Commit 2cf320fc authored by Lennart Poettering, committed by Simon McVittie

selinux: when dropping capabilities only include AUDIT caps if we have them

When we drop capabilities we shouldn't assume we can keep
CAP_AUDIT_WRITE unconditionally, since it will not be available when
running in containers.

This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
actually have it in the first place.

This makes audit/selinux enabled D-Bus work in a Linux container.

Bug: Thiago Macieira <>
Acked-by: Colin Walters <>
Reviewed-by: Simon McVittie <>
parent efd8209d
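The rule the commit message states, only retain a capability you already hold in the permitted set, as an added example that is not part of the dbus commit or of libcap-ng. It reads the permitted set from `/proc/self/status` on Linux instead of calling libcap-ng so it runs without extra libraries; `cap_in_mask`, `parse_cap_line`, `read_permitted_caps` and `caps_to_keep` are names I chose for this illustration, and the constructed `CapPrm` line in the comments is sample data.

```c
/* Added example (not dbus code): decide which capabilities to keep across a
 * uid/gid change by consulting the process's *permitted* set first. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_AUDIT_WRITE 29          /* value from linux/capability.h */
#define CAP_PARSE_ERROR UINT64_MAX  /* impossible as a real mask: fewer than 64 caps exist */

/* Test whether capability number `cap` is set in a capability bitmask. */
int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Parse a "CapXxx:\t<hex>" line as printed in /proc/<pid>/status, e.g. the
 * constructed line "CapPrm:\t0000000020000000\n" (only CAP_AUDIT_WRITE set).
 * Returns the mask, or CAP_PARSE_ERROR if the line does not carry `key`. */
uint64_t parse_cap_line(const char *line, const char *key)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return CAP_PARSE_ERROR;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    uint64_t v = strtoull(p, &end, 16);
    if (end == p)
        return CAP_PARSE_ERROR;
    return v;
}

/* Read the permitted set of the current process from /proc/self/status.
 * Returns -1 if /proc is unavailable (non-Linux) or the CapPrm line is missing. */
int read_permitted_caps(uint64_t *mask_out)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int rc = -1;
    while (fgets(line, sizeof line, f)) {
        uint64_t v = parse_cap_line(line, "CapPrm");
        if (v != CAP_PARSE_ERROR) {
            *mask_out = v;
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* Build the mask to retain: start empty (the equivalent of capng_clear) and add
 * CAP_AUDIT_WRITE only if it is currently permitted.  capset() refuses to add a
 * capability to the permitted set that the process does not already hold, so
 * asking for it unconditionally makes the whole uid/gid change fail inside a
 * container that never granted CAP_AUDIT_WRITE. */
uint64_t caps_to_keep(uint64_t permitted)
{
    uint64_t keep = 0;
    if (cap_in_mask(permitted, CAP_AUDIT_WRITE))
        keep |= (uint64_t)1 << CAP_AUDIT_WRITE;
    return keep;
}

int main(void)
{
    uint64_t prm;
    if (read_permitted_caps(&prm) != 0) {
        fprintf(stderr, "could not read CapPrm from /proc/self/status\n");
        return 1;
    }
    printf("permitted=%016llx keep=%016llx\n",
           (unsigned long long)prm, (unsigned long long)caps_to_keep(prm));
    return 0;
}
```

Run it unprivileged and inside a container to compare: `keep` is non-zero only where `CapPrm` already contains bit 29, which is exactly the decision the patch makes before calling `capng_change_id`.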
......@@ -1045,6 +1045,7 @@ _dbus_change_to_daemon_user (const char *user,
int rc;
capng_clear (CAPNG_SELECT_BOTH);
if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
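Review bot: the new `capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)` test runs after `capng_clear (CAPNG_SELECT_BOTH)`. libcap-ng's capng_have_capability inspects the library's internal working set rather than the kernel's view of the process, and capng_clear has just emptied that set, so the condition evaluates false whether or not the process really holds CAP_AUDIT_WRITE, and audit logging would be silently lost everywhere, not just in containers; query the capability before the capng_clear call (saving the result in a local `int have_audit_write`) or refresh the working set with capng_get_caps_process() before testing it. Also, as rendered here the `if` sits directly above `rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);`; confirm that the condition guards only the capng_update call that re-adds CAP_AUDIT_WRITE and not the uid/gid change itself, which must run unconditionally.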