selinux patch breaks sudo NOEXEC capability

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 20 15:39:23 UTC 2006


On Fri, 2006-01-20 at 10:26 -0500, Gene Czarcinski wrote:
> This problem has been reported as 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178429 against 
> fc5test1/development although it exists in FC4 also (the sudo NOEXEC 
> capability was not available in FC3).
> 
> Sudo 1.6.8p8 and later (maybe a bit earlier too) add a NOEXEC option.  The 
> NOEXEC option is an important security feature since it suppresses a user's 
> ability to "shell out" of a program such as vi to get general root access.  
> When NOEXEC is working, you can use "sudo vi xxx" to edit file xxx but you 
> cannot shell out (e.g., ":!bash") from vi.
> 
> If the selinux patch to the sudo package is applied, then you get the message:
> 
>    /usr/sbin/sesh: Error execing /bin/vi: Permission denied
> 
> and you cannot run vi (or anything) under sudo (when "Defaults noexec" is 
> specified in the /etc/sudoers file).
> 
> A very quick look at the code says that this will not be easy to fix since 
> sudo implements NOEXEC by dummying out the "exec" functions for the program 
> run by sudo.  With the selinux patch applied, sudo invokes /usr/sbin/sesh 
> before invoking your program and sesh is using the dummied-out exec function.

Per other discussions on separating role changes from Unix user identity
changes on selinux list and redhat-lspp list, I think that the sudo and
usermode selinux patches should just be reverted altogether (except
possibly for permission checking code in userhelper for its obscure
passwd manipulation interfaces).  This would be consistent with the
removal of pam_selinux from su's pam configuration, and bring us back to
the original SELinux model prior to Fedora integration.  seusers can
then be used to authorize Unix users for SELinux user identities aka
role sets.

-- 
Stephen Smalley
National Security Agency
