From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory
Date: Sun, 06 Feb 2011 17:45:39 +0100 [thread overview]
Message-ID: <4D4ED033.7020905@gmail.com> (raw)
In-Reply-To: <20110206145616.GA12288@siphos.be>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/06/2011 03:56 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 2/3 which allows the sudo domain (defined in the template) to
> manipulate the timestamp database
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/admin/sudo.if | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 975af1a..5b55cf5 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -32,6 +32,7 @@ template(`sudo_role_template',`
>
> gen_require(`
> type sudo_exec_t;
> + type sudo_db_t;
> attribute sudodomain;
> ')
>
> @@ -80,6 +81,10 @@ template(`sudo_role_template',`
> allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
> allow $3 $1_sudo_t:process signal_perms;
>
> + manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> + allow $1_sudo_t sudo_db_t:dir { getattr };
> +
> kernel_read_kernel_sysctls($1_sudo_t)
> kernel_read_system_state($1_sudo_t)
> kernel_link_key($1_sudo_t)
See my reply to "[refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo
timestamp database/directory"
i do not see a need for a new type for this (but i may be wrong)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1O0DMACgkQMlxVo39jgT/CegCeOfYG4MZDxiljHErhhJJCUuEw
xuUAnR0jm+O1Nl8YrChszkhktvUDVCpG
=zEXX
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2011-02-06 16:45 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-06 14:56 [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory Sven Vermeulen
2011-02-06 16:45 ` Dominick Grift [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D4ED033.7020905@gmail.com \
--to=domg472@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.