From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 4 May 2012 08:44:38 -0400
Subject: [refpolicy] [PATCH 1/1] sudo with SELinux support requires key handling
In-Reply-To: <20120411184259.GF6229@siphos.be>
References: <20120411184259.GF6229@siphos.be>
Message-ID: <4FA3CF36.4070300@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/11/12 14:42, Sven Vermeulen wrote:
> When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
> privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
> instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
>
> Signed-off-by: Sven Vermeulen
> ---
>  policy/modules/admin/sudo.if |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 6e1de7a..f6bef78 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -129,6 +129,7 @@ template(`sudo_role_template',`
>  	seutil_libselinux_linked($1_sudo_t)
>  
>  	userdom_spec_domtrans_all_users($1_sudo_t)
> +	userdom_create_all_users_keys($1_sudo_t)
>  	userdom_manage_user_home_content_files($1_sudo_t)
>  	userdom_manage_user_home_content_symlinks($1_sudo_t)
>  	userdom_manage_user_tmp_files($1_sudo_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
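Review bot: the new `userdom_create_all_users_keys($1_sudo_t)` line in the `sudo_role_template` hunk carries no comment explaining why a sudo domain must create user keys, and the commit message gives the symptom (the command keeps running in sysadm_sudo_t instead of the target domain) without the AVC denial that was observed. Since this template grants the permission to every role's sudo domain, a short comment above the call (for example `# sudo with SELinux support creates user keys before the domain transition`) or the denial quoted in the commit message would let a later reader distinguish an intentional grant from a leftover when the surrounding userdom_ calls are next revised.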