From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 23 Nov 2014 15:09:44 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To: <20141123125019.GA11067@e145.network2>
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be>
 <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be>
 <20141123125019.GA11067@e145.network2>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2014-11-23 13:50 GMT+01:00 Dominick Grift :
>> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>> >> auth_run_chk_passwd($1_sudo_t, $2)
>> >> # sudo stores a token in the pam_pid directory
>> >> auth_manage_pam_pid($1_sudo_t)
>> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>> >
>> > This interface does not exist in refpolicy and the build fails because
>> > of this. Gentoo policy defines it in authlogin.if and the definition
>> > looks good to me:
>> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>> >
>
> I do not see how /var/run/sudo is associated with pam

The authlogin.fc already contains the following:

/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)

I don't know if it is legacy, or because some PAM modules require a more
common access pattern. In any case, this file transition is only to keep
the application (and policy) running as-is -- without it, users need to
run "restorecon -R /var/run/sudo" every time their system is started.

Wkr,
Sven Vermeulen
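Review bot: the added `+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` line in the sudo_role_template hunk calls an interface that upstream refpolicy does not define (as the quoted reply notes, the build fails), so the interface needs to be added to authlogin.if in this patch or in an earlier patch of the series instead of relying on the Gentoo tree. The target type is consistent with the visible file contexts, since authlogin.fc already labels /var/run/sudo(/.*)? as pam_var_run_t; the usual refpolicy shape for such an interface is a `gen_require(` block declaring `type pam_var_run_t;` followed by `files_pid_filetrans($1, pam_var_run_t, $2, $3)`, which matches the (domain, class, name) argument order used by the call. The comment above `auth_manage_pam_pid($1_sudo_t)` should also mention that the directory itself is now created with a named transition, since that is the reason the `restorecon -R /var/run/sudo` step at boot goes away.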