From e3ffa8c31fca71eba3c625f1e3ec26fdf8095f0f Mon Sep 17 00:00:00 2001
From: Eric Paris
Date: Wed, 29 Jun 2011 02:56:56 -0400
Subject: [PATCH] policycoreutils: newrole retain CAP_SETPCAP

We retain CAP_SETPCAP so that we can drop the additional capabilities we held onto to set up namespaces. While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris
Acked-by: Dan Walsh
---
 policycoreutils/newrole/newrole.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 2d31d645..99d0ed7f 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -586,7 +586,7 @@ static int drop_capabilities(int full)
 return -1;
 }
 if (! full)
- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
 return capng_apply(CAPNG_SELECT_BOTH);
 }
 
@@ -1030,8 +1030,10 @@ int main(int argc, char *argv[])
 * if it makes sense to continue to run newrole, and setting up
 * a scrubbed environment.
 */
- if (drop_capabilities(FALSE))
+ if (drop_capabilities(FALSE)) {
+ perror(_("Sorry, newrole failed to drop capabilities\n"));
 return -1;
+ }
 
 if (set_signal_handles())
 return -1;
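Review bot: The capability list on the changed `capng_update` line is still combined with `|`, but libcap-ng's `capng_update()` takes one capability number per call and the `CAP_*` macros are index values, not bit flags. With the numbering in `<linux/capability.h>` the OR of these five values works out to a single unrelated capability (31, `CAP_SETFCAP`), so neither `CAP_SETPCAP` nor the capabilities meant for namespace setup appear to be retained. Use the variadic form with its `-1` terminator, `capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);`, and check its return value before calling `capng_apply()`. drop_capabilities() starts outside the hunk.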
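Review bot: `perror()` in the new failure branch prints the message, then `: `, the `errno` text and its own newline, so the `\n` inside the translated string splits the diagnostic across two lines. `errno` is also not guaranteed to describe the failure: drop_capabilities() returns either `-1` or the result of `capng_apply()`, and nothing visible here shows that those paths leave a meaningful `errno`. A plain `fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));` avoids both problems. main() begins and continues outside the hunk.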