From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 952651387B2 for ; Sun, 12 Oct 2014 08:44:38 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 24FF6E0E26; Sun, 12 Oct 2014 08:44:38 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 94185E0C9B for ; Sun, 12 Oct 2014 08:44:37 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B5A663403A1 for ; Sun, 12 Oct 2014 08:44:36 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7150F7A18 for ; Sun, 12 Oct 2014 08:44:35 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1413103253.733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
X-VCS-Branch: next
Date: Sun, 12 Oct 2014 08:44:35 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: de5c21bb-d417-4a7a-8f8b-93f4ef1fdae5
X-Archives-Hash: 8c406bf12f597ec0a0e4cc63d89ec0ef

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it. Grant it this privilege and have this directory
be labeled as pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',` fprintd_dbus_chat($1_sudo_t) ') + ifdef(`distro_gentoo',` + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") + ') ') ########################################
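Review bot: the added auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") only installs the name-based type transition (plus, through filetrans_pattern, write access to var_run_t); it does not by itself allow $1_sudo_t to `create` a directory of type pam_var_run_t, so the fix relies on sudo_role_template already granting that (for instance via an auth_manage_pam_pid call, which this hunk does not show). Please confirm that call is present, or add the manage rule next to the new line, otherwise the mkdir still fails, now against the pam_var_run_t label. Two smaller points: a type_transition only labels the directory when sudo itself creates it, so check that sudo.fc carries a matching /var/run/sudo(/.*)? entry for pam_var_run_t so that restorecon agrees with the transition; and since the timestamp directory path is a build-time setting of sudo rather than anything Gentoo-specific, consider whether the rule belongs upstream instead of behind ifdef(`distro_gentoo').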
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1413103253.733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
X-VCS-Branch: master
Date: Sun, 12 Oct 2014 09:13:41 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d5a2b72e-1b5f-42bf-962b-33c3e9173e4f
X-Archives-Hash: 3d06be2a2386aca684361237c5cb7b5b
Message-ID: <20141012091341.g03feIvGMY1bkPp6VDp-HUnbaxd20ZefUntmEQxacC8@z>

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it. Grant it this privilege and have this directory
be labeled as pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',` fprintd_dbus_chat($1_sudo_t) ') + ifdef(`distro_gentoo',` + auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") + ') ') ########################################
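As an added illustration (not part of this commit or of refpolicy), a toy model of the two checks the kernel makes on mkdir() under SELinux, with hand-written approximations of the rules the interfaces in the hunk expand to. It assumes sudo_role_template already grants manage permissions on pam_var_run_t (refpolicy's auth_manage_pam_pid), which the hunk itself does not show, and uses staff_sudo_t as the instantiated domain name.

```python
# Toy model of how the kernel decides a mkdir() under SELinux, built around this
# commit: staff_sudo_t (sudo_role_template instantiated for the staff role)
# creating /var/run/sudo inside a parent directory labelled var_run_t.
# Added example, not refpolicy code. The rule sets below are hand-written
# approximations of what the refpolicy interfaces expand to; the assumption
# that sudo_role_template already contains auth_manage_pam_pid() is modelled
# by the manage_pam_pid flag, since that call is not visible in the hunk.

def new_type(transitions, src, parent, cls, name):
    """A name-based type_transition wins, then an unnamed one, else the new
    object inherits its parent's type."""
    return (transitions.get((src, parent, cls, name))
            or transitions.get((src, parent, cls, None))
            or parent)

def mkdir(allows, transitions, src, parent, name):
    """Return (ok, resulting_type, denial). The kernel checks add_name on the
    parent directory first, then create on the type the NEW directory gets."""
    if (src, parent, "dir", "add_name") not in allows:
        return False, None, f"{src} add_name on {parent}"
    new = new_type(transitions, src, parent, "dir", name)
    if (src, new, "dir", "create") not in allows:
        return False, new, f"{src} create on {new}"
    return True, new, None

def sudo_policy(with_patch, manage_pam_pid=True):
    """Rules relevant to the sudo domain before/after the hunk (approximated)."""
    d = "staff_sudo_t"
    allows, transitions = set(), {}
    if manage_pam_pid:  # auth_manage_pam_pid -> manage_dirs_pattern on pam_var_run_t
        for perm in ("search", "add_name", "remove_name", "create", "rmdir"):
            allows.add((d, "pam_var_run_t", "dir", perm))
    if with_patch:      # auth_pid_filetrans_pam_var_run(d, dir, "sudo"), which
        # via filetrans_pattern grants rw_dir_perms on var_run_t plus a
        # name-based transition for the directory entry "sudo"
        for perm in ("search", "add_name", "remove_name"):
            allows.add((d, "var_run_t", "dir", perm))
        transitions[(d, "var_run_t", "dir", "sudo")] = "pam_var_run_t"
    return allows, transitions

def try_mkdir_var_run_sudo(with_patch, manage_pam_pid=True):
    allows, transitions = sudo_policy(with_patch, manage_pam_pid)
    return mkdir(allows, transitions, "staff_sudo_t", "var_run_t", "sudo")

if __name__ == "__main__":
    print("before the patch:", try_mkdir_var_run_sudo(False))
    print("after the patch: ", try_mkdir_var_run_sudo(True))
    # The transition alone is not enough: without create on pam_var_run_t the
    # mkdir is still refused, now against the transitioned-to type.
    print("patch, no manage_pam_pid:", try_mkdir_var_run_sudo(True, False))
```

The third case is the one to check on a real system with sesearch: the named transition must be paired with create permission on the target type, or the directory is still refused.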