* [refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo timestamp database/directory
@ 2011-02-06 14:55 Sven Vermeulen
From: Sven Vermeulen @ 2011-02-06 14:55 UTC (permalink / raw)
To: refpolicy
The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
find out if sudo wants to ask the user to reauthenticate or not).
I have found the same policy rules in fedora's repository (commit
d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
direct mail on the refpolicy archives with a request to push this through.
This is patch 1/3 which defines the type
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/sudo.te | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 7aacfc2..8f4a2be 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,6 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
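Review bot: on its own this hunk only declares sudo_db_t with files_type(); nothing in the patch labels /var/db/sudo with the new type and no rule grants sudodomain access to it, so after this commit the type is unreferenced and the timestamp directory keeps whatever label it inherits from its parent. Since this is 1/3, the commit message should say that the sudo.fc entry and the sudodomain manage rules follow in 2/3 and 3/3, or the three should be squashed so the tree is coherent at each commit. It is also worth asking whether a dedicated type is needed at all: authlogin.fc already labels /var/run/sudo as pam_var_run_t, and extending that entry to the new location (as the v2 patch later in this thread does) avoids a second type for the same data; the trade-off is that every domain allowed to write pam_var_run_t can then touch the records sudo consults before deciding whether to ask for a password again.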
--
1.7.3.4
* [refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo timestamp database/directory
@ 2011-02-06 16:44 ` Dominick Grift
From: Dominick Grift @ 2011-02-06 16:44 UTC (permalink / raw)
To: refpolicy
On 02/06/2011 03:55 PM, Sven Vermeulen wrote:
> The sudo application uses /var/db/sudo to keep track of sudo timestamps (to
> find out if sudo wants to ask the user to reauthenticate or not).
>
> I have found the same policy rules in fedora's repository (commit
> d46a2b01151fd5061cdecd4004dc5993225c053d by Dan Walsh) but couldn't find any
> direct mail on the refpolicy archives with a request to push this through.
>
> This is patch 1/3 which defines the type
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/admin/sudo.te | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
> index 7aacfc2..8f4a2be 100644
> --- a/policy/modules/admin/sudo.te
> +++ b/policy/modules/admin/sudo.te
> @@ -7,3 +7,6 @@ attribute sudodomain;
>
> type sudo_exec_t;
> application_executable_file(sudo_exec_t)
> +
> +type sudo_db_t;
> +files_type(sudo_db_t)
I handled this in a different way:
authlogin.fc:
# Fedora's sudo moved from run to db, not sure if pam is still involved.
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/db/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
* [refpolicy] [PATCH 1/3] Adding sudo_db_t type for sudo timestamp database/directory
@ 2011-02-06 19:57 ` Sven Vermeulen
From: Sven Vermeulen @ 2011-02-06 19:57 UTC (permalink / raw)
To: refpolicy
On Sun, Feb 06, 2011 at 05:44:00PM +0100, Dominick Grift wrote:
[... snip introducing a new type for /var/db/sudo ...]
> I handled this in a different way:
>
> authlogin.fc:
>
> # Fedoras sudo moved from run to db, not sure if pam is still involved.
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/db/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
Fair enough; /var/db/sudo is indeed the new target but for exactly the same
functionality. See also http://www.sudo.ws/repos/sudo/rev/8c9440423d98
I'll resubmit a new patch for this. Thanks for the feedback.
Wkr,
Sven Vermeulen
* [refpolicy] [PATCH v2 1/1] Sudo timestamp directory has changed since v1.7.4, reflect this in .fc file
@ 2011-02-06 20:03 ` Sven Vermeulen
From: Sven Vermeulen @ 2011-02-06 20:03 UTC (permalink / raw)
To: refpolicy
Since sudo 1.7.4, the timestamp directory has moved from /var/run/sudo to
/var/db/sudo, lib or adm (in that order). See also the sudo changeset
http://www.sudo.ws/repos/sudo/rev/8c9440423d98
Keeping the "old" one (/var/run/sudo) for a while for those systems where
sudo has not been updated yet (change is since 1.7.4, Jul 14 2010).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/authlogin.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 1c4b1e7..2952cef 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -43,3 +43,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
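Review bot: the hunk header's context is `ifdef(`distro_gentoo', `', so please verify that the new line lands outside that ifdef block and not inside it; the sudo 1.7.4 directory move is upstream behaviour, not Gentoo-specific, and the entry is only useful if it applies on every distribution. Second, `/var/(db|lib|adm)/sudo(/.*)?` labels persistent directories under /var/db, /var/lib and /var/adm as pam_var_run_t, a type otherwise used for transient /var/run data; that is acceptable only if every domain allowed to write pam_var_run_t is trusted to modify sudo's timestamp records, since sudo's decision to skip reauthentication rests on those files. If that set is wider than the sudo domains, the dedicated type from v1 is the tighter choice. Finally, because the label change only takes effect at relabel time, the commit message could note that existing installs need a restorecon on whichever of /var/db/sudo, /var/lib/sudo or /var/adm/sudo their sudo actually created.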
--
1.7.3.4
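To see exactly which paths the v2 entry covers, here is an added Python example (not part of this thread or of refpolicy) that applies the file_contexts matching rules, each regex implicitly anchored at both ends and the last matching line winning, to a constructed copy of the four lines in the hunk and to some constructed paths; the per-user subdirectories are assumed, not taken from the thread.

```python
import re

# Constructed copy of the authlogin.fc lines in the v2 hunk. refpolicy syntax:
# <regex> [<file type flag>] gen_context(<user>:<role>:<type>,<mls>)
FC_LINES = """\
/var/run/pam_ssh(/.*)?  gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)?  gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)?  gen_context(system_u:object_r:pam_var_run_t,s0)
/var/(db|lib|adm)/sudo(/.*)?  gen_context(system_u:object_r:pam_var_run_t,s0)
"""

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[bcdlps-])\s+)?gen_context\(([^,]+),([^)]+)\)$")


def parse_fc(text):
    """Parse .fc lines into (compiled regex, file-type flag, context) tuples."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable .fc line: {line!r}")
        regex, ftype, ctx, mls = m.groups()
        # libselinux anchors each regex at both ends: "/var/db/sudo(/.*)?"
        # covers the directory and its subtree, but not /var/db/sudoers.
        specs.append((re.compile("^" + regex + "$"), ftype, f"{ctx}:{mls}"))
    return specs


def resolve(specs, path):
    """Context the path would get, or None. Last matching entry wins.
    The file-type flag is ignored: there is no inode to stat offline, and
    the hunk's entries carry no flag anyway."""
    for pattern, _ftype, ctx in reversed(specs):
        if pattern.match(path):
            return ctx
    return None


def type_of(specs, path):
    ctx = resolve(specs, path)
    return ctx.split(":")[2] if ctx else None


if __name__ == "__main__":
    specs = parse_fc(FC_LINES)
    # Constructed paths; the per-user layout below the timestamp dir is assumed.
    for p in ("/var/run/sudo", "/var/db/sudo/alice/tty1", "/var/lib/sudo",
              "/var/adm/sudo", "/var/db/sudoers", "/var/run/pam_ssh/alice"):
        print(f"{p:26} -> {type_of(specs, p)}")
```

None of the four lines overlap, so the ordering rule does not change any answer here; it matters once a more specific entry for a subpath is added later in the file.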
* [refpolicy] [PATCH v2 1/1] Sudo timestamp directory has changed since v1.7.4, reflect this in .fc file
@ 2011-02-14 15:58 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2011-02-14 15:58 UTC (permalink / raw)
To: refpolicy
On 2/6/2011 3:03 PM, Sven Vermeulen wrote:
>
> Since sudo 1.7.4, the timestamp directory has moved from /var/run/sudo to
> /var/db/sudo, lib or adm (in that order). See also the sudo changeset
> http://www.sudo.ws/repos/sudo/rev/8c9440423d98
>
> Keeping the "old" one (/var/run/sudo) for a while for those systems where
> sudo has not been updated yet (change is since 1.7.4, Jul 14 2010).
Merged.
> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be>
> ---
> policy/modules/system/authlogin.fc | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> index 1c4b1e7..2952cef 100644
> --- a/policy/modules/system/authlogin.fc
> +++ b/policy/modules/system/authlogin.fc
> @@ -43,3 +43,4 @@ ifdef(`distro_gentoo', `
> /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> +/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com