Gentoo Archives: gentoo-commits

From: "Samuli Suominen (ssuominen)" <ssuominen@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in sys-apps/dbus/files: dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
Date: Tue, 29 May 2012 15:21:25
Message-Id: 20120529152115.D5B752004C@flycatcher.gentoo.org
1 ssuominen 12/05/29 15:21:15
2
3 Added:
4 dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
5 Log:
6 When dropping capabilities only include AUDIT caps if we have them wrt #405975. This makes audit/selinux enabled D-Bus work in a Linux container. Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
7
8 (Portage version: 2.2.0_alpha108/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.1 sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch?rev=1.1&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch?rev=1.1&content-type=text/plain
15
16 Index: dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
17 ===================================================================
18 http://bugs.gentoo.org/405975
19
20 From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
21 From: Lennart Poettering <lennart@××××××××××.net>
22 Date: Mon, 23 Apr 2012 00:32:43 +0200
23 Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
24 if we have them
25
26 When we drop capabilities we shouldn't assume we can keep
27 CAP_AUDIT_WRITE unconditionally, since it will not be available when
28 running in containers.
29
30 This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
31 actually have it in the first place.
32
33 This makes audit/selinux enabled D-Bus work in a Linux container.
34 ---
35 bus/selinux.c | 5 +++--
36 1 file changed, 3 insertions(+), 2 deletions(-)
37
38 diff --git a/bus/selinux.c b/bus/selinux.c
39 index 36287e9..1bfc791 100644
40 --- a/bus/selinux.c
41 +++ b/bus/selinux.c
42 @@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
43 int rc;
44
45 capng_clear (CAPNG_SELECT_BOTH);
46 - capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
47 - CAP_AUDIT_WRITE);
48 + if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
49 + capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
50 + CAP_AUDIT_WRITE);
51 rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
52 if (rc)
53 {
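Review bot: the new guard `+ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))` runs after the preceding context line `capng_clear (CAPNG_SELECT_BOTH);`, but capng_have_capability() only consults libcap-ng's internal working copy of the capability sets, and capng_clear() has just emptied that copy, so unless something refreshes the state in between the condition is never true and CAP_AUDIT_WRITE is dropped on every host, containerized or not. Sample the real process state before clearing: call capng_get_caps_process() (the documented prerequisite for capng_have_capability()), store the answer in a local such as `have_audit_write`, then do the capng_clear() and make the capng_update() conditional on that saved value. The "this makes audit/selinux enabled D-Bus work" claim in the description should be re-checked on an audit-enabled host once the ordering is corrected, since as written the two code paths converge on "no CAP_AUDIT_WRITE".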
54 --
55 1.7.10
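The commit message's rule, keep CAP_AUDIT_WRITE across the privilege drop only if the process actually holds it in its permitted set, can be checked without libcap-ng by reading the CapPrm mask the kernel exposes in /proc/<pid>/status. The program below is an added example written for this page, not dbus or Gentoo code; it uses the real /proc field names and the real bit number for CAP_AUDIT_WRITE from <linux/capability.h> (29), and the two status buffers it tests against are constructed samples, not captures from any system.

```c
/*
 * Added example (not dbus code): decide whether a daemon may keep
 * CAP_AUDIT_WRITE by reading CapPrm from /proc/self/status, so it builds
 * without -lcap-ng. Bit numbering follows <linux/capability.h>.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_AUDIT_WRITE 29

/* Parse one "Field:\t<hex>" status line. Returns 1 and fills *mask when
 * the line is the requested field, 0 otherwise or on malformed input. */
int parse_cap_line(const char *line, const char *field, uint64_t *mask)
{
    size_t n = strlen(field);
    const char *p;
    char *end;
    unsigned long long v;

    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return 0;
    p = line + n + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return 0;
    *mask = (uint64_t) v;
    return 1;
}

/* Test one capability bit; out-of-range numbers are never "held". */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int) ((mask >> cap) & 1ULL);
}

/* Walk a /proc/<pid>/status buffer. Returns 1 if cap is set in the named
 * field (CapPrm, CapEff, CapBnd, ...), 0 if clear, -1 if field absent. */
int status_has_cap(const char *status_text, const char *field, int cap)
{
    const char *line = status_text;

    while (line != NULL && *line != '\0') {
        uint64_t mask;
        const char *nl;

        if (parse_cap_line(line, field, &mask))
            return cap_in_mask(mask, cap);
        nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* The decision the patch wants before capng_update(): keep the capability
 * only if it is already permitted. A missing CapPrm line means "no". */
int should_keep_audit_write(const char *status_text)
{
    return status_has_cap(status_text, "CapPrm", CAP_AUDIT_WRITE) == 1;
}

/* Same decision for the live process; -1 if /proc is unreadable. */
int self_should_keep_audit_write(void)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return should_keep_audit_write(buf);
}

/* Constructed samples, not captured from real systems: a root daemon on the
 * host with every capability bit through 36 set, and the same daemon in a
 * container whose permitted and bounding sets have bit 29 cleared. */
static const char SAMPLE_HOST_ROOT[] =
    "Name:\tdbus-daemon\n"
    "CapPrm:\t0000001fffffffff\n"
    "CapEff:\t0000001fffffffff\n"
    "CapBnd:\t0000001fffffffff\n";

static const char SAMPLE_CONTAINER[] =
    "Name:\tdbus-daemon\n"
    "CapPrm:\t00000000880425fb\n"
    "CapEff:\t00000000880425fb\n"
    "CapBnd:\t00000000880425fb\n";

int main(void)
{
    printf("host sample keeps CAP_AUDIT_WRITE: %d\n",
           should_keep_audit_write(SAMPLE_HOST_ROOT));
    printf("container sample keeps CAP_AUDIT_WRITE: %d\n",
           should_keep_audit_write(SAMPLE_CONTAINER));
    printf("this process would keep CAP_AUDIT_WRITE: %d\n",
           self_should_keep_audit_write());
    return 0;
}
```

The check reads kernel state directly, so it cannot be fooled by a stale or cleared in-library copy of the capability sets; with libcap-ng the equivalent is to call capng_get_caps_process() and consult capng_have_capability() before any capng_clear().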