policycoreutils: newrole retain CAP_SETPCAP

We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.

While we are at it, just add some console whine in case things fail.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
Eric Paris 2011-06-29 02:56:56 -04:00
parent 802369fbe2
commit e3ffa8c31f
1 changed files with 4 additions and 2 deletions

@ -586,7 +586,7 @@ static int drop_capabilities(int full)
return -1; return -1;
} }
if (! full) if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE); capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP);
return capng_apply(CAPNG_SELECT_BOTH); return capng_apply(CAPNG_SELECT_BOTH);
} }
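Review bot: The third argument of the changed capng_update() call ORs CAP_* constants together, but capng_update() takes a single capability number and the CAP_* values are indices, not bit flags. As written, `CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP` evaluates to one unrelated capability number, so neither CAP_SETPCAP nor the other four are actually retained. Pass the list to capng_updatev() terminated by -1, or make one capng_update() call per capability. The return value of the update is also discarded before capng_apply(), so a failed update goes unnoticed; check it and return -1 as the earlier error paths in this function do.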
@ -1030,8 +1030,10 @@ int main(int argc, char *argv[])
* if it makes sense to continue to run newrole, and setting up * if it makes sense to continue to run newrole, and setting up
* a scrubbed environment. * a scrubbed environment.
*/ */
if (drop_capabilities(FALSE)) if (drop_capabilities(FALSE)) {
perror(_("Sorry, newrole failed to drop capabilities\n"));
return -1; return -1;
}
if (set_signal_handles()) if (set_signal_handles())
return -1; return -1;
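Review bot: The message passed to perror() in the new error branch ends in "\n", and perror() itself appends ": ", the errno text and a newline, so the output is split across two lines with the errno description stranded on the second. errno may also not reflect the failure, since drop_capabilities() returns -1 on several paths, so the appended text can mislead. Prefer `fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));` here, or drop the trailing "\n" if the errno text is wanted. The neighbouring `if (set_signal_handles()) return -1;` still fails silently; if the aim is console output on failure, the same treatment would fit there.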