Remove complement (~) and wildcard (*) in allow rules so that there are no
unintentional additions when new permissions are declared.
This patch does not add or remove permissions from any rules.
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.
Hence the dontaudit call.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When using sudo with SELinux integrated support, the sudo domains need to be able to create user keys. Without this
privilege, any command invoked like "sudo /etc/init.d/local status" will run within the sudo domain (sysadm_sudo_t)
instead of the sysadm_t domain (or whatever domain is mentioned in the sudoers file).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
sudo should be able to getattr on all executables not just
bin_t/sbin_t. Confined executeables run from sudo need this.
sudo_exec_t needs to be marked as exec_type so prelink will work correctly.
sudo semanage should work
Chris PeBenito
Russell Coker
cgzones
Sven Vermeulen
Chris PeBenito
Dominick Grift
Chris PeBenito