On 11.03.2004 07:36, Stephen Smalley wrote:
> sudo authenticates the current user, not the target user,

Well, sudo + sudoers does authenticate the "I am somebody who can act on behalf of the target user", why is this insufficient?

> so having it change the SELinux user identity would be dangerous.

Even if explicitly permitted by sudoers?

> It can change roles (if the current user identity is authorized for the role) via the -r option. Hence, if you add yourself to policy/users and authorize yourself for staff_r and sysadm_r and reload your policy, then you should be able to do sudo -r sysadm_r <command>.
Do you expect everybody who is used to doing things via sudo (a lot of places where more than one user has admin access have policies insisting on sudo - in particular because sudo will log everything) to be willing to figure this out? Why does this information (e.g. "user x is allowed to act as root when re-authenticated") have to be listed in _two_ separate places (sudoers and policies)?
> In order to have sudo safely change the SELinux user identity (to root),
> you would need another mechanism for specifying what roles/domains are
> permitted to the calling user, e.g. new fields in /etc/sudoers.

That would be the best solution IMHO. Should I file a Bugzilla RFE?

> Even then, you still need to start from staff_r in order to reach sysadm_r; the policy doesn't allow user_r to transition to sysadm_r (if SELinux is in enforcing mode).

Not sure I understand what you are saying - it works with su, why can't it be made to work with sudo?
----
On 11.03.2004 13:17, Jeff Johnson wrote:
> All true.
>
> But there's always sudo su -
I wish it was that easy...
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { read } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.930:0): avc: denied { search } for pid=20828 exe=/bin/su dev= ino=791 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=dir
audit(1079073344.930:0): avc: denied { read write } for pid=20828 exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1079073344.930:0): avc: denied { compute_av } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073344.935:0): avc: denied { read } for pid=20828 exe=/bin/su name=shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073344.935:0): avc: denied { getattr } for pid=20828 exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073345.026:0): avc: denied { compute_user } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.079:0): avc: denied { check_context } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { compute_relabel } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { relabelfrom } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { relabelto } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { write } for pid=20828 exe=/bin/su name=exec dev= ino=1364983829 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=file
audit(1079073345.080:0): avc: denied { setexec } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
audit(1079073345.082:0): avc: denied { setuid } for pid=20829 exe=/bin/su capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1079073345.083:0): avc: denied { transition } for pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.083:0): avc: denied { siginh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { rlimitinh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { noatsecure } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
-- Aleksey Nogin
Home Page: http://nogin.org/ E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxx (personal) Office: Jorgensen 70, tel: (626) 395-2907
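A denial chain like the one quoted above is easier to read once the lines are grouped by source context, target context and object class. The following is an added example, not code from the thread or from the SELinux project: it parses the AVC denial format shown above (with a few of the quoted lines as sample input) and lists the blocked domain transitions.

```python
import re
from collections import defaultdict

# Field layout of the 2004-era denials quoted in this thread:
# audit(<secs>.<msecs>:<serial>): avc: denied { perm ... } for pid=N exe=... tclass=<class>
AVC_RE = re.compile(r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*denied\s*"
                    r"\{(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # key=value pairs; "dev= " has an empty value

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "perms": frozenset(m.group("perms").split())}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec

def summarize(lines):
    """Group denied permissions by (scontext, tcontext, tclass).
    Each key is one candidate allow rule; the set is the permissions it would need."""
    groups = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec is not None:
            groups[(rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"))] |= rec["perms"]
    return dict(groups)

def find_transitions(lines):
    """List denied domain transitions (source domain -> target domain), which show
    where the sudo -> su -> shell chain actually broke."""
    return [(rec["scontext"], rec["tcontext"]) for rec in map(parse_avc, lines)
            if rec and rec.get("tclass") == "process" and "transition" in rec["perms"]]

# A subset of the denials quoted in the message above.
SAMPLE = [
    "audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file",
    "audit(1079073344.935:0): avc: denied { read } for pid=20828 exe=/bin/su name=shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file",
    "audit(1079073344.935:0): avc: denied { getattr } for pid=20828 exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file",
    "audit(1079073345.080:0): avc: denied { relabelto } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file",
    "audit(1079073345.083:0): avc: denied { transition } for pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process",
]

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print("denied transitions:", find_transitions(SAMPLE))
```

The grouped output shows the two separate problems in the thread: sudo_t is not allowed to execute su_exec_t at all, and even once su runs, user_t is denied the transition into sysadm_t.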