Re: How do I make sudo "trusted"?
- From: Aleksey Nogin <aleksey nogin org>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: How do I make sudo "trusted"?
- Date: Wed, 17 Mar 2004 20:13:33 -0800
On 15.03.2004 20:38, Daniel J Walsh wrote:

sudo_t transitions to another domain upon executing shell_exec_t. If
you execute a binary that's not of type shell_exec_t then that
doesn't work.

Is there a reason for that? This is kind of unfortunate - one of the
big advantages of sudo is that it logs everything and having to
execute the shell first is kind of inconvenient. Can transition on an
ordinary bin_t be added?

I have just modified sudo to exec
$SHELL -c COMMAND when in SELinux mode.

This is indeed a big security hole - see
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118602

This should cause the transitions to happen properly.

Nope.

audit(1079581466.332:0): avc: denied { transition } for pid=3247
exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912
scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t
tclass=process

on calling

sudo -r system_r -t sysadm_t id
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin cs caltech edu (office), aleksey nogin org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
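
Added example, not part of the original message or of sudo or the SELinux tools: a small Python parser that breaks the AVC record quoted above into its fields and summarises a denied process transition (source domain, target domain, executed path, requested role change). The function names are hypothetical, and the parser assumes the space-separated key=value layout shown in the message.

```python
import re

# The denial quoted in the message, re-joined onto one line (the mail wrapped it).
SAMPLE = (
    "audit(1079581466.332:0): avc: denied { transition } for pid=3247 "
    "exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 "
    "scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t "
    "tclass=process"
)

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def split_context(ctx):
    """Split user:role:type[:level] into its parts; a trailing level is ignored."""
    parts = ctx.split(":")
    if len(parts) < 3:
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2]}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not a usable one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    source = split_context(fields.get("scontext", ""))
    target = split_context(fields.get("tcontext", ""))
    if source is None or target is None:
        return None
    return {"result": m.group(1), "perms": m.group(2).split(),
            "tclass": fields.get("tclass"), "exe": fields.get("exe"),
            "path": fields.get("path"), "source": source, "target": target}


def describe_transition(rec):
    """Summarise a denied process transition; None for any other record."""
    if rec is None or rec["result"] != "denied":
        return None
    if rec["tclass"] != "process" or "transition" not in rec["perms"]:
        return None
    src, tgt = rec["source"], rec["target"]
    roles = (src["role"], tgt["role"])
    return {"from_domain": src["type"], "to_domain": tgt["type"],
            "executed_path": rec["path"],
            "role_change": roles if roles[0] != roles[1] else None}
```
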