sudo: various fixes

These changes resolve these AVCs: type=AVC msg=audit(1653939111.332:1226): avc: denied { getpgid } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=1 type=AVC msg=audit(1653939111.332:1227): avc: denied { signal } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=process permissive=1 type=AVC msg=audit(1653939111.333:1228): avc: denied { getpgid } for pid=2346 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=process permissive=1 Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-05-30 17:06:55 -04:00 · 2022-05-30 17:06:55 -04:00 · b641e648df
commit b641e648df
parent 130b680729
1 changed files with 6 additions and 0 deletions
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@ -74,6 +74,9 @@ template(`sudo_role_template',`
 	allow $1_sudo_t self:key manage_key_perms;
 	dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };

+	# allow getting the process group of the parent process
+	allow $1_sudo_t $2:process getpgid;
+
 	# allow accessing /proc/pid/stat of the calling domain
 	ps_process_pattern($1_sudo_t, $2)

@ -125,6 +128,7 @@ template(`sudo_role_template',`
 	auth_use_pam($1_sudo_t)
 	auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo")

+	init_getpgid($1_sudo_t)
 	init_rw_utmp($1_sudo_t)

 	logging_send_audit_msgs($1_sudo_t)
@ -148,6 +152,8 @@ template(`sudo_role_template',`
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_user_home_content($1_sudo_t)
 	userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+	# allow forwarding signals to the child process
+	userdom_signal_all_users($1_sudo_t)

 	tunable_policy(`allow_polyinstantiation',`
 		allow $1_sudo_t self:capability sys_admin;