RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

New sudo manages timestamp directory in /var/run/sudo 

Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
This commit is contained in:
Sven Vermeulen 2014-11-22 22:16:36 +01:00 committed by Chris PeBenito
parent f0ebf14176
commit 2b642954a6
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
policy/modules/admin/sudo.if
View File

@ -52,7 +52,7 @@ template(`sudo_role_template',`
#
# Use capabilities.
allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
@ -117,6 +117,7 @@ template(`sudo_role_template',`
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
auth_use_nsswitch($1_sudo_t)
init_rw_utmp($1_sudo_t)