From: domg472@gmail.com (Dominick Grift)
Date: Fri, 8 Oct 2010 15:07:46 +0200
Subject: [refpolicy] [ patch 37/44] sudo: do not audit attempts to search /root.
In-Reply-To: <4CAF168B.7080409@tresys.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com>
 <1286216636-28449-39-git-send-email-domg472@gmail.com>
 <4CAF15C9.4000605@tresys.com>
 <20101008130103.GB15409@localhost.localdomain>
 <4CAF168B.7080409@tresys.com>
Message-ID: <20101008130744.GC15409@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 08, 2010 at 09:03:07AM -0400, Christopher J. PeBenito wrote:
> On 10/08/10 09:01, Dominick Grift wrote:
> >On Fri, Oct 08, 2010 at 08:59:53AM -0400, Christopher J. PeBenito wrote:
> >>On 10/04/10 14:23, Dominick Grift wrote:
> >>>diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> >>>index ca36b15..da2afce 100644
> >>>--- a/policy/modules/admin/sudo.if
> >>>+++ b/policy/modules/admin/sudo.if
> >>>@@ -101,6 +101,7 @@ template(`sudo_role_template',`
> >>> files_read_usr_symlinks($1_sudo_t)
> >>> files_getattr_usr_files($1_sudo_t)
> >>> # for some PAM modules and for cwd
> >>>+ files_dontaudit_list_default($1_sudo_t)
> >>> files_dontaudit_search_home($1_sudo_t)
> >>> files_list_tmp($1_sudo_t)
> >>
> >>I'm confused, /root shouldn't be default_t.
> >
> >Why not, what do you think it should be?
>
> There shouldn't be any default_t files if it can be helped. I would
> expect user_home_dir_t or admin_home_dir_t if you're on Fedora.

This patch set is to make "refpolicy" work on minimal Fedora installations. It's not so much about trying to merge every Fedora change to refpolicy. However, if you are interested in implementing Fedora's admin_home_t I guess I could try that instead. That would mean that for now you can disregard all "default" patches. I just was of the opinion that refpolicy is not interested in implementing Fedora's admin_home_t solution, and would rather stick to default_t for /root.

>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
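Review bot: the added line `files_dontaudit_list_default($1_sudo_t)` in the `sudo_role_template` hunk is wider than the subject line describes, in two ways. First, the subject says "search /root" but the interface silences listing of default_t directories, which is a different permission from search; the commit message should state the actual denial that prompted the change so the dontaudit can be checked against it. Second, a dontaudit keyed on default_t covers every default_t directory on the system, not only /root, so it would also hide denials on other unlabeled paths that a reviewer would want to see. Given the reply that "There shouldn't be any default_t files if it can be helped", the root cause here looks like /root carrying the wrong label on the minimal install; fixing the file context so /root gets a home directory type would remove the need for this dontaudit entirely.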