From ebadcd67f7fe321075134e4ee6a722ca9ff61bb7 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 4 Oct 2011 08:36:06 -0400
Subject: [PATCH] Do not drop capabilities if running newrole as root

---
 policycoreutils-rhat.patch | 19 ++++++++++++++++++-
 policycoreutils.spec       |  5 ++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 277d0d3..54f3e2e 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -41,9 +41,26 @@ index e9c80f0..e9d5882 100644
  print "\t\tUnknown - would be allowed by active policy\n",
  print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
  diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
 -index 99d0ed7..3f08d37 100644
 +index 99d0ed7..19e20a8 100644
  --- a/policycoreutils/newrole/newrole.c
  +++ b/policycoreutils/newrole/newrole.c
 +@@ -543,13 +543,13 @@ static int restore_environment(int preserve_environment,
 + #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
 + static int drop_capabilities(int full)
 + {
 ++	uid_t uid = getuid();
 ++	if (!uid) return 0;
 ++
 + 	capng_clear(CAPNG_SELECT_BOTH);
 + 	if (capng_lock() < 0)
 + 		return -1;
 + 
 +-	uid_t uid = getuid();
 +-	if (!uid) return 0;
 +-
 + 	/* Change uid */
 + 	if (setresuid(uid, uid, uid)) {
 + 		fprintf(stderr, _("Error changing uid, aborting.\n"));
  @@ -1030,10 +1030,11 @@ int main(int argc, char *argv[])
   	 * if it makes sense to continue to run newrole, and setting up
   	 * a scrubbed environment.
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ed55fdb..fb8db3f 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.1.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
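Review bot: Moving `if (!uid) return 0;` ahead of `capng_clear()` and `capng_lock()` means a caller whose real uid is 0 now skips the securebits lock as well as the capability clear, while the subject line names only the capability drop; if the lock is still wanted for root, the early return belongs between `capng_lock()` and `setresuid()`, otherwise the wider effect should be stated. Either way the bare early return reads like an accident without a why-comment, so add one above the check, e.g. `/* Real root keeps its capability set and securebits untouched; only non-root callers are reduced below. */`. The test uses the real uid from `getuid()`, so only an invocation whose real uid is 0 takes the new path; anything else still goes through the clear, lock and `setresuid()` sequence. drop_capabilities() continues past the end of the hunk, so the remaining privilege handling after `setresuid()` is not visible here.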
@@ -352,6 +352,9 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Tue Oct 4 2011 Dan Walsh - 2.1.7-2
+- Do not drop capabilities if running newrole as root
+
 * Fri Sep 30 2011 Dan Walsh - 2.1.7-1
 -Update to upstream
 	* semanage: fix indentation error in seobject