selinux-refpolicy/policy/modules/admin/sudo.if

## <summary>Execute a command with a substitute user</summary>

#######################################
## <summary>
##	The role template for the sudo module.
## </summary>
## <desc>
##	<p>
##	This template creates a derived domain which is allowed
##	to change the linux user id, to run commands as a different
##	user.
##	</p>
## </desc>
## <param name="role_prefix">
##	<summary>
##	The prefix of the user role (e.g., user
##	is the prefix for user_r).
##	</summary>
## </param>
## <param name="user_role">
##	<summary>
##	The user role.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The user domain associated with the role.
##	</summary>
## </param>
#
template(`sudo_role_template',`

	gen_require(`
		type sudo_exec_t;
		attribute sudodomain;
	')

	##############################
	#
	# Declarations
	#

	type $1_sudo_t, sudodomain;
	userdom_user_application_domain($1_sudo_t, sudo_exec_t)
	domain_interactive_fd($1_sudo_t)
	domain_role_change_exemption($1_sudo_t)
	role $2 types $1_sudo_t;

	##############################
	#
	# Local Policy
	#

	# Use capabilities.
	allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource };
	allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate };
	allow $1_sudo_t self:process { setexec setrlimit };
	allow $1_sudo_t self:fd use;
	allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
	allow $1_sudo_t self:shm create_shm_perms;
	allow $1_sudo_t self:sem create_sem_perms;
	allow $1_sudo_t self:msgq create_msgq_perms;
	allow $1_sudo_t self:msg { send receive };
	allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
	allow $1_sudo_t self:unix_dgram_socket sendto;
	allow $1_sudo_t self:unix_stream_socket connectto;
	allow $1_sudo_t self:key manage_key_perms;

	allow $1_sudo_t $3:key search;

	# Transmit SIGWINCH to children
	allow $1_sudo_t $3:process signal;

	# Enter this derived domain from the user domain
	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)

	# By default, revert to the calling domain when a shell is executed.
	corecmd_shell_domtrans($1_sudo_t, $3)
	corecmd_bin_domtrans($1_sudo_t, $3)
	allow $3 $1_sudo_t:fd use;
	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
	allow $3 $1_sudo_t:process signal_perms;

	kernel_read_kernel_sysctls($1_sudo_t)
	kernel_read_system_state($1_sudo_t)
	kernel_link_key($1_sudo_t)

	corecmd_exec_all_executables($1_sudo_t)

	dev_getattr_fs($1_sudo_t)
	dev_read_urand($1_sudo_t)
	dev_rw_generic_usb_dev($1_sudo_t)
	dev_read_sysfs($1_sudo_t)

	domain_use_interactive_fds($1_sudo_t)
	domain_sigchld_interactive_fds($1_sudo_t)
	domain_getattr_all_entry_files($1_sudo_t)

	files_read_etc_files($1_sudo_t)
	files_read_var_files($1_sudo_t)
	files_read_usr_symlinks($1_sudo_t)
	files_getattr_usr_files($1_sudo_t)
	# for some PAM modules and for cwd
	files_dontaudit_search_home($1_sudo_t)
	files_list_tmp($1_sudo_t)

	fs_search_auto_mountpoints($1_sudo_t)
	fs_getattr_xattr_fs($1_sudo_t)

	selinux_validate_context($1_sudo_t)
	selinux_compute_relabel_context($1_sudo_t)

	term_getattr_pty_fs($1_sudo_t)
	term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
	term_relabel_all_ttys($1_sudo_t)
	term_relabel_all_ptys($1_sudo_t)

	auth_run_chk_passwd($1_sudo_t, $2)
	# sudo stores a token in the pam runtime directory
	auth_manage_pam_runtime_dirs($1_sudo_t)
	auth_manage_pam_runtime_files($1_sudo_t)
	auth_use_pam($1_sudo_t)
	auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo")

	init_rw_utmp($1_sudo_t)

	logging_send_audit_msgs($1_sudo_t)
	logging_send_syslog_msg($1_sudo_t)

	miscfiles_read_localization($1_sudo_t)

	seutil_read_default_contexts($1_sudo_t)
	seutil_libselinux_linked($1_sudo_t)

