Do not drop capabilities if running newrole as root

policycoreutils-rhat.patch

@@ -41,9 +41,26 @@ index e9c80f0..e9d5882 100644
                      print "\t\tUnknown - would be allowed by active policy\n",
                      print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
 diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
-index 99d0ed7..3f08d37 100644
+index 99d0ed7..19e20a8 100644
 --- a/policycoreutils/newrole/newrole.c
 +++ b/policycoreutils/newrole/newrole.c
+@@ -543,13 +543,13 @@ static int restore_environment(int preserve_environment,
+ #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
+ static int drop_capabilities(int full)
+ {
++	uid_t uid = getuid();
++	if (!uid) return 0;
++
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 	if (capng_lock() < 0) 
+ 		return -1;
+ 
+-	uid_t uid = getuid();
+-	if (!uid) return 0;
+-
+ 	/* Change uid */
+ 	if (setresuid(uid, uid, uid)) {
+ 		fprintf(stderr, _("Error changing uid, aborting.\n"));
 @@ -1030,10 +1030,11 @@ int main(int argc, char *argv[])
  	 * if it makes sense to continue to run newrole, and setting up
  	 * a scrubbed environment.

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -352,6 +352,9 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Oct 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
 * Fri Sep 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
 -Update to upstream
 	* semanage: fix indentation error in seobject