From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id C64021382C5 for ; Mon, 1 Feb 2021 02:10:35 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4854CE09C0; Mon, 1 Feb 2021 02:10:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2E07DE09C0 for ; Mon, 1 Feb 2021 02:10:14 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4A647341031 for ; Mon, 1 Feb 2021 02:10:13 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 9F1FA4BE for ; Mon, 1 Feb 2021 02:10:09 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1612142502.21ac5d4937112c4cca29d52c36c91b240c2abb5f.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/admin/sudo.te X-VCS-Directories: policy/modules/admin/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 21ac5d4937112c4cca29d52c36c91b240c2abb5f X-VCS-Branch: master Date: Mon, 1 Feb 2021 02:10:09 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 8653fcb3-fe02-49ab-a84f-a615659dd414 X-Archives-Hash: 9a53431885638966d7c0b922ccc42795 commit: 21ac5d4937112c4cca29d52c36c91b240c2abb5f Author: Kenton Groombridge concord sh> AuthorDate: Tue Jan 26 23:08:54 2021 +0000 Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21ac5d49 sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/sudo.te | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 2cebeef7..2ac111d6 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,5 +1,16 @@ policy_module(sudo, 1.15.0) +## +##

+## Determine whether all sudo domains +## can connect to TCP HTTP ports. This +## is needed if an additional authentication +## mechanism via an HTTP server is +## required for users to use sudo. +##

+## +gen_tunable(sudo_all_tcp_connect_http_port, false) + ######################################## # # Declarations @@ -7,3 +18,7 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) + +tunable_policy(`sudo_all_tcp_connect_http_port',` + corenet_tcp_connect_http_port(sudodomain) +')