	userdom_spec_domtrans_all_users($1_sudo_t)
	userdom_create_all_users_keys($1_sudo_t)
	userdom_create_user_pty($1_sudo_t)
	userdom_manage_user_home_content_files($1_sudo_t)
	userdom_manage_user_home_content_symlinks($1_sudo_t)
	userdom_manage_user_tmp_files($1_sudo_t)
	userdom_manage_user_tmp_symlinks($1_sudo_t)
	userdom_setattr_user_ptys($1_sudo_t)
	userdom_use_user_terminals($1_sudo_t)
	# for some PAM modules and for cwd
	userdom_dontaudit_search_user_home_content($1_sudo_t)
	userdom_dontaudit_search_user_home_dirs($1_sudo_t)

	ifdef(`hide_broken_symptoms', `
		dontaudit $1_sudo_t $3:socket_class_set { read write };
	')

	tunable_policy(`use_nfs_home_dirs',`
		fs_manage_nfs_files($1_sudo_t)
	')

	tunable_policy(`use_samba_home_dirs',`
		fs_manage_cifs_files($1_sudo_t)
	')

	optional_policy(`
		dbus_system_bus_client($1_sudo_t)

		ifdef(`init_systemd',`
			init_dbus_chat($1_sudo_t)
		')
	')

	optional_policy(`
		fprintd_dbus_chat($1_sudo_t)
	')

')

########################################
## <summary>
##	Send a SIGCHLD signal to the sudo domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`sudo_sigchld',`
	gen_require(`
		attribute sudodomain;
	')

	allow $1 sudodomain:process sigchld;
')
add sudo 2005-08-09 19:30:43 +00:00			`## <summary>Execute a command with a substitute user</summary>`

			`#######################################`
			`## <summary>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## The role template for the sudo module.`
add sudo 2005-08-09 19:30:43 +00:00			`## </summary>`
			`## <desc>`
			`## <p>`
			`## This template creates a derived domain which is allowed`
			`## to change the linux user id, to run commands as a different`
			`## user.`
			`## </p>`
			`## </desc>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## <param name="role_prefix">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## The prefix of the user role (e.g., user`
			`## is the prefix for user_r).`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add sudo 2005-08-09 19:30:43 +00:00			`## </param>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## <param name="user_role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## The user role.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
send user role to per userdomain templates. update templated interfaces to have the prefix be the first argument 2005-08-30 15:48:57 +00:00			`## </param>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## <param name="user_domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`## The user domain associated with the role.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
send user role to per userdomain templates. update templated interfaces to have the prefix be the first argument 2005-08-30 15:48:57 +00:00			`## </param>`
add sudo 2005-08-09 19:30:43 +00:00			`#`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			template(`sudo_role_template',`
add sudo 2005-08-09 19:30:43 +00:00
fixes for module compiling 2005-09-14 00:30:10 +00:00			gen_require(`
			`type sudo_exec_t;`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`attribute sudodomain;`
fixes for module compiling 2005-09-14 00:30:10 +00:00			`')`

add sudo 2005-08-09 19:30:43 +00:00			`##############################`
			`#`
			`# Declarations`
			`#`

remove trailing whitespaces 2016-12-06 12:28:10 +00:00			`type $1_sudo_t, sudodomain;`
Add user application, tmp and tmpfs file interfaces. 2011-10-28 12:48:10 +00:00			`userdom_user_application_domain($1_sudo_t, sudo_exec_t)`
another round of renaming 2006-02-20 21:33:25 +00:00			`domain_interactive_fd($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`domain_role_change_exemption($1_sudo_t)`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`role $2 types $1_sudo_t;`
add sudo 2005-08-09 19:30:43 +00:00
			`##############################`
			`#`
			`# Local Policy`
			`#`

