The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
find out if sudo wants to ask the user to reauthenticate or not).
I have found the same policy rules in Fedora's repository (commit
d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
direct mail on the refpolicy archives with a request to push this through.
This is patch 1/3, which defines the type.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/sudo.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 7aacfc2..8f4a2be 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,6 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
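Review bot: `files_type(sudo_db_t)` declares the type, but this hunk neither labels /var/db/sudo with it nor grants sudodomain any access to it, so applied on its own the type is unused and the series only makes sense once patches 2/3 and 3/3 land. Since /var/run/sudo already carries pam_var_run_t for the same timestamp data (see authlogin.fc), the commit message should say why a separate sudo_db_t is preferable to extending that existing label to the new path, rather than leaving reviewers to infer it.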
--
1.7.3.4
On 02/06/2011 03:55 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in Fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 1/3, which defines the type.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/sudo.te | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
> index 7aacfc2..8f4a2be 100644
> --- a/policy/modules/admin/sudo.te
> +++ b/policy/modules/admin/sudo.te
> @@ -7,3 +7,6 @@ attribute sudodomain;
>
> type sudo_exec_t;
> application_executable_file(sudo_exec_t)
> +
> +type sudo_db_t;
> +files_type(sudo_db_t)
I handled this in a different way:
authlogin.fc:
# Fedora's sudo moved from run to db, not sure if pam is still involved.
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/db/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
On Sun, Feb 06, 2011 at 05:44:00PM +0100, Dominick Grift wrote:
[... snip introducing a new type for /var/db/sudo ...]
> I handled this in a different way:
>
> authlogin.fc:
>
> # Fedora's sudo moved from run to db, not sure if pam is still involved.
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/db/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
Fair enough; /var/db/sudo is indeed the new target but for exactly the same
functionality. See also http://www.sudo.ws/repos/sudo/rev/8c9440423d98
I'll resubmit a new patch for this. Thanks for the feedback.
Wkr,
Sven Vermeulen
Since sudo 1.7.4, the timestamp directory has moved from /var/run/sudo to
/var/db/sudo, lib or adm (in that order). See also the sudo changeset
http://www.sudo.ws/repos/sudo/rev/8c9440423d98
Keeping the "old" one (/var/run/sudo) for a while for those systems where
sudo has not been updated yet (the change dates from 1.7.4, Jul 14 2010).
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/authlogin.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 1c4b1e7..2952cef 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -43,3 +43,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
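Review bot: the new entry reuses pam_var_run_t for a persistent path under /var/db, /var/lib or /var/adm, and nothing in the file records why a type named for /var/run state applies there; add a comment above the line, e.g. `# sudo >= 1.7.4 keeps its timestamps under /var/(db|lib|adm)/sudo`, and since the commit message keeps /var/run/sudo only for installs that have not been updated yet, mark that entry as transitional so it can be dropped later without re-reading the list archive.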
--
1.7.3.4
On 2/6/2011 3:03 PM, Sven Vermeulen wrote:
>
> Since sudo 1.7.4, the timestamp directory has moved from /var/run/sudo to
> /var/db/sudo, lib or adm (in that order). See also the sudo changeset
> http://www.sudo.ws/repos/sudo/rev/8c9440423d98
>
> Keeping the "old" one (/var/run/sudo) for a while for those systems where
> sudo has not been updated yet (the change dates from 1.7.4, Jul 14 2010).
Merged.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/authlogin.fc | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> index 1c4b1e7..2952cef 100644
> --- a/policy/modules/system/authlogin.fc
> +++ b/policy/modules/system/authlogin.fc
> @@ -43,3 +43,4 @@ ifdef(`distro_gentoo', `
> /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> +/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
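As an added example (not code from this thread or from refpolicy): a small Python resolver for file_contexts entries, fed the lines of the merged authlogin.fc hunk as a constructed sample, to show which paths the new `/var/(db|lib|adm)/sudo(/.*)?` entry labels and which it leaves unlabelled. It assumes the rules setfiles and matchpathcon apply, namely that each regex is anchored to the whole path and that when several entries match the last one in the file wins, and it expands gen_context() the MCS/MLS way (user:role:type:s0). The sample lines, the example paths and the helper names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the entries from the authlogin.fc hunk in this thread,
# i.e. the three existing /var/run lines plus the added /var/(db|lib|adm)/sudo line.
SAMPLE_FC = """\
# sudo timestamp directories (constructed sample mirroring the merged hunk)
/var/run/pam_ssh(/.*)?          gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)?         gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)?             gen_context(system_u:object_r:pam_var_run_t,s0)
/var/(db|lib|adm)/sudo(/.*)?    gen_context(system_u:object_r:pam_var_run_t,s0)
"""

# One file_contexts line: <regex> [<object-class flag>] gen_context(<user>:<role>:<type>,<mls>)
# The optional flag is one of -- -b -c -d -l -p -s (regular file, block, char, dir, ...).
FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?"
    r"gen_context\((?P<ctx>[^,)]+),(?P<mls>[^)]+)\)\s*$"
)


@dataclass
class FcEntry:
    pattern: "re.Pattern[str]"   # compiled path regex, matched against the whole path
    ftype: Optional[str]         # e.g. "-d" = directories only; None = any object class
    context: str                 # expanded gen_context(), e.g. system_u:object_r:pam_var_run_t:s0


def parse_fc(text: str) -> List[FcEntry]:
    """Parse file_contexts source lines, skipping blanks and '#' comments."""
    entries: List[FcEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a file_contexts entry: {raw!r}")
        # gen_context(user:role:type, mls) expands to user:role:type:mls on MCS/MLS policy
        context = f"{m['ctx']}:{m['mls']}"
        entries.append(FcEntry(re.compile(m["regex"]), m["ftype"], context))
    return entries


def lookup(path: str, entries: List[FcEntry], ftype: Optional[str] = None) -> Optional[str]:
    """Return the context for path, or None if no entry applies.

    Regexes are anchored to the full path (fullmatch), and when several entries
    match, the last one in the file wins, as setfiles/matchpathcon resolve it.
    An entry restricted to one object class is skipped when the caller asks
    for a different class.
    """
    found = None
    for entry in entries:
        if entry.ftype is not None and ftype is not None and entry.ftype != ftype:
            continue
        if entry.pattern.fullmatch(path):
            found = entry.context
    return found


def type_of(path: str, entries: List[FcEntry], ftype: Optional[str] = None) -> Optional[str]:
    """Just the type component (the part refpolicy rules refer to)."""
    ctx = lookup(path, entries, ftype)
    return ctx.split(":")[2] if ctx else None


ENTRIES = parse_fc(SAMPLE_FC)


def sudo_timestamp_labels() -> Dict[str, Optional[str]]:
    """Label each directory sudo may use for timestamps: the old /var/run one
    and the three candidates sudo 1.7.4 tries in order (db, lib, adm)."""
    candidates = ["/var/run/sudo", "/var/db/sudo", "/var/lib/sudo", "/var/adm/sudo"]
    return {d: type_of(d, ENTRIES, "-d") for d in candidates}


if __name__ == "__main__":
    for directory, label in sudo_timestamp_labels().items():
        print(f"{directory:<14} -> {label}")
    # Per-user timestamp files under the directory inherit the same label...
    print("/var/db/sudo/alice/tty1 ->", type_of("/var/db/sudo/alice/tty1", ENTRIES))
    # ...while the anchored (/.*)? group keeps unrelated siblings unlabelled.
    print("/var/db/sudoers         ->", type_of("/var/db/sudoers", ENTRIES))
```

Running it shows every candidate directory resolving to pam_var_run_t, which is the property the thread settles on (same label for the old and new locations), and `/var/db/sudoers` resolving to nothing, because `(/.*)?` only extends the match below the directory rather than to any path sharing the `sudo` prefix. Replace `SAMPLE_FC` with the real file, or with the output of `semanage fcontext -l`, to check the same questions against an installed policy.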