From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 2 Dec 2014 10:27:30 -0500
Subject: [refpolicy] [PATCH 2/7] New sudo manages timestamp directory in /var/run/sudo
In-Reply-To: <20141123144007.GB11067@e145.network2>
References: <1416682480-13282-1-git-send-email-sven.vermeulen@siphos.be> <1416682480-13282-3-git-send-email-sven.vermeulen@siphos.be> <20141123125019.GA11067@e145.network2> <20141123144007.GB11067@e145.network2>
Message-ID: <547DDA62.6050509@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/23/2014 9:40 AM, Dominick Grift wrote:
> On Sun, Nov 23, 2014 at 03:09:44PM +0100, Sven Vermeulen wrote:
>> 2014-11-23 13:50 GMT+01:00 Dominick Grift :
>>>>>> @@ -117,6 +117,7 @@ template(`sudo_role_template',`
>>>>>>  	auth_run_chk_passwd($1_sudo_t, $2)
>>>>>>  	# sudo stores a token in the pam_pid directory
>>>>>>  	auth_manage_pam_pid($1_sudo_t)
>>>>>> +	auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
>>>>>
>>>>> This interface does not exist in refpolicy and the build
>>>>> fails because of this. Gentoo policy defines it in
>>>>> authlogin.if and the definition looks good to me:
>>>>> https://github.com/sjvermeu/hardened-refpolicy/blob/9d229675d7084facc9592f1ddab5f976337524f4/policy/modules/system/authlogin.if#L1811
>>>>>
>>>>> I do not see how /var/run/sudo is associated with pam
>>
>> The authlogin.fc already contains the following:
>>
>> /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
>> /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
>> /var/lib/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
>>
>> I don't know if it is legacy, or because some PAM modules require
>> a more common access pattern. In any case, this file transition
>> is only to keep the application (and policy) running as-is --
>> without it, users need to run "restorecon -R /var/run/sudo" every
>> time their system is started.
>>
>
> Yea, probably legacy. Just sayin' though ideally it should probably
> not be associated with pam_var_run_t in my view.

I agree, but will take it for now, since something like it already exists in the policy. If we can find a better solution, I'll take that too.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
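Review bot: the added line `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` calls an interface that refpolicy's authlogin.if does not define, so the module fails to build with this hunk applied; the interface definition (the Gentoo hardened-refpolicy version is linked in the thread) needs to be added to authlogin.if in the same series, ordered before this patch. The existing comment above the call should also be extended to say why the "sudo" directory under /var/run is transitioned to pam_var_run_t, since the thread agrees that association is probably legacy rather than a deliberate design choice.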