			`# Use capabilities.`
sudo: allow using CAP_KILL for SIGWINCH With the following process tree: LABEL UID PID PPID TTY CMD sysadm_u:sysadm_r:sysadm_t root 18146 12404 pts/0 /usr/bin/zsh sysadm_u:sysadm_r:sysadm_sudo_t root 18441 18146 pts/0 sudo -su user sysadm_u:sysadm_r:sysadm_sudo_t root 18443 18441 pts/1 sudo -su user sysadm_u:sysadm_r:sysadm_t user 18444 18443 pts/1 /usr/bin/zsh When the terminal window of the first process is resized, SIGWINCH is forwarded by process 18443, which requests capability CAP_KILL: type=AVC msg=audit(1567881640.754:13839): avc: denied { kill } for pid=18443 comm="sudo" capability=5 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_sudo_t tclass=capability permissive=0 type=SYSCALL msg=audit(1567881640.754:13839): arch=c000003e syscall=62 success=no exit=-1 a0=ffffb7f4 a1=1c a2=ffffffff a3=100 items=0 ppid=18441 pid=18443 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=690 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) type=PROCTITLE msg=audit(1567881640.754:13839): proctitle=7375646F002D73750075736572 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2019-09-14 12:00:58 +00:00			`allow $1_sudo_t self:capability { chown dac_override fowner kill setgid setuid sys_nice sys_resource };`
Remove complement and wildcard in allow rules. Remove complement (~) and wildcard (*) in allow rules so that there are no unintentional additions when new permissions are declared. This patch does not add or remove permissions from any rules. 2017-08-13 20:21:44 +00:00			`allow $1_sudo_t self:process { signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr getrlimit rlimitinh siginh transition setsockcreate dyntransition noatsecure setkeycreate };`
add sudo 2005-08-09 19:30:43 +00:00			`allow $1_sudo_t self:process { setexec setrlimit };`
			`allow $1_sudo_t self:fd use;`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1_sudo_t self:fifo_file rw_fifo_file_perms;`
add sudo 2005-08-09 19:30:43 +00:00			`allow $1_sudo_t self:shm create_shm_perms;`
			`allow $1_sudo_t self:sem create_sem_perms;`
			`allow $1_sudo_t self:msgq create_msgq_perms;`
			`allow $1_sudo_t self:msg { send receive };`
more merging from 1.27.1-15 2005-10-14 17:55:40 +00:00			`allow $1_sudo_t self:unix_dgram_socket create_socket_perms;`
			`allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;`
			`allow $1_sudo_t self:unix_dgram_socket sendto;`
			`allow $1_sudo_t self:unix_stream_socket connectto;`
Sudo patch from Dan Walsh. 2010-02-11 14:15:45 +00:00			`allow $1_sudo_t self:key manage_key_perms;`
sudo patch from dan. 2009-07-28 14:29:11 +00:00
			`allow $1_sudo_t $3:key search;`
add sudo 2005-08-09 19:30:43 +00:00
sudo: allow transmitting SIGWINCH to its child When resizing the X11 window of a terminal running sudo on a remote Debian 10 system (through ssh), sudo forwards SIGWINCH to its children (this behavior might be caused by using "Defaults use_pty" in /etc/sudoers). This leads to the following audit logs: type=AVC msg=audit(1567880108.988:13823): avc: denied { signal } for pid=15670 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:sysadm_r:sysadm_t tclass=process permissive=0 type=SYSCALL msg=audit(1567880108.988:13823): arch=c000003e syscall=62 success=no exit=-13 a0=ffffc2c9 a1=1c a2=ffffffff a3=100 items=0 ppid=15607 pid=15670 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=721 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) type=PROCTITLE msg=audit(1567880108.988:13823): proctitle=2F7573722F62696E2F7375646F002D73 The process tree (ps -ef, edited) on this remote system was: LABEL UID PID PPID TTY CMD system_u:system_r:sshd_t user 15519 15480 ? sshd: user@pts/5 sysadm_u:sysadm_r:sysadm_t user 15524 15519 pts/5 -zsh sysadm_u:sysadm_r:sysadm_sudo_t root 15607 15524 pts/5 /usr/bin/sudo -s sysadm_u:sysadm_r:sysadm_sudo_t root 15670 15607 pts/6 /usr/bin/sudo -s sysadm_u:sysadm_r:sysadm_t root 15671 15670 pts/6 /usr/bin/zsh The denied syscall was: * syscall=62: int kill(pid_t pid, int sig) * a0=ffffc2c9: pid = -15671 (process group of sudo's child) * a1=1c: sig = 28 = SIGWINCH Allow such a signal to be transmitted. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2019-09-14 11:58:39 +00:00			`# Transmit SIGWINCH to children`
			`allow $1_sudo_t $3:process signal;`

