From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 17 Jul 2017 11:33:12 +0200
Subject: [refpolicy] /var/run/sudo not labeled properly for unconfined users
Message-ID: <7d9217ed-b7dc-9137-1691-76e1a3a09f2f@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

In Debian, sudo is currently storing the timestamp used to check the last time a user has given a password in /var/lib/sudo. Due to bug #786555[0] the sudo maintainer is thinking of moving the files to /var/run/sudo/, but on Debian /var/run is a tmpfs and the directory needs to be recreated at every boot. sudo can create that itself, but the problem is that the directory is not properly labeled if the user invoking sudo is unconfined:

$ sesearch -AT |grep pam_var_run_t |grep sudo
allow auditadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow auditadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow secadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow secadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow staff_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow staff_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow sysadm_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow sysadm_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
allow user_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow user_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
type_transition auditadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition secadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition staff_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition sysadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition user_sudo_t var_run_t:dir pam_var_run_t "sudo";

One of the solutions might be to either ask sudo to properly label the directory using setfscreatecon() or to create the file using a tempfile file or an initscript. But shouldn't rules be added to the policy to transition the directory so that it is properly labeled?

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786555
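The mail's point is that the sesearch output lists a named type_transition into pam_var_run_t only for the per-role *_sudo_t domains, so a directory created by an unconfined caller gets the parent's var_run_t label instead. The following script is an added example (not from the mail, sudo or refpolicy) that makes that gap checkable: it parses sesearch-style output, reports which source domains lack the "sudo" filename transition, and prints the corresponding rule in the same kernel policy syntax sesearch shows. The embedded output is a constructed subset of the rules quoted above; the domain name unconfined_t is an assumption standing in for "the unconfined user", and the emitted rules are only a sketch of what is missing, not a tested refpolicy change (a real fix would go through the module's .te/.if interfaces).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the sesearch output quoted in the mail.
# Only the *_sudo_t domains have a named transition for "sudo".
SESEARCH_OUTPUT = """\
allow staff_sudo_t pam_var_run_t:dir { getattr reparent create lock add_name read remove_name ioctl search unlink link rmdir open write rename setattr };
allow staff_sudo_t pam_var_run_t:file { getattr create lock read ioctl append unlink link open write rename setattr };
type_transition auditadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition secadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition staff_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition sysadm_sudo_t var_run_t:dir pam_var_run_t "sudo";
type_transition user_sudo_t var_run_t:dir pam_var_run_t "sudo";
"""

# type_transition <source> <target>:<class> <new_type> ["<name>"];
# The quoted filename is optional: an unnamed transition applies to any name.
TRANSITION_RE = re.compile(
    r'^type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+'
    r'(?P<new>\S+)(?:\s+"(?P<name>[^"]*)")?\s*;\s*$'
)


def parse_transitions(output: str) -> List[Dict[str, Optional[str]]]:
    """Return every type_transition rule in sesearch output; allow rules are skipped."""
    rules = []
    for line in output.splitlines():
        m = TRANSITION_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def domains_without_transition(output: str, domains: List[str], *,
                               target: str = "var_run_t", cls: str = "dir",
                               new_type: str = "pam_var_run_t",
                               name: Optional[str] = "sudo") -> List[str]:
    """Domains from `domains` that have no matching filename transition.

    A transition counts if it names exactly `name`, or is unnamed (applies to
    every filename) when the caller asks for a specific name.
    """
    covered = set()
    for r in parse_transitions(output):
        if r["tgt"] != target or r["cls"] != cls or r["new"] != new_type:
            continue
        if r["name"] == name or r["name"] is None:
            covered.add(r["src"])
    return [d for d in domains if d not in covered]


def suggested_rules(domains: List[str], *, target: str = "var_run_t",
                    cls: str = "dir", new_type: str = "pam_var_run_t",
                    name: str = "sudo") -> List[str]:
    """Kernel-policy-syntax sketch of the rules the domains are missing."""
    return [f'type_transition {d} {target}:{cls} {new_type} "{name}";'
            for d in domains]


if __name__ == "__main__":
    # Domains that may create /var/run/sudo: the per-role sudo domains from
    # the mail plus unconfined_t (assumed name for the unconfined user).
    callers = ["auditadm_sudo_t", "secadm_sudo_t", "staff_sudo_t",
               "sysadm_sudo_t", "user_sudo_t", "unconfined_t"]
    missing = domains_without_transition(SESEARCH_OUTPUT, callers)
    print("domains without a \"sudo\" transition into pam_var_run_t:", missing)
    for rule in suggested_rules(missing):
        print(rule)
```

On a live system the sample can be replaced by the real `sesearch -AT | grep pam_var_run_t` output; if unconfined_t (or whatever domain the unconfined user runs sudo in) shows up in the result, the directory will be created as var_run_t and `ls -Zd /var/run/sudo` will confirm the mislabel.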