[refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo

Dominick Grift dac.override at gmail.com
Sun Nov 23 14:40:08 UTC 2014


On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
> 2014-11-23 13:50 GMT+01:00 Dominick Grift <dac.override at gmail.com>:
> >> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> >>         auth_run_chk_passwd($1_sudo_t, $2)
> >> >>         # sudo stores a token in the pam_pid directory
> >> >>         auth_manage_pam_pid($1_sudo_t)
> >> >> +       auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
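Review bot: the interface called on the added line, auth_pid_filetrans_pam_var_run(), is not defined in refpolicy's authlogin.if, so this hunk on its own fails the build; either add the interface definition to authlogin.if in this patch (or in an earlier patch of the series) or drop the call. The comment two lines above, "sudo stores a token in the pam_pid directory", should also mention that the "sudo" directory itself is created with a named transition to pam_var_run_t, since that is what the new line adds.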
> >> >
> >> > This interface does not exist in refpolicy and the build fails because
> >> > of this. Gentoo policy defines it in authlogin.if and the definition
> >> > looks good to me:
> >> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >> >
> >
> > I do not see how /var/run/sudo is associated with pam
> 
> The authlogin.fc already contains the following:
> 
> /var/run/sudo(/.*)?             gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/user(/.*)?             gen_context(system_u:object_r:var_auth_t,s0)
> /var/(db|adm)/sudo(/.*)?        gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)?     gen_context(system_u:object_r:pam_var_run_t,s0)
> 
> I don't know if it is legacy, or because some PAM modules require a
> more common access pattern. In any case, this file transition is only
> to keep the application (and policy) running as-is -- without it,
> users need to run "restorecon -R /var/run/sudo" every time their
> system is started.
> 

Yea, probably legacy. Just sayin' though, ideally it should probably not be associated with pam_var_run_t in my view.

-- 
Dominick Grift
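The following is an added illustration, not code from the thread, refpolicy or libselinux, of the point Sven makes above: without a named file transition, a directory that sudo creates under /var/run inherits its parent's type, which does not match the pam_var_run_t entry in authlogin.fc, so only a restorecon would fix the label. The model is simplified: file_contexts resolution is "last matching entry wins" (the refpolicy build sorts the entries from general to specific), a named type_transition beats an unnamed one, and the parent type is the fallback. The domain staff_sudo_t stands in for $1_sudo_t, and /var/run is assumed to be labeled var_run_t; both are assumptions of this example.

```python
"""Toy model of SELinux object labeling at creation time versus file_contexts.

Constructed example for the refpolicy discussion of sudo's /var/run/sudo
directory; it is not refpolicy or libselinux code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FileTrans:
    """A (possibly named) type_transition rule applied on object creation."""
    domain: str
    parent_type: str
    obj_class: str
    new_type: str
    name: Optional[str] = None  # None models an unnamed transition


# file_contexts entries, ordered general to specific as the refpolicy build
# sorts them; the last matching entry wins, as with restorecon/setfiles.
FILE_CONTEXTS = [
    (r"/var/run(/.*)?", "var_run_t"),                # assumed label of /var/run
    (r"/var/run/sudo(/.*)?", "pam_var_run_t"),       # authlogin.fc (quoted above)
    (r"/var/run/user(/.*)?", "var_auth_t"),          # authlogin.fc (quoted above)
    (r"/var/(db|adm)/sudo(/.*)?", "pam_var_run_t"),  # authlogin.fc (quoted above)
    (r"/var/lib/sudo(/.*)?", "pam_var_run_t"),       # authlogin.fc (quoted above)
]


def fc_label(path: str) -> Optional[str]:
    """Type that file_contexts assigns to a path: last matching spec wins."""
    label = None
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            label = ftype
    return label


def creation_label(domain: str, parent_type: str, obj_class: str,
                   name: str, rules: List[FileTrans]) -> str:
    """Type a new object gets: named rule, else unnamed rule, else parent type."""
    def matches(rule: FileTrans) -> bool:
        return (rule.domain == domain and rule.parent_type == parent_type
                and rule.obj_class == obj_class)

    named = [r for r in rules if matches(r) and r.name == name]
    if named:
        return named[0].new_type
    unnamed = [r for r in rules if matches(r) and r.name is None]
    if unnamed:
        return unnamed[0].new_type
    return parent_type


def needs_restorecon(domain: str, parent_path: str, obj_class: str, name: str,
                     rules: List[FileTrans]) -> Tuple[bool, str, Optional[str]]:
    """Compare the creation-time type with what file_contexts expects.

    Returns (mismatch, type_at_creation, type_per_file_contexts).
    """
    parent_type = fc_label(parent_path)
    path = parent_path.rstrip("/") + "/" + name
    got = creation_label(domain, parent_type, obj_class, name, rules)
    want = fc_label(path)
    return got != want, got, want


# Models auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") from the patch,
# i.e. type_transition staff_sudo_t var_run_t:dir pam_var_run_t "sudo";
SUDO_FILETRANS = FileTrans("staff_sudo_t", "var_run_t", "dir", "pam_var_run_t", "sudo")


if __name__ == "__main__":
    for label, rules in (("without filetrans", []), ("with filetrans", [SUDO_FILETRANS])):
        mismatch, got, want = needs_restorecon("staff_sudo_t", "/var/run", "dir", "sudo", rules)
        print(f"{label}: /var/run/sudo created as {got}, file_contexts says {want},"
              f" restorecon needed: {mismatch}")
    # A timestamp file inside an already correctly labeled /var/run/sudo needs no rule.
    print(needs_restorecon("staff_sudo_t", "/var/run/sudo", "file", "ts", []))
```

The third call shows why the patch only transitions the top-level "sudo" directory: once that directory carries pam_var_run_t, the files created inside it inherit the right type without any further rule.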