commit:     1006b39f0071195bfee767d215501d124892b849
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Nov  8 02:29:03 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1006b39f

Setup sudo log file type

When using the sudoers option logfile=/var/log/sudo.log it needs to create (and 
append to) the log file.

node=test123 type=AVC msg=audit(1731031593.322:16399): avc:  denied  { write } 
for  pid=5792 comm="sudo" name="/" dev="dm-5" ino=2 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:var_log_t:s0 
tclass=dir permissive=1
node=test123 type=AVC msg=audit(1731031593.322:16399): avc:  denied  { add_name 
} for  pid=5792 comm="sudo" name="sudo.log" 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:var_log_t:s0 
tclass=dir permissive=1
node=test123 type=AVC msg=audit(1731031593.322:16399): avc:  denied  { create } 
for  pid=5792 comm="sudo" name="sudo.log" 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=toor_u:object_r:var_log_t:s0 
tclass=file permissive=1
node=test123 type=AVC msg=audit(1731031593.322:16399): avc:  denied  { append 
open } for  pid=5792 comm="sudo" path="/var/log/sudo.log" dev="dm-5" ino=32 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=toor_u:object_r:var_log_t:s0 
tclass=file permissive=1
node=test123 type=AVC msg=audit(1731031593.322:16400): avc:  denied  { lock } 
for  pid=5792 comm="sudo" path="/var/log/sudo.log" dev="dm-5" ino=32 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=toor_u:object_r:var_log_t:s0 
tclass=file permissive=1
node=test123 type=AVC msg=audit(1731031593.322:16401): avc:  denied  { getattr 
} for  pid=5792 comm="sudo" path="/var/log/sudo.log" dev="dm-5" ino=32 
scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=toor_u:object_r:var_log_t:s0 
tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/sudo.if | 5 +++++
 policy/modules/admin/sudo.te | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 1e51044df..456ac215c 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -37,6 +37,7 @@ template(`sudo_role_template',`
 
        gen_require(`
                type sudo_exec_t;
+               type sudo_log_t;
                attribute sudodomain;
        ')
 
@@ -74,6 +75,10 @@ template(`sudo_role_template',`
        allow $1_sudo_t self:key manage_key_perms;
        dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 
+       allow $1_sudo_t sudo_log_t:dir add_entry_dir_perms;
+       allow $1_sudo_t sudo_log_t:file { append_file_perms create_file_perms };
+       logging_log_filetrans($1_sudo_t, sudo_log_t, file)
+
        # allow getting the process group of the parent process
        allow $1_sudo_t $2:process getpgid;
        allow $1_sudo_t $2:unix_stream_socket rw_socket_perms;
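Review bot: The file transition at `logging_log_filetrans($1_sudo_t, sudo_log_t, file)` is unnamed, so every file a `$1_sudo_t` domain creates directly under the log directory is labeled sudo_log_t, not just the sudo log. The commit message fixes the path as /var/log/sudo.log, so the transition could be narrowed to that name with `logging_log_filetrans($1_sudo_t, sudo_log_t, file, "sudo.log")`, leaving other creations in var_log_t to be audited as before. If a configurable logfile name is intended, a comment above the rule saying so would explain why the unnamed form was chosen. The sudo_role_template body begins and ends outside this hunk.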

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 9364d3768..725b91760 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -29,6 +29,9 @@ attribute sudodomain;
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
 
+type sudo_log_t;
+logging_log_file(sudo_log_t)
+
 tunable_policy(`sudo_all_tcp_connect_http_port',`
        corenet_tcp_connect_http_port(sudodomain)
 ')
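Review bot: Only sudo.te and sudo.if are touched, so no file context entry for the log file is visible in this commit; unless sudo.fc already covers it, a relabel such as restorecon on /var/log will reset /var/log/sudo.log to var_log_t and the new allow rules stop applying until the file is recreated. Adding an entry in sudo.fc along the lines of `/var/log/sudo\.log.* -- gen_context(system_u:object_r:sudo_log_t,s0)` keeps the label stable across relabels. A short comment on `type sudo_log_t;` naming the sudoers logfile option it serves would also help the next reader.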
