2012-04-11 18:42:59

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/1] sudo with SELinux support requires key handling

When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/sudo.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 6e1de7a..f6bef78 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -129,6 +129,7 @@ template(`sudo_role_template',`
seutil_libselinux_linked($1_sudo_t)

userdom_spec_domtrans_all_users($1_sudo_t)
+ userdom_create_all_users_keys($1_sudo_t)
userdom_manage_user_home_content_files($1_sudo_t)
userdom_manage_user_home_content_symlinks($1_sudo_t)
userdom_manage_user_tmp_files($1_sudo_t)
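Review bot: the added `userdom_create_all_users_keys($1_sudo_t)` grants key creation for all user domains, which is broader than the per-role `sudo_role_template` it sits in (everything else on the `$1_sudo_t` line set is keyed to `$1`); the commit message should say why a per-user scope is not enough, or switch to a narrower interface if one exists. The message also describes the symptom (the command staying in `sysadm_sudo_t` instead of transitioning to `sysadm_t`) but not the denial that produced it; quoting the `key create` AVC denial would make the need verifiable and easier to regression-test. Since this patch only touches `sudo.if`, please also confirm `userdom_create_all_users_keys` is already defined in `userdomain.if`, otherwise the policy build will fail on an undefined interface.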
--
1.7.3.4


2012-05-04 12:44:38

by cpebenito

Subject: [refpolicy] [PATCH 1/1] sudo with SELinux support requires key handling

On 04/11/12 14:42, Sven Vermeulen wrote:
> When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
> privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
> instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/sudo.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 6e1de7a..f6bef78 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -129,6 +129,7 @@ template(`sudo_role_template',`
> seutil_libselinux_linked($1_sudo_t)
>
> userdom_spec_domtrans_all_users($1_sudo_t)
> + userdom_create_all_users_keys($1_sudo_t)
> userdom_manage_user_home_content_files($1_sudo_t)
> userdom_manage_user_home_content_symlinks($1_sudo_t)
> userdom_manage_user_tmp_files($1_sudo_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com