From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sat, 22 Nov 2014 20:55:24 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To: <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be>
	<1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> [...]
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> #
>
> # Use capabilities.
> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow $1_sudo_t self:process { setexec setrlimit };
> allow $1_sudo_t self:fd use;
> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> auth_run_chk_passwd($1_sudo_t, $2)
> # sudo stores a token in the pam_pid directory
> auth_manage_pam_pid($1_sudo_t)
> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")

This interface does not exist in refpolicy and the build fails because of this.
Gentoo policy defines it in authlogin.if and the definition looks good to me:
https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811

Thanks,
Nicolas
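Review bot: the first hunk (sudo.if, template `sudo_role_template`, around line 52) adds `chown` to the `self:capability` set of `$1_sudo_t` without saying which sudo operation needs it; since the patch subject is about sudo managing its timestamp directory under /var/run/sudo, state that in the commit message or in a short comment next to the rule, alongside the existing "# Use capabilities." comment, so that a later reviewer can tell why CAP_CHOWN is granted to every sudo domain and the rule does not read as an unexplained widening of privilege.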
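Review bot: the second hunk (sudo.if, around line 117) calls `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")`, an interface that, as the reply points out, is not defined in refpolicy's authlogin.if, so the policy no longer builds with this patch applied; add the interface definition (the linked Gentoo hardened-refpolicy version is the candidate) to authlogin.if either in this patch or in an earlier patch of the series, so that every patch in the series builds on its own.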