From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 1B2D9138247 for ; Sun, 12 Oct 2014 09:13:46 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 39E9CE0C2A; Sun, 12 Oct 2014 09:13:45 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6FFC1E0BF0 for ; Sun, 12 Oct 2014 09:13:44 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8FD6C3403A1 for ; Sun, 12 Oct 2014 09:13:42 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 44AB37A27 for ; Sun, 12 Oct 2014 09:13:41 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1413104182.67ee9d7026c6e3887eb590811aa1291682945840.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/sudo.if
X-VCS-Directories: policy/modules/admin/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 67ee9d7026c6e3887eb590811aa1291682945840
X-VCS-Branch: master
Date: Sun, 12 Oct 2014 09:13:41 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 270e1ad0-bc16-46ba-891f-508f8d2201e8
X-Archives-Hash: 3e2025329c9ba64d6ee5fd26327ac5ad
Message-ID: <20141012091341.lXB0JCTsoEurd9FRiLGuikh5RhbOrPHNQmy1mayRfTk@z>

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow the sudo application to set ownership. No errors involved (only denial), but the end result is different (group ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',` ') ifdef(`distro_gentoo',` + # Set ownership of ts directory (timestamp keeping) + allow $1_sudo_t self:capability { chown }; + # Create /var/run/sudo auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo") ') ')
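Review bot: the new rule "allow $1_sudo_t self:capability { chown };" grants CAP_CHOWN to the whole per-role sudo domain, not only for the ts/ directory that the comment names; its effective reach is every object type on which $1_sudo_t already holds setattr, so please confirm that set is as narrow as intended and widen the comment to state which directory type ts/ ends up in (the hunk itself only shows the /var/run/sudo creation via auth_pid_filetrans_pam_var_run() directly below). A second point for the comment or commit message is why the rule sits inside ifdef(`distro_gentoo'): the surrounding block is Gentoo-specific because of the /var/run/sudo filetrans, but the ownership change described is sudo behaviour rather than a Gentoo packaging detail, so if the same denial reproduces on other distributions the rule belongs in the common part of sudo_role_template (or upstream) rather than under the Gentoo conditional.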
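The commit message notes that the only symptom is an AVC denial, not an error. The snippet below is an added example, not code from this commit or from the hardened-refpolicy project: it turns such denials into candidate refpolicy allow rules (the translation step a tool like audit2allow automates) and then rewrites a role-specific type back into the $1_ form used inside sudo_role_template. The two audit records are constructed here for illustration; the role name staff, the domain staff_sudo_t and pam_var_run_t as the type of the ts/ directory are assumptions, not facts taken from the commit.

```python
import re
from typing import Any, Dict, List

# Constructed sample audit records (not from the original commit or any real host).
# The first has the shape of the denial the commit message refers to: the per-role
# sudo domain asking for CAP_CHOWN on itself while setting ownership of ts/.
# The second is a file-class denial so the target-type path of the translation is
# exercised; pam_var_run_t as the type of the ts/ directory is an assumption.
# The third is a SYSCALL record, present to show that non-AVC lines are skipped.
SAMPLE_AVCS: List[str] = [
    'type=AVC msg=audit(1413104182.101:77): avc:  denied  { chown } for  pid=4242 '
    'comm="sudo" capability=0  scontext=staff_u:staff_r:staff_sudo_t '
    'tcontext=staff_u:staff_r:staff_sudo_t tclass=capability permissive=0',
    'type=AVC msg=audit(1413104182.102:78): avc:  denied  { setattr } for  pid=4242 '
    'comm="sudo" name="ts" dev="tmpfs" ino=1337 scontext=staff_u:staff_r:staff_sudo_t '
    'tcontext=system_u:object_r:pam_var_run_t tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1413104182.101:77): arch=c000003e syscall=92 '
    'success=no exit=-13 comm="sudo"',
]

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, Any]:
    """Split one AVC denial into its permission set and the key=value fields after 'for'."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record: %r' % line)
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': sorted(m.group('perms').split()),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def _type_of(context: str) -> str:
    """user:role:type[:range] -> type (the third colon-separated component)."""
    return context.split(':')[2]


def avc_to_rule(avc: Dict[str, Any]) -> str:
    """Render the allow rule that would satisfy one denial.

    Capability checks are made against the process's own context, so when source
    and target types match on a capability class the rule is written against
    'self', which is the form the sudo.if hunk uses."""
    src = _type_of(avc['scontext'])
    tgt = _type_of(avc['tcontext'])
    own_context = avc['tclass'] in ('capability', 'capability2') and src == tgt
    target = 'self' if own_context else tgt
    return 'allow %s %s:%s { %s };' % (src, target, avc['tclass'], ' '.join(avc['perms']))


def rules_for(lines: List[str]) -> List[str]:
    """Collect the distinct allow rules implied by a batch of audit lines."""
    rules: List[str] = []
    for line in lines:
        if 'avc:' not in line or 'denied' not in line:
            continue  # SYSCALL, CWD, PATH and granted records carry no denied permission
        rule = avc_to_rule(parse_avc(line))
        if rule not in rules:
            rules.append(rule)
    return rules


def templatize(rule: str, role: str) -> str:
    """Rewrite role-specific types (staff_sudo_t) into the $1_ form used inside
    refpolicy role templates such as sudo_role_template."""
    return rule.replace(role + '_', '$1_')


if __name__ == '__main__':
    for rule in rules_for(SAMPLE_AVCS):
        print(rule, '->', templatize(rule, 'staff'))
```

Run as-is, the first record comes out, after templatize(), as exactly the line the hunk adds. The generated rules are a starting point only: whether a denial deserves an allow, a dontaudit, or a change to the file-context labelling is the reviewer's call, which is the question the commit message answers for the chown case by pointing at the visible difference in group ownership.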