From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 6 Feb 2011 15:56:17 +0100 Subject: [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory Message-ID: <20110206145616.GA12288@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The sudo application uses /var/db/sudo to keep track of sudo timestamps (to find out if sudo wants to ask the user to reauthenticate or not). I have found the same policy rules in fedora's repository (commit d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any direct mail on the refpolicy archives with a request to push this through. This is patch 2/3 which allows the sudo domain (defined in the template) to manipulate the timestamp database Signed-off-by: Sven Vermeulen --- policy/modules/admin/sudo.if | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 975af1a..5b55cf5 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` gen_require(` type sudo_exec_t; + type sudo_db_t; attribute sudodomain; ') @@ -80,6 +81,10 @@ template(`sudo_role_template',` allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; allow $3 $1_sudo_t:process signal_perms; + manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t) + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) + allow $1_sudo_t sudo_db_t:dir { getattr }; + kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) kernel_link_key($1_sudo_t) -- 1.7.3.4
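Review bot: the first hunk adds `type sudo_db_t;` to the template's gen_require block, but nothing in the visible patch declares that type or labels /var/db/sudo with it; a template that requires an undeclared type fails at policy build time. If the declaration (`type sudo_db_t;` plus `files_type(sudo_db_t)` in sudo.te and a sudo.fc entry for /var/db/sudo) lives in patch 1/3, the commit message should say so, since this patch cannot be applied on its own.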
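Review bot: in the second hunk, `allow $1_sudo_t sudo_db_t:dir { getattr };` is redundant: manage_dirs_pattern() already grants manage_dir_perms on sudo_db_t directories, and that permission set includes getattr, so the explicit allow line can be dropped. Two things the hunk does not cover are worth checking before merging: the two pattern macros only grant access to objects already labeled sudo_db_t, so the domain still needs search access to the parent of /var/db/sudo (for example a files_search_var() call, unless the template already provides it), and there is no file transition rule, so a /var/db/sudo directory that sudo creates itself would inherit the parent directory's type instead of sudo_db_t.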