Recently sudo was changed back not to relabel the tty (see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213 , for
example). This means that now the processes that sudo might run need to
be given explicit access to the caller's tty (until something better is
implemented - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120213#c2 for my
description of how I think it should work).
Anyway, for now I had to add to my local policy modes:
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t
load_policy_t sysadm_mail_t ping_t traceroute_t }
staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
And this is probably still very incomplete.
--
Aleksey Nogin
Home Page:
http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
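An added example, not part of the message above or of the Fedora policy sources: a small Python parser for the plain `allow` form used in the two rules above. It expands the brace sets into one (source, target, class) triple per rule, answers "does domain X have permission P on target T of class C", lists which domains still lack a permission (useful when a rule set is, as the author says, "probably still very incomplete"), and renders an expanded set back into grouped brace-set lines. It assumes only the syntax shown in the post (no attributes, `self`, `~`, `*` or m4 macros); the rule text embedded below is the post's own two rules, reproduced as the sample input.

```python
"""Parse, expand and query SELinux `allow` rules written with brace sets."""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple


class AllowRule(NamedTuple):
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


# Sample input: the two rules from the post, verbatim, as one policy fragment.
POLICY_FRAGMENT = """
allow { checkpolicy_t consoletype_t ifconfig_t iptables_t ntpd_t
load_policy_t sysadm_mail_t ping_t traceroute_t }
staff_devpts_t:chr_file { getattr read write };
allow { locate_t sysadm_mail_t } staff_tmp_t:file { getattr write };
"""

# Only the plain form `allow SRC TGT:CLS PERMS;` is handled (assumption);
# each of SRC, TGT, CLS and PERMS may be a single name or a `{ ... }` set.
_SET = r"\{[^}]*\}"
_RULE_RE = re.compile(
    r"\ballow\s+(" + _SET + r"|\S+)\s+(" + _SET + r"|[^\s:{]+)\s*:\s*("
    + _SET + r"|[^\s{;]+)\s*(" + _SET + r"|[^\s;]+)\s*;",
    re.S,
)


def _expand(token: str) -> List[str]:
    """Turn `{ a b }` or `a` into a list of names."""
    return token.strip().strip("{}").split()


def parse_allow_rules(text: str) -> Set[AllowRule]:
    """Expand every brace set so each rule names one source, target and class."""
    rules: Set[AllowRule] = set()
    for m in _RULE_RE.finditer(text):
        perms = frozenset(_expand(m.group(4)))
        for src in _expand(m.group(1)):
            for tgt in _expand(m.group(2)):
                for cls in _expand(m.group(3)):
                    rules.add(AllowRule(src, tgt, cls, perms))
    return rules


def is_allowed(rules: Iterable[AllowRule], source: str, target: str,
               tclass: str, perm: str) -> bool:
    """True if some rule grants `perm` to `source` on `target:tclass`."""
    return any(r.source == source and r.target == target
               and r.tclass == tclass and perm in r.perms for r in rules)


def missing_access(rules: Iterable[AllowRule], sources: Iterable[str], target: str,
                   tclass: str, needed: Iterable[str]) -> Dict[str, Set[str]]:
    """For each source domain, the permissions it still lacks on target:tclass."""
    rules = list(rules)
    gaps: Dict[str, Set[str]] = {}
    for src in sources:
        lacking = {p for p in needed if not is_allowed(rules, src, target, tclass, p)}
        if lacking:
            gaps[src] = lacking
    return gaps


def render_allow_rules(rules: Iterable[AllowRule]) -> str:
    """Group sources that share target, class and perms into one brace-set line."""
    groups: Dict[Tuple[str, str, FrozenSet[str]], Set[str]] = defaultdict(set)
    for r in rules:
        groups[(r.target, r.tclass, r.perms)].add(r.source)
    lines = []
    for (tgt, cls, perms), srcs in sorted(
            groups.items(), key=lambda kv: (kv[0][0], kv[0][1], sorted(kv[0][2]))):
        src_txt = " ".join(sorted(srcs))
        if len(srcs) > 1:
            src_txt = "{ " + src_txt + " }"
        lines.append("allow %s %s:%s { %s };" % (src_txt, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(lines)


if __name__ == "__main__":
    rules = parse_allow_rules(POLICY_FRAGMENT)
    print(len(rules), "expanded rules")
    print(missing_access(rules, ["ping_t", "locate_t"], "staff_devpts_t", "chr_file",
                         {"read", "write"}))
    print(render_allow_rules(rules))
```

Running it shows 11 expanded rules, reports that `locate_t` (which only has a `staff_tmp_t:file` rule) still lacks `read` and `write` on `staff_devpts_t:chr_file`, and re-renders the set as the same two grouped lines the post lists.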