authorSamuli Suominen <ssuominen@gentoo.org>2012-05-29 15:21:15 +0000
committerSamuli Suominen <ssuominen@gentoo.org>2012-05-29 15:21:15 +0000
commit8ba38f37fb9bdaf34822ec8beabe510acf31011b (patch)
tree22ac4e0642ea89990ae21bf16cea510ba4e6e0ac /sys-apps/dbus
parentMarking nano-2.3.1-r1 ppc64 for bug 413897 (diff)
When dropping capabilities, only include AUDIT caps if we have them wrt #405975. This makes audit/selinux enabled D-Bus work in a Linux container. Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
(Portage version: 2.2.0_alpha108/cvs/Linux x86_64)
Diffstat (limited to 'sys-apps/dbus')
-rw-r--r--sys-apps/dbus/ChangeLog11
-rw-r--r--sys-apps/dbus/dbus-1.4.20.ebuild6
-rw-r--r--sys-apps/dbus/dbus-1.5.12-r1.ebuild188
-rw-r--r--sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch39
4 files changed, 241 insertions, 3 deletions
diff --git a/sys-apps/dbus/ChangeLog b/sys-apps/dbus/ChangeLog
index 7379712b9532..ece26c1d5ccc 100644
--- a/sys-apps/dbus/ChangeLog
+++ b/sys-apps/dbus/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sys-apps/dbus
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/ChangeLog,v 1.339 2012/05/24 04:21:00 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/ChangeLog,v 1.340 2012/05/29 15:21:15 ssuominen Exp $
+
+*dbus-1.5.12-r1 (29 May 2012)
+
+ 29 May 2012; Samuli Suominen <ssuominen@gentoo.org> dbus-1.4.20.ebuild,
+ +dbus-1.5.12-r1.ebuild,
+ +files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch:
+ When dropping capabilities only include AUDIT caps if we have them wrt
+ #405975. This makes audit/selinux enabled D-Bus work in a Linux container.
+ Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
24 May 2012; Mike Frysinger <vapier@gentoo.org> dbus-1.4.16-r2.ebuild,
dbus-1.4.16.ebuild, dbus-1.4.18.ebuild, dbus-1.4.20.ebuild,
diff --git a/sys-apps/dbus/dbus-1.4.20.ebuild b/sys-apps/dbus/dbus-1.4.20.ebuild
index 63c44d9fa00c..9d90cae66215 100644
--- a/sys-apps/dbus/dbus-1.4.20.ebuild
+++ b/sys-apps/dbus/dbus-1.4.20.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.4.20.ebuild,v 1.10 2012/05/24 04:21:00 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.4.20.ebuild,v 1.11 2012/05/29 15:21:15 ssuominen Exp $
EAPI=4
inherit autotools eutils multilib flag-o-matic python systemd virtualx user
@@ -58,7 +58,9 @@ src_prepare() {
-e '/"dispatch"/d' \
bus/test-main.c || die
- epatch "${FILESDIR}"/${PN}-1.4.0-asneeded.patch
+ epatch \
+ "${FILESDIR}"/${PN}-1.4.0-asneeded.patch \
+ "${FILESDIR}"/${PN}-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
# required for asneeded patch but also for bug 263909, cross-compile so
# don't remove eautoreconf
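Review bot: The patch added to the epatch call is named for 1.5.12 (`${PN}-1.5.12-selinux-...`) but is being applied to the 1.4.20 sources, and nothing in the hunk says why a newer version's patch is expected to apply here. A one-line comment above the call would save the next maintainer a trip to the bug, e.g. `# bug 405975: keep CAP_AUDIT_WRITE only when the process actually holds it (containers); upstream e1b83fb5, applies to 1.4.x as well`. src_prepare continues outside the hunk, so whether anything else in it touches bus/selinux.c is not visible here.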
diff --git a/sys-apps/dbus/dbus-1.5.12-r1.ebuild b/sys-apps/dbus/dbus-1.5.12-r1.ebuild
new file mode 100644
index 000000000000..a564e26066d3
--- /dev/null
+++ b/sys-apps/dbus/dbus-1.5.12-r1.ebuild
@@ -0,0 +1,188 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/dbus/dbus-1.5.12-r1.ebuild,v 1.1 2012/05/29 15:21:15 ssuominen Exp $
+
+EAPI=4
+inherit autotools eutils linux-info flag-o-matic python systemd virtualx user
+
+DESCRIPTION="A message bus system, a simple way for applications to talk to each other"
+HOMEPAGE="http://dbus.freedesktop.org/"
+SRC_URI="http://dbus.freedesktop.org/releases/dbus/${P}.tar.gz"
+
+LICENSE="|| ( AFL-2.1 GPL-2 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="debug doc selinux static-libs systemd test X"
+
+RDEPEND=">=dev-libs/expat-2
+ selinux? (
+ sec-policy/selinux-dbus
+ sys-libs/libselinux
+ )
+ systemd? ( >=sys-apps/systemd-32 )
+ X? (
+ x11-libs/libX11
+ x11-libs/libXt
+ )"
+DEPEND="${RDEPEND}
+ virtual/pkgconfig
+ doc? (
+ app-doc/doxygen
+ app-text/docbook-xml-dtd:4.1.2
+ app-text/xmlto
+ )
+ test? (
+ >=dev-libs/glib-2.24
+ dev-lang/python:2.7
+ )"
+
+# out of sources build directory
+BD=${WORKDIR}/${P}-build
+# out of sources build dir for make check
+TBD=${WORKDIR}/${P}-tests-build
+
+pkg_setup() {
+ enewgroup messagebus
+ enewuser messagebus -1 -1 -1 messagebus
+
+ if use test; then
+ python_set_active_version 2
+ python_pkg_setup
+ fi
+
+ if use kernel_linux; then
+ CONFIG_CHECK="~EPOLL"
+ linux-info_pkg_setup
+ fi
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-selinux-when-dropping-capabilities-only-include-AUDI.patch
+
+ # Tests were restricted because of this
+ sed -i \
+ -e 's/.*bus_dispatch_test.*/printf ("Disabled due to excess noise\\n");/' \
+ -e '/"dispatch"/d' \
+ bus/test-main.c || die
+
+ # required for asneeded patch but also for bug 263909, cross-compile so
+ # don't remove eautoreconf
+ eautoreconf
+}
+
+src_configure() {
+ local myconf
+
+ # so we can get backtraces from apps
+ append-flags -rdynamic
+
+ # libaudit is *only* used in DBus wrt SELinux support, so disable it, if
+ # not on an SELinux profile.
+ myconf=(
+ --localstatedir=/var
+ --docdir=/usr/share/doc/${PF}
+ --htmldir=/usr/share/doc/${PF}/html
+ $(use_enable static-libs static)
+ $(use_enable debug verbose-mode)
+ --disable-asserts
+ --disable-checks
+ $(use_enable selinux)
+ $(use_enable selinux libaudit)
+ $(use_enable kernel_linux inotify)
+ $(use_enable kernel_FreeBSD kqueue)
+ $(use_enable systemd)
+ --disable-embedded-tests
+ --disable-modular-tests
+ $(use_enable debug stats)
+ --with-xml=expat
+ --with-session-socket-dir=/tmp
+ --with-system-pid-file=/var/run/dbus.pid
+ --with-system-socket=/var/run/dbus/system_bus_socket
+ --with-dbus-user=messagebus
+ $(use_with X x)
+ "$(systemd_with_unitdir)"
+ )
+
+ mkdir "${BD}"
+ cd "${BD}"
+ einfo "Running configure in ${BD}"
+ ECONF_SOURCE="${S}" econf "${myconf[@]}" \
+ $(use_enable doc xml-docs) \
+ $(use_enable doc doxygen-docs)
+
+ if use test; then
+ mkdir "${TBD}"
+ cd "${TBD}"
+ einfo "Running configure in ${TBD}"
+ ECONF_SOURCE="${S}" econf "${myconf[@]}" \
+ $(use_enable test asserts) \
+ $(use_enable test checks) \
+ $(use_enable test embedded-tests) \
+ $(has_version dev-libs/dbus-glib && echo --enable-modular-tests)
+ fi
+}
+
+src_compile() {
+ # after the compile, it uses a selinuxfs interface to
+ # check if the SELinux policy has the right support
+ use selinux && addwrite /selinux/access
+
+ cd "${BD}"
+ einfo "Running make in ${BD}"
+ emake
+
+ if use test; then
+ cd "${TBD}"
+ einfo "Running make in ${TBD}"
+ emake
+ fi
+}
+
+src_test() {
+ cd "${TBD}"
+ DBUS_VERBOSE=1 Xemake -j1 check
+}
+
+src_install() {
+ newinitd "${FILESDIR}"/dbus.initd dbus
+
+ if use X; then
+ # dbus X session script (#77504)
+ # turns out to only work for GDM (and startx). has been merged into
+ # other desktop (kdm and such scripts)
+ exeinto /etc/X11/xinit/xinitrc.d
+ doexe "${FILESDIR}"/80-dbus
+ fi
+
+ # needs to exist for dbus sessions to launch
+ keepdir /usr/share/dbus-1/services
+ keepdir /etc/dbus-1/{session,system}.d
+ # machine-id symlink from pkg_postinst()
+ keepdir /var/lib/dbus
+
+ dodoc AUTHORS ChangeLog HACKING NEWS README doc/TODO
+
+ cd "${BD}"
+ emake DESTDIR="${D}" install
+
+ find "${ED}" -type f -name '*.la' -exec rm -f {} +
+}
+
+pkg_postinst() {
+ elog "To start the D-Bus system-wide messagebus by default"
+ elog "you should add it to the default runlevel :"
+ elog "\`rc-update add dbus default\`"
+ elog
+ elog "Some applications require a session bus in addition to the system"
+ elog "bus. Please see \`man dbus-launch\` for more information."
+ elog
+ ewarn "You must restart D-Bus \`/etc/init.d/dbus restart\` to run"
+ ewarn "the new version of the daemon."
+ ewarn "Don't do this while X is running because it will restart your X as well."
+
+ # Ensure unique id is generated and put it in /etc wrt #370451 but symlink
+ # for DBUS_MACHINE_UUID_FILE (see tools/dbus-launch.c) and reverse
+ # dependencies with hardcoded paths (although the known ones got fixed already)
+ dbus-uuidgen --ensure="${EROOT}"/etc/machine-id
+ ln -sf "${EROOT}"/etc/machine-id "${EROOT}"/var/lib/dbus/machine-id
+}
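Review bot: Every `mkdir "${BD}"` / `cd "${BD}"` and `cd "${TBD}"` in src_configure, src_compile, src_test and src_install runs unchecked; under EAPI=4 only ebuild helpers die on failure, so a failed `cd` would leave econf or emake running in the directory the phase started in (presumably `${S}`) rather than aborting the build. Append `|| die` to each, e.g. `mkdir "${BD}" || die` and `cd "${BD}" || die` (same for the `${TBD}` pair in the `use test` branch and the single `cd` lines at the top of src_compile, src_test and src_install). The `if use test` block under src_configure needs the same treatment for its `mkdir`/`cd` pair. The rest of the file (patch application, configure flags, install) looks consistent with the 1.4.20 ebuild that the same commit touches.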
diff --git a/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch b/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
new file mode 100644
index 000000000000..45d610c5ef1d
--- /dev/null
+++ b/sys-apps/dbus/files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch
@@ -0,0 +1,39 @@
+http://bugs.gentoo.org/405975
+
+From e1b83fb58eadfd02227673db9a7e2833d29b0c98 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 23 Apr 2012 00:32:43 +0200
+Subject: [PATCH] selinux: when dropping capabilities only include AUDIT caps
+ if we have them
+
+When we drop capabilities we shouldn't assume we can keep
+CAP_AUDIT_WRITE unconditionally, since it will not be available when
+running in containers.
+
+This patch only adds CAP_AUDIT_WRITE to the list of caps we keep if we
+actually have it in the first place.
+
+This makes audit/selinux enabled D-Bus work in a Linux container.
+---
+ bus/selinux.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/bus/selinux.c b/bus/selinux.c
+index 36287e9..1bfc791 100644
+--- a/bus/selinux.c
++++ b/bus/selinux.c
+@@ -1053,8 +1053,9 @@ _dbus_change_to_daemon_user (const char *user,
+ int rc;
+
+ capng_clear (CAPNG_SELECT_BOTH);
+- capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
+- CAP_AUDIT_WRITE);
++ if (capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE))
++ capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED,
++ CAP_AUDIT_WRITE);
+ rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
+ if (rc)
+ {
+--
+1.7.10
+
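Review bot: The new `capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE)` query runs after `capng_clear (CAPNG_SELECT_BOTH)`, and libcap-ng's have_capability consults the library's working copy of the capability sets, which that clear has just zeroed — so as written the condition is never true and CAP_AUDIT_WRITE is never retained, which silently loses audit records rather than fixing the container case. Query before clearing and keep the result in a local: `int have_audit_write = capng_have_capability (CAPNG_PERMITTED, CAP_AUDIT_WRITE);` then `capng_clear (CAPNG_SELECT_BOTH);` and `if (have_audit_write)` guarding the existing capng_update. The working copy also has to have been populated from the process (a `capng_get_caps_process ()` call) before the query; whether the enclosing `_dbus_change_to_daemon_user` already does that is outside the hunk, so confirm it against the surrounding source. This is a review of the wrapped upstream change, not of the ebuild wiring around it.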