From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B82BB138247 for ; Sun, 12 Oct 2014 08:59:56 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 54B56E0E95; Sun, 12 Oct 2014 08:59:56 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 05E03E0E95 for ; Sun, 12 Oct 2014 08:59:55 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2D97F33BF4D for ; Sun, 12 Oct 2014 08:59:55 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id DD4BE7A0A for ; Sun, 12 Oct 2014 08:59:53 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1413104182.67ee9d7026c6e3887eb590811aa1291682945840.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 67ee9d7026c6e3887eb590811aa1291682945840
X-VCS-Branch: next
Date: Sun, 12 Oct 2014 08:59:53 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: cfb7e523-0bcc-4655-b2ac-7e76ffaf5289
X-Archives-Hash: 0816ac0958815d3669a36eb37731574a

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow the sudo application to set ownership. No errors involved (only denial) but the end result is different (group ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',` ') ifdef(`distro_gentoo',` + # Set ownership of ts directory (timestamp keeping) + allow $1_sudo_t self:capability { chown }; + # Create /var/run/sudo auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") ') ') From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1B2D9138247 for ; Sun, 12 Oct 2014 09:13:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 39E9CE0C2A; Sun, 12 Oct 2014 09:13:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6FFC1E0BF0 for ; Sun, 12 Oct 2014 09:13:44 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8FD6C3403A1 for ; Sun, 12 Oct 2014 09:13:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 44AB37A27 for ; Sun, 12 Oct 2014 09:13:41 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1413104182.67ee9d7026c6e3887eb590811aa1291682945840.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 67ee9d7026c6e3887eb590811aa1291682945840
X-VCS-Branch: master
Date: Sun, 12 Oct 2014 09:13:41 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 270e1ad0-bc16-46ba-891f-508f8d2201e8
X-Archives-Hash: 3e2025329c9ba64d6ee5fd26327ac5ad
Message-ID: <20141012091341.lXB0JCTsoEurd9FRiLGuikh5RhbOrPHNQmy1mayRfTk@z>

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow the sudo application to set ownership. No errors involved (only denial) but the end result is different (group ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',` ') ifdef(`distro_gentoo',` + # Set ownership of ts directory (timestamp keeping) + allow $1_sudo_t self:capability { chown }; + # Create /var/run/sudo auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") ') ')
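Review bot: `allow $1_sudo_t self:capability { chown };` grants CAP_CHOWN to the whole per-role sudo domain, which is broader than the stated need of setting ownership on the freshly created ts/ directory: with the capability, the domain can change owner and group on any file its other type rules already let it setattr, and nothing in the hunk scopes it to the timestamp directory. The commit message explains why a dontaudit is not enough (the denial is silent, but the directory ends up with a different group owner), and that reasoning should be carried into the policy comment, since a later reader sees only "Set ownership of ts directory" and will not know whether a dontaudit was considered. Two smaller points: the comment names "ts directory" while the neighbouring comment names the full path /var/run/sudo, so naming the full path here would keep the block consistent; and because the chown is issued by sudo itself rather than by Gentoo packaging, it is worth checking whether this rule belongs in the common part of the template rather than inside the `ifdef(`distro_gentoo'` block, where other distributions would keep hitting the same silent denial. Style: refpolicy writes a single permission without braces (`self:capability chown;`).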