RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

policycoreutils: newrole retain CAP_SETPCAP 

We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Eric Paris 2011-06-29 02:56:56 -04:00
parent 802369fbe2
commit e3ffa8c31f
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
policycoreutils/newrole/newrole.c
View File

@ -586,7 +586,7 @@ static int drop_capabilities(int full)
return -1;
}
if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
return capng_apply(CAPNG_SELECT_BOTH);
}
@ -1030,8 +1030,10 @@ int main(int argc, char *argv[])
* if it makes sense to continue to run newrole, and setting up
* a scrubbed environment.
*/
if (drop_capabilities(FALSE))
if (drop_capabilities(FALSE)) {
perror(_("Sorry, newrole failed to drop capabilities\n"));
return -1;
}
if (set_signal_handles())
return -1;