Чтобы работал pam_tcb.so вызывающий процесс должен иметь установленную CAP_SETGID.


Поскольку newrole (как и весь SeLinux) писали маньяки безопасности они сделали вот это:

/**
 * This function will drop the capabilities so that we are left
 * only with access to the audit system and the ability to raise
 * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
 * before invoking pam_namespace.  These capabilities are needed
 * for performing bind mounts/unmounts and to create potential new
 * instance directories with appropriate DAC attributes. If the
 * user is root, we leave the capabilities alone since they already
 * should have access to the audit netlink socket and should have
 * the ability to create/mount/unmount instance directories.
 *
 * Returns zero on success, non-zero otherwise
 */
static int drop_capabilities(int full)
{
    capng_setpid(getpid());
    capng_clear(CAPNG_SELECT_BOTH);



Получаем:

stat64("/etc/tcb", {st_mode=S_IFDIR|0710, st_size=4096, ...}) = 0
stat64("/etc/tcb/root", {st_mode=S_IFDIR|S_ISGID|0710, st_size=4096, ...}) = 0
getgroups32(1024, [0, 1, 2, 3, 4, 6, 10, 19]) = 8
setgroups32(0, [])                = -1 EPERM (Operation not permitted)

Где setgroups() sets the supplementary group IDs for the calling process. Appropriate privileges (Linux: the CAP_SETGID capability) are required. 


Патч сводится к policycoreutils/newrole/newrole.c:

-               capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
+               capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_SETGID, -1);


Приложите пожалуйста этот патч. Спасибо.