From 68cfa786ad60c89bf40320271e47e421c3cd3822 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Mon, 18 Feb 2013 14:14:39 -0500 Subject: [PATCH] Fix newrole to retain cap_audit_write when compiled with namespace, also do not drop capabilities when run as root. --- policycoreutils-rhat.patch | 35 ++++++++++++++++++++++++++++++----- policycoreutils.spec | 8 ++++++-- 2 files changed, 36 insertions(+), 7 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 9c55140..a1d9971 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -338,10 +338,35 @@ new file mode 100644 index 0000000..68ffcb7 Binary files /dev/null and b/policycoreutils/gui/system-config-selinux.png differ diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c -index 8fbf2d0..3753ef4 100644 +index 8fbf2d0..3510f12 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c -@@ -680,7 +680,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, +@@ -576,19 +576,22 @@ static int drop_capabilities(int full) + */ + static int drop_capabilities(int full) + { ++ uid_t uid = getuid(); ++ if (!uid) return 0; ++ + capng_setpid(getpid()); + capng_clear(CAPNG_SELECT_BOTH); + if (capng_lock() < 0) + return -1; + +- uid_t uid = getuid(); + /* Change uid */ + if (setresuid(uid, uid, uid)) { + fprintf(stderr, _("Error changing uid, aborting.\n")); + return -1; + } + if (! full) +- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1); ++ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_AUDIT_WRITE, -1); ++ + return capng_apply(CAPNG_SELECT_BOTH); + } + +@@ -680,7 +683,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, security_context_t * tty_context, security_context_t * new_tty_context) { @@ -350,7 +375,7 @@ index 8fbf2d0..3753ef4 100644 int enforcing = security_getenforce(); security_context_t tty_con = NULL; security_context_t new_tty_con = NULL; -@@ -699,7 +699,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, +@@ -699,7 +702,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); return fd; } @@ -365,7 +390,7 @@ index 8fbf2d0..3753ef4 100644 if (fgetfilecon(fd, &tty_con) < 0) { fprintf(stderr, _("%s! Could not get current context " -@@ -1010,9 +1016,9 @@ int main(int argc, char *argv[]) +@@ -1010,9 +1019,9 @@ int main(int argc, char *argv[]) int fd; pid_t childPid = 0; char *shell_argv0 = NULL; @@ -376,7 +401,7 @@ index 8fbf2d0..3753ef4 100644 int pam_status; /* pam return code */ pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ -@@ -1226,15 +1232,23 @@ int main(int argc, char *argv[]) +@@ -1226,15 +1235,23 @@ int main(int argc, char *argv[]) fd = open(ttyn, O_RDONLY | O_NONBLOCK); if (fd != 0) goto err_close_pam; diff --git a/policycoreutils.spec b/policycoreutils.spec index 6c062a7..a5f197c 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -209,7 +209,7 @@ or level of a logged in user. %files newrole %defattr(-,root,root) -%attr(0755,root,root) %caps(cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole +%attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole %{_mandir}/man1/newrole.1.gz %config(noreplace) %{_sysconfdir}/pam.d/newrole @@ -326,6 +326,10 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Mon Feb 18 2013 Dan Walsh - 2.1.14-6 +- Fix newrole to retain cap_audit_write when compiled with namespace, also +do not drop capabilities when run as root. + * Thu Feb 14 2013 Dan Walsh - 2.1.14-5 - Fix man page generation and public_content description