Need to allow output from processes under sudo.

Recently sudo was changed back not to relabel the tty (see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213 , for example). This means that now the processes that sudo might run need to be given explicit access to the caller's tty (until something better is implemented - see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213#c2 for my description of how I think it should work).

Anyway, for now I had to add to my local policy modes:

allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t load_policy_t sysadm_mail_t ping_t traceroute_t } staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };

And this is probably still very incomplete.

Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin cs caltech edu (office), aleksey nogin org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
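
The rules in the post are described as probably incomplete; as an added example (not part of the original post), this Python script collects AVC denials against the caller's tty and temp-file types and emits allow rules in the same form, grouping source domains only when they were denied exactly the same permissions, so no domain gains more than it was denied. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the original post).
SAMPLE_LOG = """\
audit(1084000001.101:0): avc:  denied  { write } for  pid=2101 exe=/sbin/ifconfig path=/dev/pts/1 scontext=root:sysadm_r:ifconfig_t tcontext=root:object_r:staff_devpts_t tclass=chr_file
audit(1084000001.102:0): avc:  denied  { getattr } for  pid=2101 exe=/sbin/ifconfig path=/dev/pts/1 scontext=root:sysadm_r:ifconfig_t tcontext=root:object_r:staff_devpts_t tclass=chr_file
audit(1084000002.201:0): avc:  denied  { getattr write } for  pid=2102 exe=/bin/ping path=/dev/pts/1 scontext=root:sysadm_r:ping_t tcontext=root:object_r:staff_devpts_t tclass=chr_file
audit(1084000003.301:0): avc:  denied  { write } for  pid=2103 exe=/bin/traceroute path=/dev/pts/1 scontext=root:sysadm_r:traceroute_t tcontext=root:object_r:staff_devpts_t tclass=chr_file
audit(1084000004.401:0): avc:  denied  { write } for  pid=2104 exe=/usr/bin/locate path=/tmp/out scontext=root:sysadm_r:locate_t tcontext=root:object_r:staff_tmp_t tclass=file
audit(1084000005.501:0): avc:  denied  { read } for  pid=2105 exe=/usr/sbin/ntpd path=/etc/x scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
kernel: unrelated message that is not an AVC denial
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field (third component) of user:role:type[:level]."""
    return context.split(":")[2]

def collect_denials(log_text, target_types=None):
    """Map (source type, target type, class) -> set of denied permissions."""
    perms_by_triple = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        ttype = context_type(m["tcon"])
        if target_types and ttype not in target_types:
            continue  # denial against a type we are not reviewing
        key = (context_type(m["scon"]), ttype, m["tclass"])
        perms_by_triple[key].update(m["perms"].split())
    return perms_by_triple

def render_rules(perms_by_triple):
    """Emit allow rules, merging only sources with identical permission sets."""
    grouped = defaultdict(set)
    for (stype, ttype, tclass), perms in perms_by_triple.items():
        grouped[(ttype, tclass, frozenset(perms))].add(stype)
    rules = []
    for ttype, tclass, perms in sorted(grouped, key=lambda k: (k[0], k[1], sorted(k[2]))):
        sources = sorted(grouped[(ttype, tclass, perms)])
        src = sources[0] if len(sources) == 1 else "{ " + " ".join(sources) + " }"
        rules.append(f"allow {src} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    wanted = {"staff_devpts_t", "staff_tmp_t"}
    print("\n".join(render_rules(collect_denials(SAMPLE_LOG, wanted))))
```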