From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 17 Jul 2017 11:33:12 +0200
Subject: [refpolicy] /var/run/sudo not labeled properly for unconfined users
Message-ID: <7d9217ed-b7dc-9137-1691-76e1a3a09f2f@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

In debian, sudo is currently storing the timestamp use to check the last 
time a user has given a password in /var/lib/sudo.

Due to bug #786555[0] the sudo maintainer is thinking of moving the 
files to /var/run/sudo/, but on debian /var/run is a tmpfs and the 
directory needs to be recreated at every boot. sudo itself can create 
that itself, but the problem is that the directory is not properly label 
if the user invoking sudo is unconfined:

$ sesearch -AT |grep pam_var_run_t |grep sudo
allow auditadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow auditadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow secadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow secadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow staff_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow staff_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow sysadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow sysadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow user_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow user_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
type_transition auditadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition secadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition staff_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition sysadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition user_sudo_t var_run_t:dir pam_var_run_t "sudo";

One of the solution might be to either ask sudo to properly label the 
directory using setfscreatecon() or to create the file using a tempfile 
file or an initscript. But shouldn't rules be added in the policy to 
transition the directory to be properly label?

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786555