[redhat-lspp] Reviewing the sudo patch.
Daniel J Walsh
dwalsh at redhat.com
Wed Dec 14 21:47:21 UTC 2005
Chad Hanson wrote:
> Hi Dan,
>
> We believe the security range should stay the same as the calling process. This
> is something we would like for su as well. If we could remove the
> pam_selinux from su so that the selinux identity, role, type stay the same
> across su. I think we discussed with Stephen a while back in a meeting and
> this change would go back to original selinux implementation of su/pam.
>
> -Chad
>
So if we back the patch out of su and sudo, we end up with
unconfined_t staying as unconfined_t for targeted, will still transition
if an unconfined transition would happen.
And strict and MLS requiring a newrole before calling to have anything
work correctly?
So I guess we can remove the patches, since they were originally added
to make strict policy livable.
Does this sound reasonable to you Stephen?
Dan
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Friday, December 09, 2005 11:09 AM
>> To: redhat-lspp
>> Subject: [redhat-lspp] Reviewing the sudo patch.
>>
>>
>> How should sudo work with MLS? Should it?
>>
>> Basically I am trying to figure out how sudo should work with
>> sensitivity levels.
>>
>> Should it maintain the security range of the user running sudo? Or
>> should it get the range of the user being sudo to? (Usually root.)
>>
>>