On Thu, 2004-03-11 at 10:19, Aleksey Nogin wrote:
> Contrast the following two:
>
> % su -c id
> Password:
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=root:sysadm_r:sysadm_t
>
> % sudo id
> Password:
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> context=user_u:user_r:user_t
>
> How do I change my local policy to have sudo grant the same sysadm
> permissions as su does? Is it possible to make it tunable? Or is this
> something that is very dangerous and should not be done? Thanks!

sudo authenticates the current user, not the target user, so having it change the SELinux user identity would be dangerous. It can change roles (if the current user identity is authorized for the role) via the -r option. Hence, if you add yourself to policy/users and authorize yourself for staff_r and sysadm_r and reload your policy, then you should be able to do sudo -r sysadm_r <command>.

In order to have sudo safely change the SELinux user identity (to root), you would need another mechanism for specifying what roles/domains are permitted to the calling user, e.g. new fields in /etc/sudoers. Even then, you still need to start from staff_r in order to reach sysadm_r; the policy doesn't allow user_r to transition to sysadm_r (if SELinux is in enforcing mode).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
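The two conditions the reply describes for sudo -r can be modelled without an SELinux box. The following is an added illustration, not code from the thread or from sudo or the SELinux reference policy: it parses a constructed policy/users fragment in the old "user NAME roles { ... };" syntax, splits a context string like user_u:user_r:user_t, and decides whether a role change to sysadm_r would pass both checks (the identity is authorized for the role, and the policy allows the current role to reach it). The ROLE_ALLOW set is an assumption that encodes only what the reply states (staff_r can reach sysadm_r, user_r cannot); a real policy expresses this with role allow rules.

```python
import re

# Constructed sample in the old policy/users syntax (assumption, not from the message).
POLICY_USERS = """
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r };
user alice roles { staff_r sysadm_r };
"""

# Constructed role-transition allow-list mirroring the reply: staff_r may reach
# sysadm_r (and back), user_r may not. A real policy encodes this with role
# allow rules; this set is an assumption for the example.
ROLE_ALLOW = {("staff_r", "sysadm_r"), ("sysadm_r", "staff_r")}


def parse_policy_users(text):
    """Map each SELinux user identity to the set of roles it is authorized for."""
    roles = {}
    pattern = r"user\s+(\w+)\s+roles\s+(?:\{([^}]*)\}|(\w+))\s*;"
    for m in re.finditer(pattern, text):
        user = m.group(1)
        body = m.group(2) if m.group(2) is not None else m.group(3)
        roles[user] = set(body.split())
    return roles


def parse_context(ctx):
    """Split a security context 'user:role:type' into its first three fields."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % ctx)
    return parts[0], parts[1], parts[2]


def sudo_role_change_allowed(ctx, target_role, policy):
    """Return (allowed, reason) for 'sudo -r target_role' from context ctx.

    Check 1: the calling identity (not the target user) must be authorized for
             the requested role, because sudo authenticates the caller.
    Check 2: the policy must allow a transition from the current role to the
             requested role; user_r cannot reach sysadm_r, staff_r can.
    """
    user, role, _ = parse_context(ctx)
    authorized = policy.get(user, set())
    if target_role not in authorized:
        return False, "%s is not authorized for %s" % (user, target_role)
    if role != target_role and (role, target_role) not in ROLE_ALLOW:
        return False, "policy does not allow %s to transition to %s" % (role, target_role)
    return True, "ok"


if __name__ == "__main__":
    policy = parse_policy_users(POLICY_USERS)
    for ctx in ("user_u:user_r:user_t", "alice:staff_r:staff_t", "alice:user_r:user_t"):
        print(ctx, "->", sudo_role_change_allowed(ctx, "sysadm_r", policy))
```

The third case is the one the reply warns about: even after alice is authorized for sysadm_r in policy/users, a sudo -r sysadm_r issued from a user_r session is refused by the transition check, so the session must start in staff_r.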