38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
|
|
From: Lennart Poettering <lennart@poettering.net>
|
|
Date: Mon, 23 Apr 2012 00:32:43 +0200
|
|
Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
|
|
if we have them
|
|
|
|
When we drop capabilities we shouldn't assume we can keep
|
|
CAP_AUDIT_WRITE unconditionally, since it will not be available when
|
|
running in containers.
|
|
|
|
This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
|
|
actually have it in the first place.
|
|
|
|
This makes audit/selinux enabled D-Bus work in a Linux container.
|
|
---
|
|
bus/selinux.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/bus/selinux.c b/bus/selinux.c
|
|
index 36287e9..1bfc791 100644
|
|
--- a/bus/selinux.c
|
|
+++ b/bus/selinux.c
|
|
@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
|
|
int rc;
|
|
|
|
capng_clear (CAPNG_SELECT_BOTH);
|
|
- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
|
|
- CAP_AUDIT_WRITE);
|
|
+ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
|
|
+ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
|
|
+ CAP_AUDIT_WRITE);
|
|
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
|
|
if (rc)
|
|
{
|
|
--
|
|
1.7.10
|
|
|