From: dac.override@gmail.com (Dominick Grift)
Date: Sun, 23 Nov 2014 15:40:08 +0100
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To:
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be> <20141123125019.GA11067@e145.network2>
Message-ID: <20141123144007.GB11067@e145.network2>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
> 2014-11-23 13:50 GMT+01:00 Dominick Grift :
> >> >> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
> >> >> auth_run_chk_passwd($1_sudo_t, $2)
> >> >> # sudo stores a token in the pam_pid directory
> >> >> auth_manage_pam_pid($1_sudo_t)
> >> >> + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
> >> >
> >> > This interface does not exist in refpolicy and the build fails because
> >> > of this. Gentoo policy defines it in authlogin.if and the definition
> >> > looks good to me:
> >> > https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
> >> >
> >
> > I do not see how /var/run/sudo is associated with pam
>
> The authlogin.fc already contains the following:
>
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>
> I don't know if it is legacy, or because some PAM modules require a
> more common access pattern. In any case, this file transition is only
> to keep the application (and policy) running as-is -- without it,
> users need to run "restorecon -R /var/run/sudo" every time their
> system is started.
>

Yea, probably legacy. Just sayin', though: ideally it should probably not be associated with pam_var_run_t in my view.

--
Dominick Grift
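Review bot: the added line `+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` calls an interface that, as the thread notes, is not defined in refpolicy's authlogin.if, so this hunk does not build on its own; the interface definition (the one linked from Gentoo's authlogin.if) has to land in this series before or together with this patch. The comment above the call, `# sudo stores a token in the pam_pid directory`, should also be extended to say that sudo creates /var/run/sudo itself after boot and that the named transition exists so the new directory matches the `/var/run/sudo(/.*)?` entry in authlogin.fc without a `restorecon -R /var/run/sudo`, since that is the whole reason for the rule.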
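To make concrete why the named file transition in the quoted hunk matters, here is a small Python model of how SELinux labels a newly created object: a name-specific type_transition wins, then an unnamed one, otherwise the object inherits its parent directory's type. This is an added example, not refpolicy code and not a call into libselinux. It assumes that `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` expands, for the user role, to `type_transition user_sudo_t var_run_t:dir pam_var_run_t "sudo";`, that /var/run itself carries var_run_t, and that the timestamp file inside the directory is named "ts" (constructed name). The expected labels come from the authlogin.fc lines quoted in the thread. It also contrasts the named rule with a hypothetical unnamed one to show the scope difference, which the thread does not spell out.

```python
"""Model of SELinux new-object labelling, illustrating the named
file transition for /var/run/sudo discussed in the thread.
Added example; not refpolicy code, does not touch libselinux."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TypeTransition:
    source: str                 # domain creating the object, e.g. user_sudo_t
    parent: str                 # type of the directory it is created in
    cls: str                    # object class: "dir", "file", ...
    result: str                 # type the new object receives
    name: Optional[str] = None  # None = unnamed (classic) transition


def label_new_object(rules: List[TypeTransition], source: str,
                     parent_type: str, cls: str, name: str) -> str:
    """Type a freshly created object gets (simplified kernel behaviour):
    a name-specific type_transition wins, then an unnamed one for the same
    (source, parent, class), otherwise the parent directory's type is
    inherited. Role/MLS and default_type rules are left out."""
    for r in rules:
        if (r.source, r.parent, r.cls, r.name) == (source, parent_type, cls, name):
            return r.result
    for r in rules:
        if r.name is None and (r.source, r.parent, r.cls) == (source, parent_type, cls):
            return r.result
    return parent_type


# Labels the quoted authlogin.fc entry /var/run/sudo(/.*)? assigns on relabel.
FC_EXPECTED: Dict[str, str] = {
    "/var/run/sudo": "pam_var_run_t",
    "/var/run/sudo/ts": "pam_var_run_t",   # "ts" is a constructed file name
}

# Assumed expansion of auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
# with $1_sudo_t = user_sudo_t:
#   type_transition user_sudo_t var_run_t:dir pam_var_run_t "sudo";
NAMED_SUDO_RULE = TypeTransition("user_sudo_t", "var_run_t", "dir",
                                 "pam_var_run_t", "sudo")

# Hypothetical unnamed alternative for comparison: every dir user_sudo_t
# creates in var_run_t would become pam_var_run_t, not only "sudo".
UNNAMED_SUDO_RULE = TypeTransition("user_sudo_t", "var_run_t", "dir",
                                   "pam_var_run_t")


def simulate_first_sudo_after_boot(rules: List[TypeTransition]) -> Dict[str, str]:
    """After boot /var/run is a fresh tmpfs labelled var_run_t (assumed).
    sudo, running as user_sudo_t, mkdirs /var/run/sudo and then writes a
    timestamp file inside it. Returns the runtime label of each path."""
    labels: Dict[str, str] = {}
    labels["/var/run/sudo"] = label_new_object(
        rules, "user_sudo_t", "var_run_t", "dir", "sudo")
    # No transition rule targets the timestamp file; it inherits whatever
    # type the directory ended up with.
    labels["/var/run/sudo/ts"] = label_new_object(
        rules, "user_sudo_t", labels["/var/run/sudo"], "file", "ts")
    return labels


def paths_needing_restorecon(rules: List[TypeTransition]) -> List[str]:
    """Paths whose runtime label disagrees with the fc entry, i.e. what a
    user would otherwise have to fix with `restorecon -R /var/run/sudo`."""
    runtime = simulate_first_sudo_after_boot(rules)
    return sorted(p for p, t in runtime.items() if FC_EXPECTED[p] != t)


if __name__ == "__main__":
    for desc, rules in (("no transition", []),
                        ("named transition", [NAMED_SUDO_RULE]),
                        ("unnamed transition", [UNNAMED_SUDO_RULE])):
        print(desc, simulate_first_sudo_after_boot(rules),
              "restorecon needed for:", paths_needing_restorecon(rules))
    # Scope difference: some other directory the domain might create in /var/run.
    print("unnamed rule also relabels /var/run/other:",
          label_new_object([UNNAMED_SUDO_RULE], "user_sudo_t",
                           "var_run_t", "dir", "other"))
```

Without any rule both the directory and the file it contains come up as var_run_t and disagree with authlogin.fc until a restorecon; with the named rule the directory gets pam_var_run_t on creation and the file inherits it. The unnamed variant fixes the same problem but also relabels any other directory the domain creates in /var/run, which is why the named form in the hunk is the tighter choice.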