* [refpolicy] [PATCH] Sudo file context specification did not catch paths
@ 2013-08-26 19:53 Dominick Grift
  2013-09-23 18:30 ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2013-08-26 19:53 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 28ad538..5d0f398 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -46,4 +46,4 @@
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
-/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/((db)|(lib)|(adm))/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
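Review bot: wrapping each alternative in its own group, `(db|lib|adm)` to `((db)|(lib)|(adm))`, matches exactly the same set of paths as before, so this hunk cannot change which context /var/lib/sudo receives. The miss is an ordering problem rather than a regex problem: the generated file_contexts shown later in this thread has `/var/lib(/.*)?  system_u:object_r:var_lib_t` at line 135, after this entry at line 54, and that later entry is the one matchpathcon returns for /var/lib/sudo, while /var/db/sudo and /var/adm/sudo, which no later entry covers, resolve correctly. The change that actually alters the outcome is to give /var/lib/sudo a line of its own, whose literal prefix is longer than /var/lib and therefore sorts after it:
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
The commit message should also state which path failed (/var/lib/sudo) and how it was verified (matchpathcon), since the subject line alone says neither.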


* [refpolicy] [PATCH] Sudo file context specification did not catch paths
  2013-08-26 19:53 [refpolicy] [PATCH] Sudo file context specification did not catch paths Dominick Grift
@ 2013-09-23 18:30 ` Christopher J. PeBenito
  2013-09-23 18:33   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Christopher J. PeBenito @ 2013-09-23 18:30 UTC (permalink / raw)
  To: refpolicy

On Mon 26 Aug 2013 03:53:55 PM EDT, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> index 28ad538..5d0f398 100644
> --- a/policy/modules/system/authlogin.fc
> +++ b/policy/modules/system/authlogin.fc
> @@ -46,4 +46,4 @@
>  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
>  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
>  /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
> -/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
> +/var/((db)|(lib)|(adm))/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)

Odd. It seems to work fine for me.  Maybe it is some sort of fc sort 
problem on your system?

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] Sudo file context specification did not catch paths
  2013-09-23 18:30 ` Christopher J. PeBenito
@ 2013-09-23 18:33   ` Dominick Grift
  2013-09-23 19:02     ` Christopher J. PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2013-09-23 18:33 UTC (permalink / raw)
  To: refpolicy

On Mon, 2013-09-23 at 14:30 -0400, Christopher J. PeBenito wrote:
> On Mon 26 Aug 2013 03:53:55 PM EDT, Dominick Grift wrote:
> >
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> > index 28ad538..5d0f398 100644
> > --- a/policy/modules/system/authlogin.fc
> > +++ b/policy/modules/system/authlogin.fc
> > @@ -46,4 +46,4 @@
> >  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
> >  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
> >  /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
> > -/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
> > +/var/((db)|(lib)|(adm))/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
> 
> Odd. It seems to work fine for me.  Maybe it is some sort of fc sort 
> problem on your system?

See if it catches /var/lib/sudo. It does catch the first and the last,
just not the one in the middle, if I remember correctly.

It's not just on my system. This bug was reported by the Debian guys, I
believe.

> 
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH] Sudo file context specification did not catch paths
  2013-09-23 18:33   ` Dominick Grift
@ 2013-09-23 19:02     ` Christopher J. PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Christopher J. PeBenito @ 2013-09-23 19:02 UTC (permalink / raw)
  To: refpolicy

On 09/23/2013 02:33 PM, Dominick Grift wrote:
> On Mon, 2013-09-23 at 14:30 -0400, Christopher J. PeBenito wrote:
>> On Mon 26 Aug 2013 03:53:55 PM EDT, Dominick Grift wrote:
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
>>> index 28ad538..5d0f398 100644
>>> --- a/policy/modules/system/authlogin.fc
>>> +++ b/policy/modules/system/authlogin.fc
>>> @@ -46,4 +46,4 @@
>>>  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
>>>  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
>>>  /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
>>> -/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
>>> +/var/((db)|(lib)|(adm))/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
>>
>> Odd. It seems to work fine for me.  Maybe it is some sort of fc sort 
>> problem on your system?
> 
> See if it catches /var/lib/sudo. It does catch the first and the last,
> just not the one in the middle, if I remember correctly.
> 
> It's not just on my system. This bug was reported by the Debian guys, I
> believe.

Looks like a fc sorting problem:

# matchpathcon /var/db/sudo
/var/db/sudo	system_u:object_r:pam_var_run_t
# matchpathcon /var/lib/sudo
/var/lib/sudo	system_u:object_r:var_lib_t
# matchpathcon /var/adm/sudo
/var/adm/sudo	system_u:object_r:pam_var_run_t

# egrep -n 'sudo.*var_run_t' /etc/selinux/targeted/contexts/files/file_contexts
54:/var/(db|lib|adm)/sudo(/.*)?	system_u:object_r:pam_var_run_t
# egrep -n '^/var/lib.*:var_lib_t' /etc/selinux/strict/contexts/files/file_contexts
135:/var/lib(/.*)?	system_u:object_r:var_lib_t

I'd rather break it into two lines, one for /var/lib/sudo and one for /var/(db|adm)/sudo to work around this.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
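The ordering problem Chris diagnoses above, and the reason the regrouped regex in the original patch cannot fix it, as an added example that is not code from refpolicy or libselinux: a small Python model of how a file_contexts fragment is sorted and then matched. The sort rules are a simplification of refpolicy's policy/support/fc_sort.c (entries with regex metacharacters first, then a longer literal prefix later, then a longer spec later; file-type specifiers are not modelled), the lookup rule (last matching entry wins) is how libselinux resolved a path at the time of this thread, and the three fragments are constructed from the lines quoted in the messages above. Everything not shown on the page is an assumption of this example.

```python
"""
Model of how an SELinux file_contexts file is ordered and matched.

Added example for this thread; it is not code from refpolicy or libselinux.
Assumptions (also stated in the lead-in):
  * fc_sort() is a simplified version of refpolicy's policy/support/fc_sort.c:
    entries containing regex metacharacters sort before purely literal ones;
    among those, a shorter literal prefix (stem) sorts earlier, then a shorter
    spec sorts earlier.  File-type specifiers (-d, -- ...) are not modelled.
  * lookup() takes the LAST matching entry of the sorted list, which is how
    libselinux resolved a path at the time of this thread.
  * Python's re stands in for the POSIX/PCRE engine; it agrees with it on the
    simple patterns used here.
"""
import re

# Regex metacharacters that end the literal stem of a spec.
META = set(".^$?*+|[(){\\")


def stem_len(spec):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(spec):
        if ch in META:
            return i
    return len(spec)


def has_meta(spec):
    return stem_len(spec) < len(spec)


def fc_sort(entries):
    """Order (spec, context) pairs so the most specific spec ends up last
    (simplified fc_sort: regex specs first, then shorter stem, then shorter spec)."""
    return sorted(entries, key=lambda e: (not has_meta(e[0]), stem_len(e[0]), len(e[0])))


def matches(spec, path):
    """file_contexts regexes are implicitly anchored at both ends."""
    return re.fullmatch(spec, path) is not None


def lookup(sorted_entries, path):
    """Context of the last matching entry, or None if nothing matches."""
    result = None
    for spec, ctx in sorted_entries:
        if matches(spec, path):
            result = ctx
    return result


PAM = "system_u:object_r:pam_var_run_t"
VAR_LIB = "system_u:object_r:var_lib_t"

# Constructed fragments modelled on the file_contexts lines quoted in this
# thread, in the order the .fc sources list them (before sorting).
ORIGINAL = [
    ("/var/run/sudo(/.*)?", PAM),
    ("/var/lib(/.*)?", VAR_LIB),
    ("/var/(db|lib|adm)/sudo(/.*)?", PAM),
]
# The posted patch: same alternatives, each wrapped in its own group.
PATCHED = [
    ("/var/run/sudo(/.*)?", PAM),
    ("/var/lib(/.*)?", VAR_LIB),
    ("/var/((db)|(lib)|(adm))/sudo(/.*)?", PAM),
]
# The split suggested at the end of the thread: /var/lib/sudo on its own line.
SPLIT = [
    ("/var/run/sudo(/.*)?", PAM),
    ("/var/lib(/.*)?", VAR_LIB),
    ("/var/(db|adm)/sudo(/.*)?", PAM),
    ("/var/lib/sudo(/.*)?", PAM),
]

PATHS = ("/var/db/sudo", "/var/lib/sudo", "/var/adm/sudo")


def label_all(entries, paths=PATHS):
    """Sort the fragment as fc_sort would, then resolve each path like matchpathcon."""
    ordered = fc_sort(entries)
    return {p: lookup(ordered, p) for p in paths}


if __name__ == "__main__":
    for name, entries in (("original", ORIGINAL), ("patched", PATCHED), ("split", SPLIT)):
        print(name)
        for spec, _ in fc_sort(entries):
            print("   stem=%2d  %s" % (stem_len(spec), spec))
        for path, ctx in label_all(entries).items():
            print("   %-14s %s" % (path, ctx))
```

Running it shows the two alternation forms sorting to the same position (stem `/var/`, length 5) and losing to `/var/lib(/.*)?` (stem length 8) for /var/lib/sudo, while the split entry `/var/lib/sudo(/.*)?` (stem length 13) sorts after `/var/lib(/.*)?` and wins. The same reasoning applies to any .fc entry whose alternation sits before the directory that another, more literal entry already covers: the alternation's stem stops at the `(`, so it will always sort before, and lose to, a plain `/var/<dir>(/.*)?` line.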

