If you run newrole as root and it drops capabilities, the next shell
script does not have any capabilities and can not function.
newrole -L TopSecret
Would end up with a root shell and no capabilities.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>
We retain CAP_SETPCAP so that we can drop the additional capabilities
we held onto to set up namespaces.
While we are at it, just add some console whine in case things fail.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Dan Walsh <dwalsh@redhat.com>