From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 22 Nov 2014 22:19:47 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To:
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Good catch, I checked against the wrong repo :-( Thanks.

I've resent it with the interface added (although I got the mails twice now, my git send-email-fu is not at its peak right now).

Wkr,
Sven Vermeulen

2014-11-22 20:55 GMT+01:00 Nicolas Iooss :
> 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
>> [...]
>> --- a/policy/modules/admin/sudo.if
>> +++ b/policy/modules/admin/sudo.if
>> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
>> #
>>
>> # Use capabilities.
>> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
>> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
>> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
>> allow $1_sudo_t self:process { setexec setrlimit };
>> allow $1_sudo_t self:fd use;
>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> auth_run_chk_passwd($1_sudo_t, $2)
>> # sudo stores a token in the pam_pid directory
>> auth_manage_pam_pid($1_sudo_t)
>> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>
> This interface does not exist in refpolicy and the build fails because
> of this. Gentoo policy defines it in authlogin.if and the definition
> looks good to me:
> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>
> Thanks,
>
> Nicolas
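Review bot: the first hunk (@@ -52,7 +52,7 @@) widens the capability set of $1_sudo_t with `chown` but says nothing about which operation needs it; the only nearby comment is the generic "# Use capabilities." Since CAP_CHOWN lets the sudo domain change ownership of any file it can already reach, the hunk should state the reason inline, for example a comment above the allow rule naming the operation on the /var/run/sudo timestamp directory (the subject line is the only hint) that denials showed, so a later reader can tell whether the capability is still required when sudo changes again.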
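Review bot: the second hunk (@@ -117,6 +117,7 @@) calls `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")`, which is not defined in upstream refpolicy's authlogin.if, so the module does not build as submitted (as the reply below points out, the definition only exists in the Gentoo hardened-refpolicy tree). The interface definition has to be part of this patch, or of an earlier patch in the series, before this caller can land. While touching this block, the comment "# sudo stores a token in the pam_pid directory" above `auth_manage_pam_pid($1_sudo_t)` should also be updated to say that the new filetrans makes sudo create a "sudo" subdirectory there with the pam_var_run type, since that is the behaviour the added line introduces.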