From 6c20f77e8039005fff7cb31557dc90e1ae6137e6 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 19 2007 16:32:44 +0000 Subject: patch from Dan for sudo: sudo should be able to getattr on all executables not just bin_t/sbin_t. Confined executeables run from sudo need this. sudo_exec_t needs to be marked as exec_type so prelink will work correctly. sudo semanage should work --- diff --git a/Changelog b/Changelog index 3af8457..5f37eed 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Patch for misc fixes in sudo from Dan Walsh. - Patch to fix netlabel recvfrom MLS constraint from Paul Moore. - Patch for handling restart of nscd when ran from useradd, groupadd, and admin passwd, from Dan Walsh. diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index da47fa9..249c3fc 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -37,7 +37,6 @@ template(`sudo_per_role_template',` gen_require(` type sudo_exec_t; - bool secure_mode; ') ############################## @@ -95,9 +94,8 @@ template(`sudo_per_role_template',` # sudo stores a token in the pam_pid directory auth_manage_pam_pid($1_sudo_t) - corecmd_getattr_bin_files($1_sudo_t) corecmd_read_sbin_symlinks($1_sudo_t) - corecmd_getattr_sbin_files($1_sudo_t) + corecmd_getattr_all_executables($1_sudo_t) domain_use_interactive_fds($1_sudo_t) domain_sigchld_interactive_fds($1_sudo_t) diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index bf3ea5f..3324d51 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,11 +1,11 @@ -policy_module(sudo,1.0.1) +policy_module(sudo,1.0.2) ######################################## # # Declarations type sudo_exec_t; -files_type(sudo_exec_t) +corecmd_executable_file(sudo_exec_t) # Remaining policy in per user domain template. diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index cc7c620..9c7095c 100644 --- a/policy/modules/kernel/corecommands.if 
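Review bot: Dropping `bool secure_mode;` from the gen_require block of `sudo_per_role_template` is only safe if no `if (secure_mode)` tunable block remains in the rest of the template, which lies outside both sudo.if hunks; if one does, the template would likely fail to expand for lack of the require. Worth confirming that the conditional was removed in the same patch, since the Changelog entry only says "misc fixes".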
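Review bot: Replacing `files_type(sudo_exec_t)` with `corecmd_executable_file(sudo_exec_t)` presumably places sudo_exec_t in the exec_type attribute, so beyond the prelink case named in the commit message every domain that carries an exec_type-wide rule (for example via `corecmd_exec_all_executables`) can now execute the sudo binary without a domain transition; that is a wider grant than the message discusses. A one-line comment next to the declaration would record the trade-off, e.g. `# exec_type so prelink can relabel sudo; this also exposes it to exec_type-wide rules`. If that exposure is not intended, keeping files_type and granting prelink its own access is the narrower option. The declaration section of sudo.te continues outside the hunk.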
+++ b/policy/modules/kernel/corecommands.if @@ -913,6 +913,27 @@ interface(`corecmd_exec_chroot',` ######################################## ## +## Get the attributes of all executable files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corecmd_getattr_all_executables',` + gen_require(` + attribute exec_type; + type bin_t, sbin_t; + ') + + allow $1 { bin_t sbin_t }:dir list_dir_perms; + getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t }) +') + +######################################## +## ## Execute all executable files. ## ## diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 1c797f4..2bf8ae0 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.5.2) +policy_module(corecommands,1.5.3) ######################################## #
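Review bot: The new `corecmd_getattr_all_executables` interface requires `attribute exec_type` but never uses it: its body only grants `getattr_files_pattern($1,{ bin_t sbin_t },{ bin_t sbin_t })`, which is the same bin_t/sbin_t getattr access the sudo.if hunk just replaced, so the commit's stated goal (getattr on all executables, not just bin_t/sbin_t) is not met and `$1_sudo_t` still cannot stat a confined executable labelled with another exec_type type. The file argument should be the attribute, `getattr_files_pattern($1,{ bin_t sbin_t },exec_type)`; as written the `attribute exec_type;` require is dead. The summary/param markup of the doc block above the interface appears to have lost its tags in extraction, so I cannot check it here.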