From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 22 Nov 2014 19:54:35 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be>
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does not exist (given the tmpfs nature of /var/run). This is done when sudo is run in the user prefixed domain, and requires both the chown capability as well as the proper file transition when /var/run/sudo is created.
---
 policy/modules/admin/sudo.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..2ee052b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
 	#
 	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+	allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
 	auth_run_chk_passwd($1_sudo_t, $2)
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
+	auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 	auth_use_nsswitch($1_sudo_t)
 	init_rw_utmp($1_sudo_t)
-- 
2.0.4
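Review bot: The new `chown` capability in the first hunk is granted to `$1_sudo_t` with no in-policy comment, so the only record of why a user-prefixed sudo domain may now change file ownership is this commit message; the `# Use capabilities.` comment should name the reason, e.g. `# chown: sudo >= 1.8.9_p5 creates and owns /var/run/sudo/ts (see auth_pid_filetrans_pam_var_run below)`. The same applies to the second hunk, where the existing `# sudo stores a token in the pam_pid directory` comment now sits above both the manage rule and the new `dir` filetrans for "sudo" and could be widened to say that the directory itself is created on a tmpfs /var/run. Both hunks are inside `sudo_role_template`, whose body begins and ends outside the hunks.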