From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 23 Nov 2014 13:50:20 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To:
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <20141123125019.GA11067@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Nov 22, 2014 at 10:19:47PM +0100, Sven Vermeulen wrote:
> Good catch, I checked against the wrong repo :-( Thanks.
>
> I've resent it with the interface added (although I got the mails
> twice now, my git send-email-fu is not at its peak right now).
>
> Wkr,
> Sven Vermeulen
>
> 2014-11-22 20:55 GMT+01:00 Nicolas Iooss :
> > 2014-11-22 19:54 GMT+01:00 Sven Vermeulen:
> >> [...]
> >> --- a/policy/modules/admin/sudo.if
> >> +++ b/policy/modules/admin/sudo.if
> >> @@ -52,7 +52,7 @@ template(`sudo_role_template',`
> >> #
> >>
> >> # Use capabilities.
> >> - allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
> >> + allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
> >> allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> >> allow $1_sudo_t self:process { setexec setrlimit };
> >> allow $1_sudo_t self:fd use;
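Review bot: the reason for adding chown to the $1_sudo_t self:capability set is not recorded anywhere in this hunk, and the only comment above the rule is the generic `# Use capabilities.`; since the subject says the new sudo manages a timestamp directory in /var/run/sudo, a comment next to the rule stating that sudo chowns that directory would let a later reader see why the sudo domain needs CAP_CHOWN at all, and the commit message should say the same so the capability grant can be tied to the directory handling rather than looking like an unexplained widening of the domain.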
> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> # sudo stores a token in the pam_pid directory
> >> auth_manage_pam_pid($1_sudo_t)
> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >
> > This interface does not exist in refpolicy and the build fails because
> > of this. Gentoo policy defines it in authlogin.if and the definition
> > looks good to me:
> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >

I do not see how /var/run/sudo is associated with pam

--
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20141123/b28f95b3/attachment.bin
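Review bot: the added auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") call references an interface that this diff does not define and, as the reply in the thread notes, refpolicy's authlogin.if does not provide, so the build breaks; the interface definition has to land in the same series (in authlogin.if) before this hunk can apply. The comment directly above the call, `# sudo stores a token in the pam_pid directory`, should also be extended to say that sudo now creates a "sudo" directory under the pam runtime directory, since that is what the new filetrans line does and the existing comment only describes the manage rule.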