selinux patch breaks sudo NOEXEC capability

This problem has been reported as 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178429 against 
fc5test1/development although it exists in FC4 also (the sudo NOEXEC 
capability was not available in FC3).

Sudo 1.6.8p8 and later (maybe a bit earlier too) add a NOEXEC option.  The 
NOEXEC option is an important security feature since it suppresses a user's 
ability to "shell out" of a program such as vi to get general root access.  
When NOEXEC is working, you can use "sudo vi xxx" to edit file xxx but you 
cannot shell out (e.g., ":!bash") from vi.

If the selinux patch to the sudo package is applied, then you get the message:

   /usr/sbin/sesh: Error execing /bin/vi: Permission denied

and you cannot run vi (or anything) under sudo (when "Defaults noexec" is 
specified in the /etc/sudoers file).

A very quick look at the code says that this will not be easy to fix since 
sudo implements NOEXEC by dummying out the "exec" functions for the program 
run by sudo.  With the selinux patch applied, sudo invokes /usr/sbin/sesh 
before invoking your program and sesh is using the dummied-out exec function.

Gene

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
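As an added illustration (not code from the post, nor sudo's own sudo_noexec.so), the shim below mimics how sudo's noexec option dummies out the exec family: each stub refuses with EACCES instead of executing, so a wrapper that itself has to exec the real target, as sesh does, fails with "Permission denied" exactly as reported above. The wrapper_exec function is a constructed stand-in for sesh; only a subset of the exec functions is shown.

```c
/* Added illustration, not sudo's own sudo_noexec.so: a stand-in for the
 * LD_PRELOAD shim behind "Defaults noexec". Each exec entry point is
 * replaced by a stub that refuses with EACCES instead of executing.
 * Only a subset of the exec family is shown. */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Shared refusal: never exec, report "Permission denied". */
static int noexec_refuse(void)
{
    errno = EACCES;
    return -1;
}

/* These definitions shadow libc's, as a preloaded shim would. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return noexec_refuse();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return noexec_refuse();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return noexec_refuse();
}

/* Constructed stand-in for sesh: a wrapper that itself has to exec the
 * requested program. Under the shim it can never succeed, which is the
 * breakage described in the post. Returns 0 on success, -1 with errno set. */
int wrapper_exec(const char *prog)
{
    char *const argv[] = { (char *)prog, NULL };
    return execv(prog, argv);
}

int main(void)
{
    if (wrapper_exec("/bin/vi") == -1)
        perror("sesh-like wrapper: Error execing /bin/vi");
    return 0;
}
```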
