[redhat-lspp] Reviewing the sudo patch.

Daniel J Walsh dwalsh at redhat.com
Wed Dec 14 21:47:21 UTC 2005


Chad Hanson wrote:
> Hi Dan,
>
> We believe the security range should stay the same as the calling process. This
> is something we would like for su as well. If we could remove the
> pam_selinux from su so that the selinux identity, role, type stay the same
> across su. I think we discussed with Stephen awhile back in a meeting and
> this change would go back to original selinux implementation of su/pam.
>
> -Chad
>   
So if we back the patch out of su and sudo, we end up with
unconfined_t staying as unconfined_t for targeted, will still transition 
if an unconfined transition would happen.

And strict and MLS requiring a newrole before calling to have anything 
work correctly?

So I guess we can remove the patches, since they were originally added 
to make strict policy livable.

Does this sound reasonable to you Stephen?

Dan
>   
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Friday, December 09, 2005 11:09 AM
>> To: redhat-lspp
>> Subject: [redhat-lspp] Reviewing the sudo patch.
>>
>>
>> How should sudo work with MLS?  Should it?
>>
>> Basically I am trying to figure out how sudo should work with 
>> sensitivity levels.
>>
>> Should it maintain the security range of the user running sudo?  Or 
>> should it get the range of the user being sudo to? (Usually root.)
>>
>>     

