On Fri, 12 Mar 2004 17:39, Aleksey Nogin <aleksey@xxxxxxxxx> wrote:
> > In order to have sudo safely change the SELinux user identity (to root),
> > you would need another mechanism for specifying what roles/domains are
> > permitted to the calling user, e.g. new fields in /etc/sudoers.
>
> That would be the best solution IMHO. Should I file a Bugzilla RFE?

Good idea. If you would like to contribute some code then that would be
appreciated; the people doing SE Linux coding are all fairly busy at the
moment...

> > But there's always
> > sudo su -
>
> I wish it was that easy...
>
> audit(1079073344.898:0): avc: denied { execute } for pid=20828
> exe=/usr/bin/sudo name=su dev=hda2 ino=3662894
> scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t
> tclass=file
> audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828
> exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t
> tclass=file

sudo_t transitions to another domain upon executing shell_exec_t. If you
execute a binary that's not of type shell_exec_t then that doesn't work.

The following may work:
sudo sh -c su -

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
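The two AVC records quoted in the thread show the usual way such a failed domain transition is triaged: pull the source type, target type, object class and denied permissions out of each record and group them. The following parser is an added example and not part of the original mail or of any SELinux tool; the sample input is the thread's own two records with the mail's line folding undone, and the field names (`scontext_type`, `tcontext_type`) are this example's own.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message, refolded into one line each.
AVC_SAMPLE = """\
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
"""

# audit(<timestamp>:<serial>): avc: denied|granted { perm perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: (?P<result>denied|granted) "
    r"\{ (?P<perms>[^}]*)\} for (?P<rest>.*)"
)


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not an AVC line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    # The remainder is a flat list of key=value pairs (pid, exe, name/path, ...).
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("rest")):
        rec[key] = val
    # A context is user:role:type[:range]; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(records):
    """Group denials by (source type, target type, class) -> set of denied permissions.

    For the page's records this yields sudo_t/su_exec_t/file -> {execute} and
    user_t/su_exec_t/file -> {entrypoint}, i.e. su_exec_t is neither executable
    from sudo_t nor an entrypoint into the domain sudo_t transitioned to."""
    groups = defaultdict(set)
    for r in records:
        if r and r["result"] == "denied":
            groups[(r["scontext_type"], r["tcontext_type"], r["tclass"])].update(r["perms"])
    return dict(groups)


if __name__ == "__main__":
    for key, perms in summarize(map(parse_avc, AVC_SAMPLE.splitlines())).items():
        print("%s -> %s (%s): %s" % (key[0], key[1], key[2], " ".join(sorted(perms))))
```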