Re: How do I make sudo "trusted"?

On 15.03.2004 20:38, Daniel J Walsh wrote:

sudo_t transitions to another domain upon executing shell_exec_t. If you execute a binary that's not of type shell_exec_t then that doesn't work.



Is there a reason for that? This is kind of unfortunate - one of the big advantages of sudo is that it logs everything and having to execute the shell first is kind of inconvenient. Can transition on an ordinary bin_t be added?


I have just modified sudo to exec $SHELL -c COMMAND when in SELinux mode.

This is indeed a big security hole - see https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118602


This should cause the transitions to happen properly.

Nope.

audit(1079581466.332:0): avc: denied { transition } for pid=3247 exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t tclass=process

on calling
sudo -r system_r -t sysadm_t id

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin@xxxxxxxxxxxxxx (office), aleksey@xxxxxxxxx (personal)
Office: Jorgensen 70, tel: (626) 395-2907
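
An added example, not part of the original message and not code from sudo or the SELinux tools: a small parser for the AVC denial quoted above that splits the source and target contexts, reports which components differ, and prints the denied access in policy `allow` syntax. The function names are hypothetical; the sample line is copied from the message.

```python
import re

# Denial record copied from the message above.
SAMPLE = ("audit(1079581466.332:0): avc: denied { transition } for pid=3247 "
          "exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 "
          "scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t "
          "tclass=process")

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_context(ctx):
    """Split user:role:type, ignoring any trailing MLS level."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return dict(zip(("user", "role", "type"), parts[:3]))

def parse_avc(line):
    """Parse one AVC record into its permissions, key=value fields and contexts."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    # Simplification: assumes no field value contains whitespace.
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {
        "result": m["result"],
        "perms": m["perms"].split(),
        "fields": fields,
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def summarize(rec):
    """Return (context components that change, denied access as an allow rule)."""
    src, tgt = rec["source"], rec["target"]
    changed = [k for k in ("user", "role", "type") if src[k] != tgt[k]]
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = f"allow {src['type']} {tgt['type']}:{rec['tclass']} {perm_text};"
    return changed, rule

if __name__ == "__main__":
    changed, rule = summarize(parse_avc(SAMPLE))
    print("components that change:", ", ".join(changed))
    print("denied access as a rule:", rule)
```

For this record the role changes as well as the type, which a type-enforcement `allow` rule by itself does not describe; the printed rule states what was denied and is not a recommendation to add it to policy.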
