Re: How do I make sudo "trusted"?
- From: Daniel J Walsh <dwalsh redhat com>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: How do I make sudo "trusted"?
- Date: Mon, 15 Mar 2004 23:38:47 -0500
Aleksey Nogin wrote:
> On 13.03.2004 21:15, Russell Coker wrote:
>> sudo_t transitions to another domain upon executing shell_exec_t. If
>> you execute a binary that's not of type shell_exec_t then that
>> doesn't work.
>
> Is there a reason for that? This is kind of unfortunate - one of the
> big advantages of sudo is that it logs everything and having to
> execute the shell first is kind of inconvenient. Can transition on an
> ordinary bin_t be added?

I have just modified sudo to exec

    $SHELL -c COMMAND

when in SELinux mode.
This should cause the transitions to happen properly.
SELinux will start the default shell under the context of the user, or
the context overridden by the -r qualifier. Then if
the user specified a command with context, the transition should happen.
So if the user specified

    sudo -r sysadm_r rpm -Uhv bind-9.2.3-9.i386.rpm

rpm should end up running in rpm_t context, just as if you had started
a shell as sysadm_t and executed the rpm command.

Dan
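
Added example, not part of the original message and not sudo's code: a wrapper that runs a command as `$SHELL -c COMMAND` has to flatten the argument vector into one string, and each argument must be quoted so the shell parses it back as the same single word. The function names and the `WRAP_SHELL` variable are hypothetical, and a POSIX shell is assumed.

```shell
#!/bin/sh
# Added example: flattening an argv into the one string given to "$SHELL -c".
# quote_arg, build_command_string, run_via_shell, run_naive and WRAP_SHELL
# are hypothetical names; a POSIX-compatible shell is assumed.

# Quote one argument so a POSIX shell reads it back as exactly one word:
# wrap it in single quotes and rewrite each embedded ' as '\''.
quote_arg() (
    s=$1 out= q="'"
    while :; do
        case $s in
            *"$q"*) head=${s%%"$q"*}          # text before the first '
                    out="$out$head'\\''"
                    s=${s#*"$q"} ;;           # continue after that '
            *)      out="$out$s"; break ;;
        esac
    done
    printf "'%s'" "$out"
)

# Join all arguments, each individually quoted, into one command string.
build_command_string() (
    cmd=
    for a in "$@"; do
        cmd="$cmd${cmd:+ }$(quote_arg "$a")"
    done
    printf '%s' "$cmd"
)

# Run the command through a shell with every argument boundary preserved.
run_via_shell() {
    "${WRAP_SHELL:-/bin/sh}" -c "$(build_command_string "$@")"
}

# Weak form for comparison: joining with spaces lets the shell re-split
# and re-interpret the arguments.
run_naive() {
    "${WRAP_SHELL:-/bin/sh}" -c "$*"
}

# Constructed demonstration: the second word stays one argument.
run_via_shell printf '%s\n' "one argument, not two"
```
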