add sudo 2005-08-09 19:30:43 +00:00			`# Enter this derived domain from the user domain`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`domtrans_pattern($3, sudo_exec_t, $1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00
			`# By default, revert to the calling domain when a shell is executed.`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`corecmd_shell_domtrans($1_sudo_t, $3)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`corecmd_bin_domtrans($1_sudo_t, $3)`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`allow $3 $1_sudo_t:fd use;`
Two insignificant fixes that i stumbled on when merging dev_getattr_fs() Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-10-08 20:40:58 +00:00			`allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;`
Sudo patch from Dan Walsh. sudo gets execed by apps that leak sockets 2010-06-18 18:43:22 +00:00			`allow $3 $1_sudo_t:process signal_perms;`
add sudo 2005-08-09 19:30:43 +00:00
renaming from 20060131 interface review, round 2 2006-01-31 16:49:43 +00:00			`kernel_read_kernel_sysctls($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00			`kernel_read_system_state($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`kernel_link_key($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00
Sudo patch from Dan Walsh. 2010-02-11 14:15:45 +00:00			`corecmd_exec_all_executables($1_sudo_t)`
fix ordering of interface calls in sudo. 2009-08-05 13:48:46 +00:00
Module version bump for Dominick's sudo cleanup. 2010-10-08 18:33:04 +00:00			`dev_getattr_fs($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00			`dev_read_urand($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`dev_rw_generic_usb_dev($1_sudo_t)`
			`dev_read_sysfs($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00
fix ordering of interface calls in sudo. 2009-08-05 13:48:46 +00:00			`domain_use_interactive_fds($1_sudo_t)`
			`domain_sigchld_interactive_fds($1_sudo_t)`
			`domain_getattr_all_entry_files($1_sudo_t)`

			`files_read_etc_files($1_sudo_t)`
			`files_read_var_files($1_sudo_t)`
			`files_read_usr_symlinks($1_sudo_t)`
			`files_getattr_usr_files($1_sudo_t)`
			`# for some PAM modules and for cwd`
			`files_dontaudit_search_home($1_sudo_t)`
			`files_list_tmp($1_sudo_t)`

add sudo 2005-08-09 19:30:43 +00:00			`fs_search_auto_mountpoints($1_sudo_t)`
			`fs_getattr_xattr_fs($1_sudo_t)`

sudo patch from dan. 2009-07-28 14:29:11 +00:00			`selinux_validate_context($1_sudo_t)`
			`selinux_compute_relabel_context($1_sudo_t)`

sudo: wants to get attributes of generic pts filesystems. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-10-04 18:23:50 +00:00			`term_getattr_pty_fs($1_sudo_t)`
Hide getattr denials upon sudo invocation When sudo is invoked (sudo -i) the audit log gets quite a lot of denials related to the getattr permission against tty_device_t:chr_file for the *_sudo_t domain. However, no additional logging (that would hint at a need) by sudo, nor any functional issues come up. Hence the dontaudit call. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> 2014-03-25 20:30:04 +00:00			`term_dontaudit_getattr_unallocated_ttys($1_sudo_t)`
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users. 2010-02-11 19:20:10 +00:00			`term_relabel_all_ttys($1_sudo_t)`
			`term_relabel_all_ptys($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00
			`auth_run_chk_passwd($1_sudo_t, $2)`
Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2020-06-27 21:11:48 +00:00			`# sudo stores a token in the pam runtime directory`
			`auth_manage_pam_runtime_dirs($1_sudo_t)`
			`auth_manage_pam_runtime_files($1_sudo_t)`
pam_faillock creates files in /run/faillock These are changes needed when pam_fallock creates files in /run/faillock (which is labeled faillog_t). sudo and xdm (and probably other domains) will create files in this directory for successful and failed login attempts. v3 - Updated based on feedback type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1 type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> 2019-01-06 18:31:42 +00:00			`auth_use_pam($1_sudo_t)`
Update callers for "pid" to "runtime" interface rename. Signed-off-by: Chris PeBenito <pebenito@ieee.org> 2020-06-27 21:11:48 +00:00			`auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo")`
add sudo 2005-08-09 19:30:43 +00:00
Change initrc_var_run_t interface noun from script_pid to utmp for clarity. 2006-01-18 18:08:39 +00:00			`init_rw_utmp($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`logging_send_audit_msgs($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00			`logging_send_syslog_msg($1_sudo_t)`

			`miscfiles_read_localization($1_sudo_t)`

fix: sudo can't determine default type for sysadm_r 2019-08-28 08:46:22 +00:00			`seutil_read_default_contexts($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`seutil_libselinux_linked($1_sudo_t)`

