2011-02-06 14:56:17

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory

The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
find out if sudo wants to ask the user to reauthenticate or not).

I have found the same policy rules in Fedora's repository (commit
d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
direct mail on the refpolicy archives with a request to push this through.

This is patch 2/3 which allows the sudo domain (defined in the template) to
manipulate the timestamp database.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/sudo.if | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 975af1a..5b55cf5 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`

gen_require(`
type sudo_exec_t;
+ type sudo_db_t;
attribute sudodomain;
')

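Review bot: adding `type sudo_db_t;` to this gen_require makes sudo_role_template depend on the type declared in patch 1/3 of the series, so the sudo module will fail to build if 2/3 is applied without 1/3; the ordering dependency should be stated in the commit message (or the two patches folded into one). Since sudo_db_t is declared in the same sudo module, referencing it directly from sudo.if rather than through a cross-module interface is fine.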
@@ -80,6 +81,10 @@ template(`sudo_role_template',`
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;

+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+ allow $1_sudo_t sudo_db_t:dir { getattr };
+
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
kernel_link_key($1_sudo_t)
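Review bot: the explicit `allow $1_sudo_t sudo_db_t:dir { getattr };` is redundant and should be dropped: `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` already expands to manage_dir_perms on sudo_db_t directories (and rw_dir_perms on the parent, also sudo_db_t here), both of which include getattr. Keeping only the two pattern calls is enough. Note also that manage_dirs_pattern/manage_files_pattern grant create, rename, unlink and rmdir as well, which is broader than reading and refreshing timestamp files strictly requires; if full manage access is what sudo needs (for example to recreate the directory on first use), a sentence in the commit message saying so would help reviewers judge the scope.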
--
1.7.3.4
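To check the second hunk's explicit `allow $1_sudo_t sudo_db_t:dir { getattr };` against what the two pattern macros already grant, here is an added example that models the macro expansion in Python; it is not part of the patch, of refpolicy, or of this thread. Assumptions: the permission-set contents are copied from refpolicy's policy/support/obj_perm_sets.spt of this period and should be compared against the tree being reviewed; `staff` is substituted for the template's `$1` as a sample role prefix; and `parse_allow`, `already_covered` and `check_sudo_hunk` are names invented for the example.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Added example, not refpolicy code: models how the manage_*_pattern macros
# expand so a hand-written allow rule in a hunk can be checked for redundancy.

Key = Tuple[str, str, str]            # (source domain, target type, object class)
Rule = Tuple[str, str, str, FrozenSet[str]]

# Permission sets mirror refpolicy's obj_perm_sets.spt of the 2011 era
# (assumption: verify against the tree you are actually reviewing).
RW_DIR_PERMS = frozenset(
    "open getattr search lock ioctl read write add_name remove_name".split())
MANAGE_DIR_PERMS = frozenset(
    "create open getattr setattr read write link unlink rename search "
    "add_name remove_name reparent rmdir lock ioctl".split())
MANAGE_FILE_PERMS = frozenset(
    "create open getattr setattr read write append rename link unlink "
    "ioctl lock".split())

_ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;\s*$")


def parse_allow(line: str) -> Rule:
    """Parse a raw 'allow src tgt:cls { perm ... };' line from a policy file."""
    m = _ALLOW_RE.match(line)
    if not m:
        raise ValueError(f"not an allow rule: {line!r}")
    src, tgt, cls, braced, single = m.groups()
    perms = braced.split() if braced is not None else [single]
    return (src, tgt, cls, frozenset(perms))


def manage_dirs_pattern(domain: str, parent: str, dirtype: str) -> List[Rule]:
    """Expansion of refpolicy's manage_dirs_pattern(): rw on the parent dir,
    full manage on directories of the target type."""
    return [(domain, parent, "dir", RW_DIR_PERMS),
            (domain, dirtype, "dir", MANAGE_DIR_PERMS)]


def manage_files_pattern(domain: str, parent: str, filetype: str) -> List[Rule]:
    """Expansion of refpolicy's manage_files_pattern(): rw on the parent dir,
    full manage on files of the target type."""
    return [(domain, parent, "dir", RW_DIR_PERMS),
            (domain, filetype, "file", MANAGE_FILE_PERMS)]


def granted(rules: List[Rule]) -> Dict[Key, FrozenSet[str]]:
    """Union the permissions of every rule per (source, target, class)."""
    out: Dict[Key, FrozenSet[str]] = {}
    for src, tgt, cls, perms in rules:
        key = (src, tgt, cls)
        out[key] = out.get(key, frozenset()) | perms
    return out


def already_covered(rules: List[Rule], candidate: Rule) -> FrozenSet[str]:
    """Permissions in `candidate` that `rules` already grant; empty means the
    candidate adds something new."""
    src, tgt, cls, perms = candidate
    return perms & granted(rules).get((src, tgt, cls), frozenset())


def check_sudo_hunk(role_prefix: str = "staff") -> FrozenSet[str]:
    """Instantiate the hunk's three added lines for one role (the template's $1,
    'staff' assumed here) and report which perms of the explicit dir rule the
    two pattern calls already provide."""
    dom = f"{role_prefix}_sudo_t"
    pattern_rules = (manage_dirs_pattern(dom, "sudo_db_t", "sudo_db_t")
                     + manage_files_pattern(dom, "sudo_db_t", "sudo_db_t"))
    explicit = parse_allow(f"allow {dom} sudo_db_t:dir {{ getattr }};")
    return already_covered(pattern_rules, explicit)


if __name__ == "__main__":
    covered = check_sudo_hunk()
    print("perms of the explicit rule already granted by the patterns:",
          sorted(covered) or "none")
```

Running it reports that getattr is already granted, which is the basis for dropping the raw allow line; the same `already_covered` check can be pointed at any other hand-written rule next to pattern calls.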


2011-02-06 16:45:39

by domg472

Subject: [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory


On 02/06/2011 03:56 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in Fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 2/3 which allows the sudo domain (defined in the template) to
> manipulate the timestamp database.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/sudo.if | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 975af1a..5b55cf5 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -32,6 +32,7 @@ template(`sudo_role_template',`
>
> gen_require(`
> type sudo_exec_t;
> + type sudo_db_t;
> attribute sudodomain;
> ')
>
> @@ -80,6 +81,10 @@ template(`sudo_role_template',`
> allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
> allow $3 $1_sudo_t:process signal_perms;
>
> + manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + allow $1_sudo_t sudo_db_t:dir { getattr };
> +
> kernel_read_kernel_sysctls($1_sudo_t)
> kernel_read_system_state($1_sudo_t)
> kernel_link_key($1_sudo_t)

See my reply to "[refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo
timestamp database/directory"

I do not see a need for a new type for this (but I may be wrong).