This patch is needed for sudo. Also added setkeycreatecon, although this will not work the way the code is currently. PAM activity should probably be happening after setkeycreatecon and setexeccon, but I am not sure how pam_keyinit should work here anyway. Currently you lose access to your keying material when you su or sudo. These things will not be labeled correctly as currently used.
diff -up sudo-1.6.9p13/selinux.c.selinux sudo-1.6.9p13/selinux.c --- sudo-1.6.9p13/selinux.c.selinux 2008-02-20 12:00:48.000000000 -0500 +++ sudo-1.6.9p13/selinux.c 2008-02-22 13:34:08.000000000 -0500 @@ -314,9 +314,19 @@ selinux_exec(char *role, char *type, cha if (setexeccon(new_context)) { warn("unable to set exec context to %s", new_context); - goto error; + if (security_getenforce() == 1) { + goto error; + } } + if (setkeycreatecon(new_context)) { + warn("Error! Unable to set key creation context to %s", + new_context); + if (security_getenforce() == 1) { + goto error; + } + } + #ifdef WITH_AUDIT if (send_audit_message(1, old_context, new_context, user_ttypath)) goto error;
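Review bot: In both new blocks the test `security_getenforce() == 1` fails open, because security_getenforce() returns -1 when the enforcing state cannot be read, and that case is then treated like permissive mode. Testing `security_getenforce() != 0` would take the `goto error` path for both enforcing mode and the error return. Also, when setexeccon() fails in permissive mode the code now falls through to `send_audit_message(1, old_context, new_context, user_ttypath)`, so the audit message carries new_context even though that context was not applied; the fall-through path should either record the failure or skip that message. The new warning text ("Error! Unable to set key creation context to %s") also differs in style from the existing "unable to set exec context to %s" message and could match it.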