From 2cf320fc82593fd1b3c71688f770e443366780ec Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 23 Apr 2012 00:32:43 +0200
Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps if we have them
When we drop capabilities we shouldn't assume we can keep CAP_AUDIT_WRITE unconditionally, since it will not be available when running in containers. This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we actually have it in the first place. This makes audit/selinux enabled D-Bus work in a Linux container.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=49062
Acked-by: Thiago Macieira
Acked-by: Colin Walters
Reviewed-by: Simon McVittie
---
 bus/selinux.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bus/selinux.c b/bus/selinux.c
index c36c94e..7ae84d6 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -1045,8 +1045,9 @@ _dbus_change_to_daemon_user (const char *user,
   int rc;
   capng_clear (CAPNG_SELECT_BOTH);
-  capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
-                CAP_AUDIT_WRITE);
+  if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
+    capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+                  CAP_AUDIT_WRITE);
   rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
   if (rc) {
-- 
2.7.4
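Review bot: The new `capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)` test is evaluated after `capng_clear (CAPNG_SELECT_BOTH)`, and libcap-ng documents both calls as operating on its internal working set rather than on the live process credentials, so the cleared set makes the check return false on every host and CAP_AUDIT_WRITE is never retained, not only in containers. The test has to sample the state before it is cleared: `int have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);` ahead of the `capng_clear` call, then `if (have_audit_write)` guarding the `capng_update`, with a comment such as `/* check before capng_clear: it wipes the internal set this reads */`. This presumes the internal set was populated earlier (for example by `capng_get_caps_process`), which is not visible in the hunk and should be confirmed in the code preceding it. The return value of `capng_update` is also still unchecked, so a failed update would silently fall through to `capng_change_id` without the capability. `_dbus_change_to_daemon_user` begins and continues outside this hunk.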