From 901ac5314982f5600ef11691969b9af89aeba772 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 20 Dec 2021 14:21:33 +0100
Subject: [PATCH] Allow userdomains use pam_ssh_agent_auth for passwordless
 sudo

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/901ac5314982f5600ef11691969b9af89aeba772
Conflict: NA

The pam_ssh_agent_auth module can be used for granting permissions based
on SSH agent requests. When configured for using in the sudo pam module,
it requires permissions for sudodomain to use the user socket file and
stream connect to its corresponding userdomain.

Resolves: rhbz#1917879
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/admin/sudo.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 356b150..f6df896 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -58,6 +58,8 @@ template(`sudo_role_template',`
 	allow $1_sudo_t $3:file read_file_perms;;
 	allow $1_sudo_t $3:key search;
 
+	allow $1_sudo_t $1_t:unix_stream_socket connectto;
+
 	# Enter this derived domain from the user domain
 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
 
@@ -99,6 +101,10 @@ template(`sudo_role_template',`
 	')
 
 	optional_policy(`
+		userdom_write_user_tmp_sockets($1_sudo_t)
+	')
+
+	optional_policy(`
 		usermanage_domtrans_passwd($1_sudo_t)
 	')
 ')
-- 
1.8.3.1