* [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory
@ 2011-02-06 14:56 Sven Vermeulen
  2011-02-06 16:45 ` Dominick Grift
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Vermeulen @ 2011-02-06 14:56 UTC (permalink / raw)
  To: refpolicy

The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
find out if sudo wants to ask the user to reauthenticate or not).

I have found the same policy rules in fedora's repository (commit
d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
direct mail on the refpolicy archives with a request to push this through.

This is patch 2/3, which allows the sudo domain (defined in the template) to
manipulate the timestamp database.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/sudo.if |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 975af1a..5b55cf5 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
+		type sudo_db_t;
 		attribute sudodomain;
 	')
 
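Review bot: the gen_require block now references sudo_db_t, which nothing in this diff declares, so this patch only builds once 1/3 (the patch that introduces the type) has been applied; the commit message should state that ordering dependency explicitly. Note also that the diffstat shows only sudo.if changing: labeling /var/db/sudo as sudo_db_t is not part of this patch, so until the matching file-context entry lands these rules grant access to a type that no object on disk carries.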
@@ -80,6 +81,10 @@ template(`sudo_role_template',`
 	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
 	allow $3 $1_sudo_t:process signal_perms;
 
+	manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+	manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+	allow $1_sudo_t sudo_db_t:dir { getattr };
+
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
 	kernel_link_key($1_sudo_t)
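Review bot: the third added rule, `allow $1_sudo_t sudo_db_t:dir { getattr };`, is redundant and should be dropped: manage_dirs_pattern() already grants manage_dir_perms on sudo_db_t, and that permission set includes getattr (and if a bare allow were needed, refpolicy style would not wrap a single permission in braces). Also worth checking is whether $1_sudo_t can reach the directory at all: the two pattern macros cover the sudo_db_t directory and the files inside it, but nothing in this hunk grants search on the parent directory under /var, so that must already come from an existing rule in the template or the domain is denied before it gets here. Finally, manage_* is the broadest file pattern (create, unlink, rename, rmdir); the description says sudo records and invalidates timestamps, which does require create and unlink, so the breadth is defensible, but one sentence in the commit message saying why full directory management is needed rather than create plus read/write would help reviewers judge the least-privilege question.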
-- 
1.7.3.4


* [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory
  2011-02-06 14:56 [refpolicy] [PATCH 2/3] Allow sudo domain to manipulate timestamp database/directory Sven Vermeulen
@ 2011-02-06 16:45 ` Dominick Grift
  0 siblings, 0 replies; 2+ messages in thread
From: Dominick Grift @ 2011-02-06 16:45 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2011 03:56 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
> 
> I have found the same policy rules in fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
> 
> This is patch 2/3 which allows the sudo domain (defined in the template) to
> manipulate the timestamp database
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/sudo.if |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 975af1a..5b55cf5 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -32,6 +32,7 @@ template(`sudo_role_template',`
>  
>  	gen_require(`
>  		type sudo_exec_t;
> +		type sudo_db_t;
>  		attribute sudodomain;
>  	')
>  
> @@ -80,6 +81,10 @@ template(`sudo_role_template',`
>  	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
>  	allow $3 $1_sudo_t:process signal_perms;
>  
> +	manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> +	manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
> +	allow $1_sudo_t sudo_db_t:dir { getattr };
> +
>  	kernel_read_kernel_sysctls($1_sudo_t)
>  	kernel_read_system_state($1_sudo_t)
>  	kernel_link_key($1_sudo_t)

See my reply to "[refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo
timestamp database/directory"

I do not see a need for a new type for this (but I may be wrong)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk1O0DMACgkQMlxVo39jgT/CegCeOfYG4MZDxiljHErhhJJCUuEw
xuUAnR0jm+O1Nl8YrChszkhktvUDVCpG
=zEXX
-----END PGP SIGNATURE-----
