[refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

Nicolas Iooss nicolas.iooss at m4x.org
Sat Nov 22 19:55:24 UTC 2014


2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> [...]
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
>         #
>
>         # Use capabilities.
> -       allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> +       allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
>         allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>         allow $1_sudo_t self:process { setexec setrlimit };
>         allow $1_sudo_t self:fd use;
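Review bot: the new `chown` capability in the `allow $1_sudo_t self:capability { ... }` line has no accompanying comment, and nothing in the hunk says what $1_sudo_t needs to chown. The subject line implies it is the timestamp directory under /var/run/sudo; since `chown` lets the domain reassign ownership of any file it can otherwise reach, please state that purpose in a comment next to the line (the file already annotates this block with "# Use capabilities.") so the capability can be tied back to the /var/run/sudo change and reconsidered if sudo stops chowning the directory.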
> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>         auth_run_chk_passwd($1_sudo_t, $2)
>         # sudo stores a token in the pam_pid directory
>         auth_manage_pam_pid($1_sudo_t)
> +       auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
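Review bot: `auth_pid_filetrans_pam_var_run` is called here but is not defined by this hunk or by anything else visible in the patch, so the call needs a matching interface in authlogin.if that lands in the same patch or in an earlier patch of the series; otherwise the module fails to build. The comment just above, "# sudo stores a token in the pam_pid directory", also no longer covers the added line, which is about the "sudo" directory itself being created with the pam pid type; extend the comment to say that the directory is created by sudo and gets its label through the filetrans rule.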

This interface does not exist in refpolicy and the build fails because
of this. Gentoo policy defines it in authlogin.if and the definition
looks good to me:
https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811

Thanks,

Nicolas
