sudo patch from dan.

policy/modules/admin/sudo.if

@@ -32,6 +32,7 @@ template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
+		attribute sudodomain;
 	')
 
 	##############################
@@ -39,9 +40,10 @@ template(`sudo_role_template',`
 	# Declarations
 	#
 
-	type $1_sudo_t; 
+	type $1_sudo_t, sudodomain; 
 	application_domain($1_sudo_t, sudo_exec_t)
 	domain_interactive_fd($1_sudo_t)
+	domain_role_change_exemption($1_sudo_t)
 	ubac_constrained($1_sudo_t)
 	role $2 types $1_sudo_t;
 
@@ -51,7 +53,7 @@ template(`sudo_role_template',`
 	#
 
 	# Use capabilities.
-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
@@ -64,27 +66,37 @@ template(`sudo_role_template',`
 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_sudo_t self:unix_dgram_socket sendto;
 	allow $1_sudo_t self:unix_stream_socket connectto;
-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
+	allow $1_sudo_t $3:key search;
 
 	# Enter this derived domain from the user domain
 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t, $3)
+	corecmd_bin_domtrans($1_sudo_t, $3)
 	allow $3 $1_sudo_t:fd use;
 	allow $3 $1_sudo_t:fifo_file rw_file_perms;
 	allow $3 $1_sudo_t:process sigchld;
 
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
-	kernel_search_key($1_sudo_t)
+	kernel_link_key($1_sudo_t)
 
 	dev_read_urand($1_sudo_t)
+	dev_rw_generic_usb_dev($1_sudo_t)
+	dev_read_sysfs($1_sudo_t)
 
 	fs_search_auto_mountpoints($1_sudo_t)
 	fs_getattr_xattr_fs($1_sudo_t)
 
-	auth_domtrans_chk_passwd($1_sudo_t)
+	selinux_validate_context($1_sudo_t)
+	selinux_compute_relabel_context($1_sudo_t)
+
+	term_relabel_all_user_ttys($1_sudo_t)
+	term_relabel_all_user_ptys($1_sudo_t)
+
+	auth_run_chk_passwd($1_sudo_t, $2)
 	# sudo stores a token in the pam_pid directory
 	auth_manage_pam_pid($1_sudo_t)
 	auth_use_nsswitch($1_sudo_t)
@@ -102,18 +114,55 @@ template(`sudo_role_template',`
 	files_getattr_usr_files($1_sudo_t)
 	# for some PAM modules and for cwd
 	files_dontaudit_search_home($1_sudo_t)
+	files_list_tmp($1_sudo_t)
 
 	init_rw_utmp($1_sudo_t)
 
+	logging_send_audit_msgs($1_sudo_t)
 	logging_send_syslog_msg($1_sudo_t)
 
 	miscfiles_read_localization($1_sudo_t)
 
+	seutil_search_default_contexts($1_sudo_t)
+	seutil_libselinux_linked($1_sudo_t)
+
+	userdom_spec_domtrans_all_users($1_sudo_t)
 	userdom_manage_user_home_content_files($1_sudo_t)
 	userdom_manage_user_home_content_symlinks($1_sudo_t)
 	userdom_manage_user_tmp_files($1_sudo_t)
 	userdom_manage_user_tmp_symlinks($1_sudo_t)
 	userdom_use_user_terminals($1_sudo_t)
+	userdom_use_user_terminals($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_user_home_content($1_sudo_t)
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_sudo_t)
+	')
+
+	tunable_policy(`use_samba_home_dirs',`
+		fs_manage_cifs_files($1_sudo_t)
+	')
+
+	optional_policy(`
+		dbus_system_bus_client($1_sudo_t)
+	')
+')
+
+########################################
+## <summary>
+##	Send a SIGCHLD signal to the sudo domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sudo_sigchld',`
+	gen_require(`
+		attribute sudodomain;
+	')
+
+	allow $1 sudodomain:process sigchld;
 ')

policy/modules/admin/sudo.te

@@ -1,9 +1,10 @@
 
-policy_module(sudo, 1.4.0)
+policy_module(sudo, 1.4.1)
 
 ########################################
 #
 # Declarations
+attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)