From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 23 Sep 2013 15:02:15 -0400
Subject: [refpolicy] [PATCH] Sudo file context specification did not catch paths
In-Reply-To: <1379961202.5366.18.camel@d30>
References: <1377546835-8202-1-git-send-email-dominick.grift@gmail.com>
 <524088BD.90705@tresys.com>
 <1379961202.5366.18.camel@d30>
Message-ID: <52409037.5080705@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/23/2013 02:33 PM, Dominick Grift wrote:
> On Mon, 2013-09-23 at 14:30 -0400, Christopher J. PeBenito wrote:
>> On Mon 26 Aug 2013 03:53:55 PM EDT, Dominick Grift wrote:
>>>
>>> Signed-off-by: Dominick Grift
>>> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
>>> index 28ad538..5d0f398 100644
>>> --- a/policy/modules/system/authlogin.fc
>>> +++ b/policy/modules/system/authlogin.fc
>>> @@ -46,4 +46,4 @@
>>> /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>>> /var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>>> /var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
>>> -/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>>> +/var/((db)|(lib)|(adm))/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
>>
>> Odd. It seems to work fine for me. Maybe it is some sort of fc sort
>> problem on your system?
>
> See if it catches /var/lib/sudo. It does catch the first and the last,
> just not the one in the middle, if I remember correctly.
>
> It's not just on my system. This bug was reported by the Debian guys, I
> believe.

Looks like a fc sorting problem:

# matchpathcon /var/db/sudo
/var/db/sudo system_u:object_r:pam_var_run_t
# matchpathcon /var/lib/sudo
/var/lib/sudo system_u:object_r:var_lib_t
# matchpathcon /var/adm/sudo
/var/adm/sudo system_u:object_r:pam_var_run_t
# egrep -n 'sudo.*var_run_t' /etc/selinux/targeted/contexts/files/file_contexts
54:/var/(db|lib|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t
# egrep -n '^/var/lib.*:var_lib_t' /etc/selinux/strict/contexts/files/file_contexts
135:/var/lib(/.*)? system_u:object_r:var_lib_t

I'd rather break it into two lines, one for /var/lib/sudo and one for
/var/(db|adm)/sudo to work around this.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
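Review bot: the replacement line `+/var/((db)|(lib)|(adm))/sudo(/.*)?` is regex-equivalent to the removed `(db|lib|adm)` alternation, so it matches exactly the same paths and cannot change which context /var/lib/sudo receives; the matchpathcon output in the thread shows the miss comes from `/var/lib(/.*)?` sorting after this entry in file_contexts, not from the pattern. Splitting the entry into `/var/lib/sudo(/.*)?` and `/var/(db|adm)/sudo(/.*)?`, as proposed in the reply, gives the /var/lib case a more specific entry; the commit message should also state which path fails and why, since "did not catch paths" on its own does not explain the change.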
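To make the sort-order effect behind the matchpathcon output concrete, here is an added Python model (not refpolicy's fc_sort or libselinux code) of the fc_sort precedence rules: a literal path outranks a regex, a longer stem outranks a shorter one, a longer spec outranks a shorter one, and lookup takes the last match in sorted order. It assumes the stem is the literal prefix before the first regex metacharacter, and the entry lists are a constructed subset of the policy's file contexts.

```python
import re

# Characters fc_sort treats as regex metacharacters in a file_contexts spec.
META = ".^$?*+|[({"

def stem_len(spec):
    """Literal prefix before the first metacharacter (assumed model of the fc_sort
    stem): 5 for '/var/(db|lib|adm)/sudo(/.*)?', 8 for '/var/lib(/.*)?'."""
    for i, ch in enumerate(spec):
        if ch in META:
            return i
    return len(spec)

def specificity(entry):
    """fc_sort order, least specific first: regex < literal path,
    then shorter stem < longer stem, then shorter spec < longer spec."""
    spec = entry[0]
    is_literal = stem_len(spec) == len(spec)
    return (is_literal, stem_len(spec), len(spec))

def fc_sort(entries):
    return sorted(entries, key=specificity)

def matchpathcon(entries, path):
    """libselinux walks the sorted specs backwards, so the last match wins."""
    for spec, ctx in reversed(fc_sort(entries)):
        if re.fullmatch(spec, path):
            return ctx
    return None

# Constructed subset of the policy's file contexts, including the line from the patch.
BEFORE = [
    ("/var(/.*)?", "system_u:object_r:var_t"),
    ("/var/lib(/.*)?", "system_u:object_r:var_lib_t"),
    ("/var/run/sudo(/.*)?", "system_u:object_r:pam_var_run_t"),
    ("/var/(db|lib|adm)/sudo(/.*)?", "system_u:object_r:pam_var_run_t"),
]

# The workaround from the reply: a separate /var/lib/sudo entry, whose stem
# (/var/lib/sudo) outranks the stem of /var/lib(/.*)?.
AFTER = BEFORE[:3] + [
    ("/var/(db|adm)/sudo(/.*)?", "system_u:object_r:pam_var_run_t"),
    ("/var/lib/sudo(/.*)?", "system_u:object_r:pam_var_run_t"),
]

if __name__ == "__main__":
    for path in ("/var/db/sudo", "/var/lib/sudo", "/var/adm/sudo"):
        print(path, matchpathcon(BEFORE, path), "->", matchpathcon(AFTER, path))
```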