From 2b642954a63fc6c3bffa690b6dfd03c6d097e455 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Sat, 22 Nov 2014 22:16:36 +0100
Subject: [PATCH] New sudo manages timestamp directory in /var/run/sudo
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does not exist (given the tmpfs nature of /var/run). This is done when sudo is run in the user prefixed domain, and requires both the chown capability as well as the proper file transition when /var/run/sudo is created.
---
 policy/modules/admin/sudo.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3ef..2ee052b7d 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
 #
 # Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
 allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow $1_sudo_t self:process { setexec setrlimit };
 allow $1_sudo_t self:fd use;
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
 auth_run_chk_passwd($1_sudo_t, $2)
 # sudo stores a token in the pam_pid directory
 auth_manage_pam_pid($1_sudo_t)
+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 auth_use_nsswitch($1_sudo_t)
 init_rw_utmp($1_sudo_t)
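Review bot: The new `chown` capability on `$1_sudo_t` in the first hunk is added without a comment, although it is the only one of the capabilities on that line that the commit message ties to a specific sudo version and a specific action (sudo 1.8.9_p5 and later creating /var/run/sudo/ts itself and fixing its ownership). Because `$1_sudo_t` is instantiated for every sudo role domain and CAP_CHOWN is a broad ownership-change privilege, a maintainer later asking whether the grant can be narrowed or made conditional needs the reason recorded next to it rather than only in git history. I would precede the allow line with `# chown: sudo >= 1.8.9_p5 creates /var/run/sudo/ts itself and sets its ownership`. The enclosing `sudo_role_template` starts and ends outside the hunk.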
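Review bot: The name-based transition `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` in the second hunk labels a directory named `sudo` created under the pid directory with the pam run type, but nothing in the hunk shows that the file-context entry for /var/run/sudo assigns that same type; if the two disagree, a relabel would leave the directory with a type that `auth_manage_pam_pid` does not cover and the timestamp handling would break again after restorecon. Presumably the .fc entry already uses the pam var_run type, since the commit message says the token was already kept there, but that is worth confirming against the authlogin and sudo file contexts. The existing comment `# sudo stores a token in the pam_pid directory` now undersells the two lines below it; I would change it to `# sudo stores a token in the pam_pid directory; sudo >= 1.8.9_p5 also creates /var/run/sudo itself when /var/run is a tmpfs`. The enclosing template continues outside the hunk.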