			`userdom_spec_domtrans_all_users($1_sudo_t)`
sudo with SELinux support requires key handling When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t) instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file). Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> 2012-04-11 18:42:59 +00:00			`userdom_create_all_users_keys($1_sudo_t)`
sudo: allow using use_pty flag When /etc/sudoers contains "Defaults use_pty", sudo creates a new pseudo-pty when running a command. This is currently denied from a sysadm_u session: type=AVC msg=audit(1567807315.843:13300): avc: denied { read write } for pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0 As it seems logical for the newly-created pty to be labeled user_devpts_t, use userdom_create_user_pty() to allow this. Then, a new denial appears: type=AVC msg=audit(1567808670.441:13341): avc: denied { setattr } for pid=30256 comm="sudo" name="9" dev="devpts" ino=12 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file permissive=0 type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5 a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) On x86-64, syscall 92 is chown(). Allow this access with userdom_setattr_user_ptys(). Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2019-09-06 22:37:52 +00:00			`userdom_create_user_pty($1_sudo_t)`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_manage_user_home_content_files($1_sudo_t)`
			`userdom_manage_user_home_content_symlinks($1_sudo_t)`
			`userdom_manage_user_tmp_files($1_sudo_t)`
			`userdom_manage_user_tmp_symlinks($1_sudo_t)`
sudo: allow using use_pty flag When /etc/sudoers contains "Defaults use_pty", sudo creates a new pseudo-pty when running a command. This is currently denied from a sysadm_u session: type=AVC msg=audit(1567807315.843:13300): avc: denied { read write } for pid=5053 comm="sudo" name="ptmx" dev="devtmpfs" ino=1108 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:ptmx_t tclass=chr_file permissive=0 As it seems logical for the newly-created pty to be labeled user_devpts_t, use userdom_create_user_pty() to allow this. Then, a new denial appears: type=AVC msg=audit(1567808670.441:13341): avc: denied { setattr } for pid=30256 comm="sudo" name="9" dev="devpts" ino=12 scontext=sysadm_u:sysadm_r:sysadm_sudo_t tcontext=sysadm_u:object_r:user_devpts_t tclass=chr_file permissive=0 type=SYSCALL msg=audit(1567808670.441:13341): arch=c000003e syscall=92 success=no exit=-13 a0=563c5aac5f80 a1=0 a2=5 a3=fffffffffffff874 items=0 ppid=20934 pid=30256 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=687 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t key=(null) On x86-64, syscall 92 is chown(). Allow this access with userdom_setattr_user_ptys(). Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org> 2019-09-06 22:37:52 +00:00			`userdom_setattr_user_ptys($1_sudo_t)`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_use_user_terminals($1_sudo_t)`
add sudo 2005-08-09 19:30:43 +00:00			`# for some PAM modules and for cwd`
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_dontaudit_search_user_home_content($1_sudo_t)`
Adding dontaudit for sudo Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> 2012-03-22 20:13:34 +00:00			`userdom_dontaudit_search_user_home_dirs($1_sudo_t)`
sudo patch from dan. 2009-07-28 14:29:11 +00:00
Sudo patch from Dan Walsh. sudo gets execed by apps that leak sockets 2010-06-18 18:43:22 +00:00			ifdef(`hide_broken_symptoms', `
			`dontaudit $1_sudo_t $3:socket_class_set { read write };`
			`')`

sudo patch from dan. 2009-07-28 14:29:11 +00:00			tunable_policy(`use_nfs_home_dirs',`
			`fs_manage_nfs_files($1_sudo_t)`
			`')`

			tunable_policy(`use_samba_home_dirs',`
			`fs_manage_cifs_files($1_sudo_t)`
			`')`

			optional_policy(`
			`dbus_system_bus_client($1_sudo_t)`
sudo: Whitespace fix. 2019-01-05 19:17:18 +00:00
systemd related interfaces This patch has interface changes related to systemd support as well as policy that uses the new interfaces. 2019-01-04 07:51:18 +00:00			ifdef(`init_systemd',`
			`init_dbus_chat($1_sudo_t)`
			`')`
sudo patch from dan. 2009-07-28 14:29:11 +00:00			`')`
Sudo patch from Dan Walsh. 2010-02-11 14:15:45 +00:00
			optional_policy(`
			`fprintd_dbus_chat($1_sudo_t)`
			`')`

sudo patch from dan. 2009-07-28 14:29:11 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Send a SIGCHLD signal to the sudo domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`sudo_sigchld',`
			gen_require(`
			`attribute sudodomain;`
			`')`

			`allow $1 sudodomain:process sigchld;`
add sudo 2005-08-09 19:30:43 +00:00			`')`