From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 11 Apr 2012 20:42:59 +0200
Subject: [refpolicy] [PATCH 1/1] sudo with SELinux support requires key handling
Message-ID: <20120411184259.GF6229@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t) instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).

Signed-off-by: Sven Vermeulen

--- policy/modules/admin/sudo.if | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 6e1de7a..f6bef78 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -129,6 +129,7 @@ template(`sudo_role_template',` seutil_libselinux_linked($1_sudo_t) userdom_spec_domtrans_all_users($1_sudo_t) + userdom_create_all_users_keys($1_sudo_t) userdom_manage_user_home_content_files($1_sudo_t) userdom_manage_user_home_content_symlinks($1_sudo_t) userdom_manage_user_tmp_files($1_sudo_t) -- 1.7.3.4
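Review bot: the added `userdom_create_all_users_keys($1_sudo_t)` line in `sudo_role_template` has no comment saying why a sudo domain needs key creation, and the reason is not obvious from the interface name. Per the commit message, the failure without it is silent: the command still runs, but in the sudo domain (sysadm_sudo_t) rather than the domain named in sudoers, so a later cleanup could drop the line without anything visibly breaking. A one-line comment above the call stating that sudo's integrated SELinux support needs it for the transition to the target domain would protect it. The grant also applies unconditionally to every role that instantiates the template and covers the keys of all user domains. That breadth matches the neighbouring `userdom_spec_domtrans_all_users($1_sudo_t)`, but the message should say whether the wide scope is required or whether access limited to the calling role's own user domain would be enough.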