Hello! The CAP_* constants should not be OR'ed together; they are bit numbers. Also grant access to the audit system. P.S. Maybe someone can look at the commit messages; I'm not sure about my English. -- WBR, Mikhail Efremov
>From 1b3869f11fcc93b7ab667c56a9ff7b7597c19147 Mon Sep 17 00:00:00 2001 From: Mikhail Efremov <sem@xxxxxxxxxxxx> Date: Fri, 16 Mar 2012 16:19:56 +0400 Subject: [PATCH 1/2] policycoreutils: newrole: Fix drop_capabilities(). The CAP_* constants should not be or'ed, it is the bit numbers. And call capng_setpid() before dropping capabilities, otherwise child will try to drop capabilities of the parent process.
---
 policycoreutils/newrole/newrole.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 99d0ed7..0554d58 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -543,6 +543,7 @@ static int restore_environment(int preserve_environment,
 #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
 static int drop_capabilities(int full)
 {
+ capng_setpid(getpid());
 capng_clear(CAPNG_SELECT_BOTH);
 if (capng_lock() < 0)
 return -1;
@@ -575,6 +576,7 @@ static int drop_capabilities(int full)
 */
 static int drop_capabilities(int full)
 {
+ capng_setpid(getpid());
 capng_clear(CAPNG_SELECT_BOTH);
 if (capng_lock() < 0)
 return -1;
@@ -585,8 +587,13 @@ static int drop_capabilities(int full)
 fprintf(stderr, _("Error changing uid, aborting.\n"));
 return -1;
 }
- if (! full)
- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
+ if (! full) {
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_FOWNER);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_CHOWN);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_DAC_OVERRIDE);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SETPCAP);
+ }
 return capng_apply(CAPNG_SELECT_BOTH);
 }
--
1.7.9.3
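Review bot: The added `capng_setpid(getpid());` at the top of drop_capabilities() has no comment, so the reason for it exists only in the commit message and the call looks redundant to a later reader. I would put above it `/* May run in a forked child: point libcap-ng at this process so the parent's capabilities are not the ones being changed. */`. The same line is added to the second drop_capabilities() definition in the next hunk and needs the same comment. Both function bodies continue outside their hunks.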
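Review bot: The five `capng_update()` calls in the new `if (! full)` block ignore their return values, so a failed add still reaches `capng_apply()` and the function can report success while the process holds fewer capabilities than the caller expects. libcap-ng's `capng_updatev()` takes the capability list terminated by -1 and returns a status, which lets the block fail closed in one statement: `if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1) < 0) return -1;`. The `CAP_AUDIT_WRITE` line added by patch 2/2 is unchecked in the same way. The start of drop_capabilities() lies outside this hunk.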
>From ef57299e153aaaaba962d47750e4ac80c12d9dd6 Mon Sep 17 00:00:00 2001 From: Mikhail Efremov <sem@xxxxxxxxxxxx> Date: Fri, 16 Mar 2012 16:21:38 +0400 Subject: [PATCH 2/2] policycoreutils: newrole retain CAP_AUDIT_WRITE. Grant access to the audit system.
---
 policycoreutils/newrole/newrole.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 0554d58..bc7fbe3 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -593,6 +593,7 @@ static int drop_capabilities(int full)
 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_CHOWN);
 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_DAC_OVERRIDE);
 capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SETPCAP);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
 }
 return capng_apply(CAPNG_SELECT_BOTH);
 }
--
1.7.9.3
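Review bot: `CAP_AUDIT_WRITE` is retained unconditionally inside the `if (! full)` block, and the hunk does not show whether this drop_capabilities() variant is compiled only when audit logging is enabled. If it can be built without `AUDIT_LOG_PRIV` (the first variant's guard in patch 1/2 suggests the two macros are independent), the process keeps a capability it never uses. Wrapping the added line in `#ifdef AUDIT_LOG_PRIV` / `#endif` would keep the retained set minimal. A short comment such as `/* kept so audit records can still be written after the drop */` would also record why it is there.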