patch from Dan for sudo:
sudo should be able to getattr on all executables not just bin_t/sbin_t. Confined executeables run from sudo need this. sudo_exec_t needs to be marked as exec_type so prelink will work correctly. sudo semanage should work
This commit is contained in:
Chris PeBenito
parent
b50f2ee48d
commit
6c20f77e80
@ -1,3 +1,4 @@
|
||||
- Patch for misc fixes in sudo from Dan Walsh.
|
||||
- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
|
||||
- Patch for handling restart of nscd when ran from useradd, groupadd, and
|
||||
admin passwd, from Dan Walsh.
|
||||
|
||||
@ -37,7 +37,6 @@ template(`sudo_per_role_template',`
|
||||
|
||||
gen_require(`
|
||||
type sudo_exec_t;
|
||||
bool secure_mode;
|
||||
')
|
||||
|
||||
##############################
|
||||
@ -95,9 +94,8 @@ template(`sudo_per_role_template',`
|
||||
# sudo stores a token in the pam_pid directory
|
||||
auth_manage_pam_pid($1_sudo_t)
|
||||
|
||||
corecmd_getattr_bin_files($1_sudo_t)
|
||||
corecmd_read_sbin_symlinks($1_sudo_t)
|
||||
corecmd_getattr_sbin_files($1_sudo_t)
|
||||
corecmd_getattr_all_executables($1_sudo_t)
|
||||
|
||||
domain_use_interactive_fds($1_sudo_t)
|
||||
domain_sigchld_interactive_fds($1_sudo_t)
|
||||
|
||||
@ -1,11 +1,11 @@
|
||||
|
||||
policy_module(sudo,1.0.1)
|
||||
policy_module(sudo,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
|
||||
type sudo_exec_t;
|
||||
files_type(sudo_exec_t)
|
||||
corecmd_executable_file(sudo_exec_t)
|
||||
|
||||
# Remaining policy in per user domain template.
|
||||
|
||||
@ -911,6 +911,27 @@ interface(`corecmd_exec_chroot',`
|
||||
allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all executable files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`corecmd_getattr_all_executables',`
|
||||
gen_require(`
|
||||
attribute exec_type;
|
||||
type bin_t, sbin_t;
|
||||
')
|
||||
|
||||
allow $1 { bin_t sbin_t }:dir list_dir_perms;
|
||||
getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute all executable files.
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(corecommands,1.5.2)
|
||||
policy_module(corecommands,1.5.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user