fd.o bug #12429 Reverse check to setpcap and only init audit if we were root

* patch by Dan Walsh <dwalsh@redhat.com>
* https://bugs.freedesktop.org/show_bug.cgi?id=12429
* Reverse we_were_root check to setpcap if we were root.  Also only init
  audit if we were root.  So error dbus message will not show up when policy
  reload happens.  dbus -session will no longer try to send audit message,
  only system will.

diff --git a/bus/selinux.c b/bus/selinux.c
index 7fedba6..8c7a6f8 100644 (file)
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -113,7 +113,7 @@ static const struct avc_lock_callback lock_cb =
 static int audit_fd = -1;
 #endif
 
-static void
+void
 audit_init(void)
 {
 #ifdef HAVE_LIBAUDIT  
@@ -350,12 +350,8 @@ bus_selinux_full_init (void)
 
   freecon (bus_context);
   
-  audit_init ();
-
-  return TRUE;
-#else
-  return TRUE;
 #endif /* HAVE_SELINUX */
+  return TRUE;
 }
 
 /**

diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c
index df967a3..e03e0b7 100644 (file)
--- a/dbus/dbus-sysdeps-util-unix.c
+++ b/dbus/dbus-sysdeps-util-unix.c
@@ -338,7 +338,7 @@ _dbus_change_to_daemon_user  (const char    *user,
    * run as ... doesn't really help. But keeps people happy.
    */
     
-  if (!we_were_root)
+  if (we_were_root)
     {
       cap_value_t new_cap_list[] = { CAP_AUDIT_WRITE };
       cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID };
@@ -414,7 +414,7 @@ _dbus_change_to_daemon_user  (const char    *user,
     }
   
 #ifdef HAVE_LIBAUDIT
-  if (!we_were_root)
+  if (we_were_root)
     {
       if (cap_set_proc (new_caps))
         {
@@ -433,6 +433,7 @@ _dbus_change_to_daemon_user  (const char    *user,
                           _dbus_strerror (errno));
           return FALSE;
         }
+      audit_init();
     }
 #endif