How do I make sudo "trusted"?

[Stephen Smalley]

On Thu, 2004-03-11 at 10:19, Aleksey Nogin wrote:
> Contrast the following two:
> 
> % su -c id
> Password:
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
> context=root:sysadm_r:sysadm_t
> 
> % sudo id
> Password:
> uid=0(root) gid=0(root) 
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) 
> context=user_u:user_r:user_t
> 
> How do I change my local policy so have sudo grant the same sysadm 
> permissions as su does? Is it possible to make it tunable? Or is this 
> something that is very dangerous and should not be done? Thanks! 

sudo authenticates the current user, not the target user, so having it
change the SELinux user identity would be dangerous.  It can change
roles (if the current user identity is authorized for the role) via the
-r option.  Hence, if you add yourself to policy/users and authorize
yourself for staff_r and sysadm_r and reload your policy, then you
should be able to do sudo -r sysadm_r <command>.

In order to have sudo safely change the SELinux user identity (to root),
you would need another mechanism for specifying what roles/domains are
permitted to the calling user, e.g. new fields in /etc/sudoers.  Even
then, you still need to start from staff_r in order to reach sysadm_r;
the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
in enforcing mode).
 
-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency