sudo: fixes for polyinstantiation

PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.

Signed-off-by: Kenton Groombridge <me@concord.sh>
Kenton Groombridge 2021-11-10 12:14:46 -05:00
parent 82461e6172
commit 910e36829e


@ -145,6 +145,12 @@ template(`sudo_role_template',`
userdom_dontaudit_search_user_home_content($1_sudo_t) userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_dontaudit_search_user_home_dirs($1_sudo_t) userdom_dontaudit_search_user_home_dirs($1_sudo_t)
tunable_policy(`allow_polyinstantiation',`
allow $1_sudo_t self:capability sys_admin;
fs_mount_xattr_fs($1_sudo_t)
fs_unmount_xattr_fs($1_sudo_t)
')
tunable_policy(`sudo_allow_user_exec_domains',` tunable_policy(`sudo_allow_user_exec_domains',`
allow $1_sudo_t $3:key search; allow $1_sudo_t $3:key search;
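Review bot: The added `allow $1_sudo_t self:capability sys_admin;` gives CAP_SYS_ADMIN to every role's sudo domain once `allow_polyinstantiation` is enabled, and nothing in the block says why, so a later audit cannot tell this broad capability from an accidental grant. I would put a comment above the new `tunable_policy` block, e.g. `# PAM may unmount/remount polyinstantiated tmp dirs from sudo; mounting needs sys_admin`. Judging by their names, `fs_mount_xattr_fs` and `fs_unmount_xattr_fs` cover xattr filesystems in general rather than only the private tmp directories, so it is worth confirming that no narrower interface fits. `sudo_role_template` starts and ends outside this hunk, so whether other rules in it already cover part of this access is not visible here.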