[Debian-ha-maintainers] Bug#551479: Acknowledgement (adding some capability-related code probably originating from drbd8 upstream, successful build but drbdadm up resources returns CAP_SYS_ADMIN necessary error while selinux is completely disabled)
Piotr Wadas
pwadas at dtpw.pl
Sun Oct 18 15:15:11 UTC 2009
Well, this fixes it. But this is not a solution, rather a workaround,
I guess the whole thing is to allow using drbd with selinux/lids enabled,
while removal still does not. Note, that #ifdef KERNEL_HAS_CN_SKB_PARMS
was in drbd_nl.c - I tried simply adding the same ifdef in connector.c,
but it did not help, so I decided to comment the whole thing.
Regards,
Piotr Wadas <pwadas at dtpw.pl>
left:~/DRBDSRC/834# diff -uNr modules.before modules.after
diff -uNr modules.before/drbd8/drbd/connector.c
modules.after/drbd8/drbd/connector.c
--- modules.before/drbd8/drbd/connector.c 2009-10-06 13:32:41.000000000 +0200
+++ modules.after/drbd8/drbd/connector.c 2009-10-18 16:58:42.000000000 +0200
@@ -211,8 +211,6 @@
msg = NLMSG_DATA(nlh);
/* DRBD specific change: Only allow packets from ROOT */
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
return cn_call_callback(msg, (void (*)(void *))kfree_skb, skb);
}
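Review bot: dropping the `capable(CAP_SYS_ADMIN)` test just before `cn_call_callback()` leaves this receive path with no privilege check at all, and the retained comment "DRBD specific change: Only allow packets from ROOT" no longer describes the code. The message itself calls this a workaround, so I would keep the check and track down why it returns -EPERM for the caller on this kernel. If the check is removed regardless, the comment has to be removed or updated with it.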
diff -uNr modules.before/drbd8/drbd/drbd_nl.c
modules.after/drbd8/drbd/drbd_nl.c
--- modules.before/drbd8/drbd/drbd_nl.c 2009-10-05 14:52:03.000000000 +0200
+++ modules.after/drbd8/drbd/drbd_nl.c 2009-10-18 16:58:59.000000000 +0200
@@ -2063,13 +2063,6 @@
return;
}
-#ifdef KERNEL_HAS_CN_SKB_PARMS
- if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
- retcode = ERR_PERM;
- goto fail;
- }
-#endif
-
mdev = ensure_mdev(nlp);
if (!mdev) {
retcode = ERR_MINOR_INVALID;
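Review bot: with the `cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)` block deleted here and the `capable()` test deleted in connector.c, nothing visible in this patch still restricts which sender's request reaches `ensure_mdev(nlp)`. At least one of the two checks should stay. This one was already compiled only under KERNEL_HAS_CN_SKB_PARMS, so it would be better to establish which of the two actually fails on this kernel and change only that one, rather than delete both.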
left:~/DRBDSRC/834#