From: domg472@gmail.com (Dominick Grift)
Date: Sun, 06 Feb 2011 17:44:00 +0100
Subject: [refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo timestamp database/directory
In-Reply-To: <20110206145516.GA12283@siphos.be>
References: <20110206145516.GA12283@siphos.be>
Message-ID: <4D4ECFD0.9050001@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/06/2011 03:55 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 1/3 which defines the type
>
> Signed-off-by: Sven Vermeulen
> ---
>  policy/modules/admin/sudo.te | 3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
> index 7aacfc2..8f4a2be 100644
> --- a/policy/modules/admin/sudo.te
> +++ b/policy/modules/admin/sudo.te
> @@ -7,3 +7,6 @@ attribute sudodomain;
>
>  type sudo_exec_t;
>  application_executable_file(sudo_exec_t)
> +
> +type sudo_db_t;
> +files_type(sudo_db_t)

I handled this in a different way:

authlogin.fc:

# Fedoras sudo moved from run to db, not sure if pam is still involved.
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/db/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
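
Review bot: the added `type sudo_db_t;` and `files_type(sudo_db_t)` lines at the end of policy/modules/admin/sudo.te declare the type, but nothing in this patch labels /var/db/sudo with it; the diffstat touches only sudo.te. Until a file context entry and the matching access rules exist, the type is unused and the timestamp directory keeps whatever label it already has. Consider carrying the file context entry for /var/db/sudo in the same patch as the declaration, or state in the commit message which patch of the series adds it, and put a one-line comment above the declaration saying what sudo_db_t covers.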