Merge pull request #831 from dsugar100/main

Setup sudo log file type
SELinuxProject · Nov 13, 2024 · cc6ce5d · cc6ce5d
2 parents 7718b32 + bff76ff
commit cc6ce5d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
@@ -37,6 +37,7 @@ template(`sudo_role_template',`
 
 	gen_require(`
 		type sudo_exec_t;
+		type sudo_log_t;
 		attribute sudodomain;
 	')
 
@@ -74,6 +75,10 @@ template(`sudo_role_template',`
 	allow $1_sudo_t self:key manage_key_perms;
 	dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 
+	allow $1_sudo_t sudo_log_t:dir add_entry_dir_perms;
+	allow $1_sudo_t sudo_log_t:file { append_file_perms create_file_perms };
+	logging_log_filetrans($1_sudo_t, sudo_log_t, file)
+
 	# allow getting the process group of the parent process
 	allow $1_sudo_t $2:process getpgid;
 	allow $1_sudo_t $2:unix_stream_socket rw_socket_perms;

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
@@ -29,6 +29,9 @@ attribute sudodomain;
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
 
+type sudo_log_t;
+logging_log_file(sudo_log_t)
+
 tunable_policy(`sudo_all_tcp_connect_http_port',`
 	corenet_tcp_connect_http_port(sudodomain)
 ')