, _dbus_error_from_errno (errno),
+ "Failed to unset keep-capabilities: %s\n",
+ _dbus_strerror (errno));
+ break;
+ }
+ return FALSE;
+ }
+ }
+#endif /* HAVE_LIBAUDIT */
+
+ return TRUE;
+}
+
--- dbus-1.2.16.orig/bus/selinux.h 2009-11-01 09:58:22.000000000 -0500
+++ dbus-1.2.16.orig/bus/selinux.h 2009-11-01 11:33:15.000000000 -0500
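Review bot: When HAVE_LIBAUDIT is not defined, `_dbus_change_to_daemon_user` as added in the bus/selinux.c hunk looks up the user and then returns TRUE without changing UID, GID or supplementary groups, so a bus started as root would report a successful privilege drop while still running as root. An `#else` branch should either perform the drop with the plain POSIX calls or fail closed; a sketch follows. Separately, `case -5:` only calls `_dbus_warn` and then reaches `return FALSE` with `error` unset, leaving callers a failure without a DBusError; it should call `dbus_set_error` like the neighbouring cases. The return values of `capng_clear` and `capng_update` are also ignored, so a failure to set up the capability state goes unreported before `capng_change_id` runs.

```c
#ifdef HAVE_LIBAUDIT
  /* … unchanged: capng-based drop and its error switch … */
#else
  if (_dbus_geteuid () == 0)
    {
      /* Order matters: supplementary groups and GID must be changed
       * while we are still root; setuid() comes last. */
      if (setgroups (0, NULL) < 0 || setgid (gid) < 0 || setuid (uid) < 0)
        {
          dbus_set_error (error, _dbus_error_from_errno (errno),
                          "Failed to change to user '%s': %s",
                          user, _dbus_strerror (errno));
          return FALSE;
        }
    }
#endif /* HAVE_LIBAUDIT */
```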
@@ -68,5 +68,7 @@ BusSELinuxID* bus_selinux_init_connectio
 void bus_selinux_audit_init(void);
+dbus_bool_t _dbus_change_to_daemon_user (const char *user,
+ DBusError *error);
 #endif /* BUS_SELINUX_H */
--- dbus-1.2.16.orig/configure.in 2009-11-01 09:58:22.000000000 -0500
+++ dbus-1.2.16.orig/configure.in 2009-11-01 11:30:45.000000000 -0500
@@ -852,8 +852,7 @@ fi
 AM_CONDITIONAL(HAVE_LIBAUDIT, test x$have_libaudit = xyes)
 if test x$have_libaudit = xyes ; then
- SELINUX_LIBS="$SELINUX_LIBS -laudit"
- LIBS="-lcap-ng $LIBS"
+ SELINUX_LIBS="$SELINUX_LIBS -laudit -lcap-ng"
 AC_DEFINE(HAVE_LIBAUDIT,1,[audit daemon SELinux support])
 fi
--- dbus-1.2.16.orig/dbus/dbus-sysdeps.h 2009-11-01 09:58:22.000000000 -0500
+++ dbus-1.2.16.orig/dbus/dbus-sysdeps.h 2009-11-01 11:33:08.000000000 -0500
@@ -418,8 +418,6 @@ dbus_bool_t _dbus_become_daemon (const
 dbus_bool_t keep_umask);
 dbus_bool_t _dbus_verify_daemon_user (const char *user);
-dbus_bool_t _dbus_change_to_daemon_user (const char *user,
- DBusError *error);
 dbus_bool_t _dbus_write_pid_to_file_and_pipe (const DBusString *pidfile,
 DBusPipe *print_pid_pipe,
--- dbus-1.2.16.orig/dbus/dbus-sysdeps-util-unix.c 2009-11-01 09:58:22.000000000 -0500
+++ dbus-1.2.16.orig/dbus/dbus-sysdeps-util-unix.c 2009-11-01 11:30:45.000000000 -0500
@@ -45,10 +45,6 @@
 #include
 #include
 #include
-#ifdef HAVE_LIBAUDIT
-#include
-#include
-#endif /* HAVE_LIBAUDIT */
 #ifdef HAVE_SYS_SYSLIMITS_H
 #include
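Review bot: In the configure.in hunk, `-lcap-ng` is appended to `SELINUX_LIBS` on the strength of `have_libaudit` alone, and the reason for taking it out of the global `LIBS` is not recorded next to the assignment. Whether libcap-ng is probed separately is outside the hunk; if it is not, a host with libaudit but without libcap-ng would pass configure and fail only at link time. I would add a comment such as `# cap-ng is only used by the bus daemon (bus/selinux.c); keep it out of LIBS so libdbus does not link it`, presuming that is the intent, and confirm that the `have_libaudit` test also covers the cap-ng header and library.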
@@ -308,77 +304,6 @@ _dbus_verify_daemon_user (const char *us
 return _dbus_get_user_id_and_primary_group (&u, NULL, NULL);
 }
-/**
- * Changes the user and group the bus is running as.
- *
- * @param user the user to become
- * @param error return location for errors
- * @returns #FALSE on failure
- */
-dbus_bool_t
-_dbus_change_to_daemon_user (const char *user,
- DBusError *error)
-{
- dbus_uid_t uid;
- dbus_gid_t gid;
- DBusString u;
-
- _dbus_string_init_const (&u, user);
-
- if (!_dbus_get_user_id_and_primary_group (&u, &uid, &gid))
- {
- dbus_set_error (error, DBUS_ERROR_FAILED,
- "User '%s' does not appear to exist?",
- user);
- return FALSE;
- }
-
-#ifdef HAVE_LIBAUDIT
- /* If we were root */
- if (_dbus_geteuid () == 0)
- {
- int rc;
-
- capng_clear(CAPNG_SELECT_BOTH);
- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_AUDIT_WRITE);
- rc = capng_change_id(uid, gid, 0);
- if (rc)
- {
- switch (rc) {
- default:
- dbus_set_error (error, DBUS_ERROR_FAILED,
- "Failed to drop capabilities: %s\n",
- _dbus_strerror (errno));
- break;
- case -4:
- dbus_set_error (error, _dbus_error_from_errno (errno),
- "Failed to set GID to %lu: %s", gid,
- _dbus_strerror (errno));
- break;
- case -5:
- _dbus_warn ("Failed to drop supplementary groups: %s\n",
- _dbus_strerror (errno));
- break;
- case -6:
- dbus_set_error (error, _dbus_error_from_errno (errno),
- "Failed to set UID to %lu: %s", uid,
- _dbus_strerror (errno));
- break;
- case -7:
- dbus_set_error (error, _dbus_error_from_errno (errno),
- "Failed to unset keep-capabilities: %s\n",
- _dbus_strerror (errno));
- break;
- }
- return FALSE;
- }
- }
-#endif /* HAVE_LIBAUDIT */
-
- return TRUE;
-}
-
 void
 _dbus_init_system_log (void)
 {