newrole not working when built with LSPP_PRIV=y

Hi,

Running newrole executable compiled with LSPP_PRIV=y I get the following
error while it's trying to switch role:

Error sending audit message.

It seems that the CAP_AUDIT_WRITE capability is not set [0]. Adding this
capability to the list doesn't seem enough; I then get the following error:

failed to exec shell: Operation not permitted

Looking at the fedora tree, I've found this patch[1] (which is not
merged upstream) that seems to fix both issues.

The patch seems to break another thing: in Fedora the newrole
executable is not setuid root, but it is granted a bunch of capabilities
explicitly. If I setuid this executable instead of granting these
capabilities, I get yet another error:

Sorry, newrole failed to drop capabilities: Operation not permitted

So I guess something needs to be fixed here.

Cheers,

Laurent Bigonville

[0]
https://github.com/SELinuxProject/selinux/blob/master/policycoreutils/newrole/newrole.c#L590

[1]
https://github.com/fedora-selinux/selinux/commit/339a6fed0b37f8b82e4382bc6a5c9367119ed92b
_______________________________________________
Selinux mailing list
