From: domg472@gmail.com (Dominick Grift)
Date: Sun, 06 Feb 2011 17:45:39 +0100
Subject: [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory
In-Reply-To: <20110206145616.GA12288@siphos.be>
References: <20110206145616.GA12288@siphos.be>
Message-ID: <4D4ED033.7020905@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/06/2011 03:56 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in Fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 2/3, which allows the sudo domain (defined in the template) to
> manipulate the timestamp database.
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/sudo.if | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 975af1a..5b55cf5 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -32,6 +32,7 @@ template(`sudo_role_template',`
>
> gen_require(`
> type sudo_exec_t;
> + type sudo_db_t;
> attribute sudodomain;
> ')
>
> @@ -80,6 +81,10 @@ template(`sudo_role_template',`
> allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
> allow $3 $1_sudo_t:process signal_perms;
>
> + manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + allow $1_sudo_t sudo_db_t:dir { getattr };
> +
> kernel_read_kernel_sysctls($1_sudo_t)
> kernel_read_system_state($1_sudo_t)
> kernel_link_key($1_sudo_t)

See my reply to "[refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo timestamp database/directory".

I do not see a need for a new type for this (but I may be wrong).
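Review bot: the explicit `allow $1_sudo_t sudo_db_t:dir { getattr };` in the second hunk is redundant and should be dropped: `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` on the line above already grants manage_dir_perms on sudo_db_t, and that permission set includes getattr (together with search, read, write, add_name, remove_name, rmdir and the rest). If the rule is kept for some reason, the braces around a single permission are unnecessary in refpolicy style. Worth stating in the patch description as well: because the two manage_*_pattern calls sit inside sudo_role_template, every `$1_sudo_t` domain the template produces becomes a full manager of the whole shared sudo_db_t directory tree, not only of its own user's timestamp entries; that is inherent to labelling /var/db/sudo with a single type, and it is the trade-off the reply below questions.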