diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
index 7bddc02a..2b59ed0a 100644
--- a/policy/modules/admin/sudo.fc
+++ b/policy/modules/admin/sudo.fc
@@ -1,2 +1,4 @@
 /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0)
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index e753ac9d..cf1ca308 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
 gen_require(`
 type sudo_exec_t;
+ type sudo_db_t;
 attribute sudodomain;
 ')
@@ -47,6 +48,8 @@ template(`sudo_role_template',`
 ubac_constrained($1_sudo_t)
 role $2 types $1_sudo_t;
+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
+
 ##############################
 #
 # Local Policy
@@ -113,6 +116,7 @@ template(`sudo_role_template',`
 term_relabel_all_ttys($1_sudo_t)
 term_relabel_all_ptys($1_sudo_t)
+ term_getattr_pty_fs($1_sudo_t)
 auth_run_chk_passwd($1_sudo_t, $2)
 # sudo stores a token in the pam_pid directory
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index c368bdc0..c927b85e 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,7 @@ attribute sudodomain;
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
+
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 88fc6f6f..db965815 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -95,6 +95,10 @@ logging_send_syslog_msg(pulseaudio_t)
 miscfiles_read_localization(pulseaudio_t)
+optional_policy(`
+ alsa_read_rw_config(pulseaudio_t)
+')
+
 optional_policy(`
 bluetooth_stream_connect(pulseaudio_t)
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a80b4c71..477612ec 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
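Review bot: In sudo.if (hunk at -47,6), the added `manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` grants file management only, while the sudo.fc entry `/var/db/sudo(/.*)?` has no file-type specifier and so labels directories under that path sudo_db_t as well. If sudo creates or removes subdirectories there (not shown on this page, confirm from AVC denials), those operations stay denied; `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)` would cover them. No type transition is added either, so a /var/db/sudo created at runtime would presumably take its parent's label until relabelled. The rule also sits above the "Local Policy" banner and has no comment; something like `# sudo keeps its state under /var/db/sudo` placed with the other local rules would help. The template body starts and ends outside the hunk.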
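Review bot: In sudo.te, `files_type(sudo_db_t)` declares the new type as an ordinary file type, so it falls under any rule written against the generic file-type attribute rather than only the sudo domains. If /var/db/sudo holds sudo's authentication state (the page does not say what is stored there), write access by another domain would affect when a password is asked for again, so it is worth checking whether `files_security_file(sudo_db_t)` is the better declaration in this tree. Because the type is shared, every role's `$1_sudo_t` gets the same access to it, leaving separation between users to DAC. A one-line comment above the declaration, for example `# sudo state under /var/db/sudo`, would document the intent; the hunk also adds a trailing blank line at end of file.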
@@ -782,6 +782,8 @@ optional_policy(`
 dbus_read_config(initrc_t)
 dbus_manage_lib_files(initrc_t)
+ init_dbus_chat(initrc_t)
+
 optional_policy(`
 consolekit_dbus_chat(initrc_t)
 ')
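Review bot: The added `init_dbus_chat(initrc_t)` carries no comment saying which init script needs to exchange D-Bus messages with init, and a chat interface normally grants send_msg in both directions for the whole initrc_t domain. A short why-comment such as `# init scripts query init over D-Bus` (naming the actual consumer) would let a later reviewer judge whether the grant is still needed. This also calls the init module's own interface from init.te; if this tree follows the convention of writing rules for a module's own types directly, explicit `allow` rules between initrc_t and init_t would be more consistent. The enclosing optional_policy block begins before the hunk and closes after it.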