From: "Sven Vermeulen" <swift@gentoo.org> To: gentoo-commits@lists.gentoo.org Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/ Date: Sun, 12 Oct 2014 08:59:53 +0000 (UTC) [thread overview] Message-ID: <1413104182.67ee9d7026c6e3887eb590811aa1291682945840.swift@gentoo> (raw) commit: 67ee9d7026c6e3887eb590811aa1291682945840 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sun Oct 12 08:56:22 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Oct 12 08:56:22 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70 Allow setting ownership of ts/ directory When creating the ts/ directory (in which sudo keeps timestamps), allow the sudo application to set ownership. No errors involved (only denial) but the end result is different (group ownership is different, even though there is no group privilege). --- policy/modules/admin/sudo.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index b282877..58c456b 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -161,6 +161,9 @@ template(`sudo_role_template',` ') ifdef(`distro_gentoo',` + # Set ownership of ts directory (timestamp keeping) + allow $1_sudo_t self:capability { chown }; + # Create /var/run/sudo auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") ') ')
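Review bot: the added `allow $1_sudo_t self:capability { chown };` grants CAP_CHOWN to the `$1_sudo_t` domain as a whole, while the comment above it scopes the intent to the ts directory only. The commit message says the denial produces no error and only changes the resulting group ownership, so the in-policy comment should record that, along with why an allow is preferred here over a dontaudit. The braces around the single permission are also unnecessary: `allow $1_sudo_t self:capability chown;`.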
From: "Sven Vermeulen" <swift@gentoo.org> To: gentoo-commits@lists.gentoo.org Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/ Date: Sun, 12 Oct 2014 09:13:41 +0000 (UTC) [thread overview] Message-ID: <1413104182.67ee9d7026c6e3887eb590811aa1291682945840.swift@gentoo> (raw) Message-ID: <20141012091341.lXB0JCTsoEurd9FRiLGuikh5RhbOrPHNQmy1mayRfTk@z> (raw) commit: 67ee9d7026c6e3887eb590811aa1291682945840 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sun Oct 12 08:56:22 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Oct 12 08:56:22 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70 Allow setting ownership of ts/ directory When creating the ts/ directory (in which sudo keeps timestamps), allow the sudo application to set ownership. No errors involved (only denial) but the end result is different (group ownership is different, even though there is no group privilege). --- policy/modules/admin/sudo.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index b282877..58c456b 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -161,6 +161,9 @@ template(`sudo_role_template',` ') ifdef(`distro_gentoo',` + # Set ownership of ts directory (timestamp keeping) + allow $1_sudo_t self:capability { chown }; + # Create /var/run/sudo auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") ') ')
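Review bot: the new rule sits inside the distro_gentoo ifdef block of `sudo_role_template`, but neither the comment nor the commit message says what makes setting ownership of ts/ specific to Gentoo. If sudo does this on other distributions as well, the rule belongs outside the ifdef; otherwise a short note on the Gentoo-specific behaviour next to the `# Set ownership of ts directory` comment would help the next person who touches this block.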