On Fri, Jul 09, 2004 at 12:15:58PM -0400, Stephen Smalley wrote:
> > audit(1089381994.953:0): avc: denied { execute_no_trans } for pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t tclass=file
> >
> > I receive the same results if running in staff_r or sysadm_r as well.
>
> sudo is presently broken; the SELinux patch and policy for it are being
> reworked. Hopefully there will be something newer in rawhide soon.

That reminds me.... I had this same problem, and I just worked around it by allowing the avc denies for sudo, and now sudo works as I expected it to.

What IS unexpected is that su changes the user's context from "user_u" (or "emf" or whatever username, naturally..) to "root"... Thus, we lose the context audit trail of who was puttering around as root.

Back in the old 2.4 (pre-xattr) SELinux, su never did this (it only changed uid to 0 and left the context alone), and from my casual reading of the flask papers, this was on purpose. (ie: it was my understanding that the USER would never ever change, but the ROLE and TYPE could)

So what gives?

Thanks...

-- 
Erik Fichtner; Unix Ronin
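An added example (not from the thread or from SELinux itself) that parses AVC denial records of the form quoted above into their fields, splits the `scontext`/`tcontext` values into SELinux user, role and type, and checks the invariant the mail expects of su: the SELinux user part of the context must survive a role/type change. The second log line is constructed here to show a context whose user identity did change.

```python
import re

# Constructed sample log: the AVC line quoted in the thread, plus a made-up
# second line whose source context carries the "root" SELinux user.
SAMPLE_LOG = """\
audit(1089381994.953:0): avc: denied { execute_no_trans } for pid=845 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=sda3 ino=32091 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1089382000.100:0): avc: denied { read } for pid=900 exe=/bin/cat path=/etc/shadow dev=sda3 ino=4711 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)


def parse_context(ctx):
    """Split 'user:role:type[:range]' into its parts; the MLS range, if any, is ignored."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a user:role:type context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2]}


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after 'for ' is a run of key=value tokens.
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split(), **fields}
    if "scontext" in rec:
        rec["source"] = parse_context(rec["scontext"])
    if "tcontext" in rec:
        rec["target"] = parse_context(rec["tcontext"])
    return rec


def parse_log(text):
    """Return the parsed AVC records found in a block of audit log text."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def user_identity_preserved(before_ctx, after_ctx):
    """True if the SELinux user is unchanged across a transition (role and type may differ)."""
    return parse_context(before_ctx)["user"] == parse_context(after_ctx)["user"]


def records_with_root_user(records):
    """Denials whose source context already lost the per-user identity (SELinux user 'root')."""
    return [r for r in records if r.get("source", {}).get("user") == "root"]
```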