patch from Dan for sudo:
sudo should be able to getattr on all executables, not just bin_t/sbin_t: confined executables run from sudo need this. sudo_exec_t needs to be marked as exec_type so prelink will work correctly. With this, running semanage via sudo should work.
This commit is contained in:
parent
b50f2ee48d
commit
6c20f77e80
@ -1,3 +1,4 @@
|
|||||||
|
- Patch for misc fixes in sudo from Dan Walsh.
|
||||||
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
|
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
|
||||||
- Patch for handling restart of nscd when ran from useradd, groupadd, and
|
- Patch for handling restart of nscd when ran from useradd, groupadd, and
|
||||||
admin passwd, from Dan Walsh.
|
admin passwd, from Dan Walsh.
|
||||||
|
@ -37,7 +37,6 @@ template(`sudo_per_role_template',`
|
|||||||
|
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type sudo_exec_t;
|
type sudo_exec_t;
|
||||||
bool secure_mode;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@ -95,9 +94,8 @@ template(`sudo_per_role_template',`
|
|||||||
# sudo stores a token in the pam_pid directory
|
# sudo stores a token in the pam_pid directory
|
||||||
auth_manage_pam_pid($1_sudo_t)
|
auth_manage_pam_pid($1_sudo_t)
|
||||||
|
|
||||||
corecmd_getattr_bin_files($1_sudo_t)
|
|
||||||
corecmd_read_sbin_symlinks($1_sudo_t)
|
corecmd_read_sbin_symlinks($1_sudo_t)
|
||||||
corecmd_getattr_sbin_files($1_sudo_t)
|
corecmd_getattr_all_executables($1_sudo_t)
|
||||||
|
|
||||||
domain_use_interactive_fds($1_sudo_t)
|
domain_use_interactive_fds($1_sudo_t)
|
||||||
domain_sigchld_interactive_fds($1_sudo_t)
|
domain_sigchld_interactive_fds($1_sudo_t)
|
||||||
|
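Review bot: The first hunk drops `bool secure_mode;` from the template's gen_require block, but nothing in the commit message explains it and the hunk does not show whether the template body still references secure_mode; if any tunable_policy(`secure_mode') rule remains outside the visible lines, the module will fail to build, so please confirm the boolean is no longer used or keep the declaration. In the second hunk the replacement of corecmd_getattr_bin_files/corecmd_getattr_sbin_files with corecmd_getattr_all_executables only widens sudo's access if that interface really covers exec_type, which as added in this commit it does not yet (see the corecommands.if hunk). The sudo_per_role_template definition starts and ends outside these hunks.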
@ -1,11 +1,11 @@
|
|||||||
|
|
||||||
policy_module(sudo,1.0.1)
|
policy_module(sudo,1.0.2)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
|
|
||||||
type sudo_exec_t;
|
type sudo_exec_t;
|
||||||
files_type(sudo_exec_t)
|
corecmd_executable_file(sudo_exec_t)
|
||||||
|
|
||||||
# Remaining policy in per user domain template.
|
# Remaining policy in per user domain template.
|
||||||
|
@ -911,6 +911,27 @@ interface(`corecmd_exec_chroot',`
|
|||||||
allow $1 self:capability sys_chroot;
|
allow $1 self:capability sys_chroot;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of all executable files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`corecmd_getattr_all_executables',`
|
||||||
|
gen_require(`
|
||||||
|
attribute exec_type;
|
||||||
|
type bin_t, sbin_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 { bin_t sbin_t }:dir list_dir_perms;
|
||||||
|
getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Execute all executable files.
|
## Execute all executable files.
|
||||||
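Review bot: The new corecmd_getattr_all_executables interface requires `attribute exec_type;` but never uses it: the pattern call `getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })` grants getattr only on bin_t and sbin_t files, which is exactly what corecmd_getattr_bin_files plus corecmd_getattr_sbin_files already gave, so the summary "Get the attributes of all executable files" and the commit's stated goal for sudo are not met. The file-type argument should be the attribute, `getattr_files_pattern($1,{ bin_t sbin_t },exec_type)`, so that every exec_type file located under bin_t/sbin_t directories is covered. Note that exec_type files living in other directories would additionally need search access on their parent directories, which this interface does not grant; that is presumably left to the caller's other rules.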
|
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(corecommands,1.5.2)
|
policy_module(corecommands,1.5.3)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|