honor SELinux labels, when creating and writing config files

[elogind.git] / src / nspawn / nspawn.c

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 98b583d7479995828edef31524ade45ef51a8b75..1d602a5b31ee88beb0c7b7a2e13687ac7dffa96e 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -57,6 +57,7 @@
 #include "dev-setup.h"
 #include "fdset.h"
 #include "build.h"
+#include "fileio.h"
 
 typedef enum LinkJournal {
         LINK_NO,
@@ -96,7 +97,9 @@ static uint64_t arg_retain =
         (1ULL << CAP_SYS_PTRACE) |
         (1ULL << CAP_SYS_TTY_CONFIG) |
         (1ULL << CAP_SYS_RESOURCE) |
-        (1ULL << CAP_SYS_BOOT);
+        (1ULL << CAP_SYS_BOOT) |
+        (1ULL << CAP_AUDIT_WRITE) |
+        (1ULL << CAP_AUDIT_CONTROL);
 
 static int help(void) {
 
@@ -883,8 +886,17 @@ static int process_pty(int master, pid_t pid, sigset_t *mask) {
         signal_ev.events = EPOLLIN;
         signal_ev.data.fd = signal_fd;
 
-        if (epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0 ||
-            epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 ||
+        if (epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0) {
+                if (errno != EPERM) {
+                        log_error("Failed to register stdout in epoll: %m");
+                        r = -errno;
+                        goto finish;
+                }
+                /* stdout without epoll support. Likely redirected to regular file. */
+                stdout_writable = true;
+        }
+
+        if (epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 ||
             epoll_ctl(ep, EPOLL_CTL_ADD, signal_fd, &signal_ev) < 0) {
                 log_error("Failed to register fds in epoll: %m");
                 r = -errno;