On Fri, 2006-01-20 at 10:26 -0500, Gene Czarcinski wrote:
> This problem has been reported as
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178429 against
> fc5test1/development although it exists in FC4 also (the sudo NOEXEC
> capability was not available in FC3).
>
> sudo 1.6.8p8 and later (maybe a bit earlier too) adds a NOEXEC option. The
> NOEXEC option is an important security feature since it suppresses a user's
> ability to "shell out" of a program such as vi to get general root access.
> When NOEXEC is working, you can use "sudo vi xxx" to edit file xxx but you
> cannot shell out (e.g., ":!bash") from vi.
>
> If the selinux patch to the sudo package is applied, then you get the message:
>
> /usr/sbin/sesh: Error execing /bin/vi: Permission denied
>
> and you cannot run vi (or anything) under sudo (when "Defaults noexec" is
> specified in the /etc/sudoers file).
>
> A very quick look at the code says that this will not be easy to fix since
> sudo implements NOEXEC by dummying out the "exec" functions for the program
> run by sudo. With the selinux patch applied, sudo invokes /usr/sbin/sesh
> before invoking your program and sesh is using the dummied-out exec function.

Per other discussions on separating role changes from Unix user identity
changes on the selinux list and the redhat-lspp list, I think that the sudo
and usermode selinux patches should just be reverted altogether (except
possibly for the permission checking code in userhelper for its obscure
passwd manipulation interfaces). This would be consistent with the removal of
pam_selinux from su's pam configuration, and bring us back to the original
SELinux model prior to Fedora integration. seusers can then be used to
authorize Unix users for SELinux user identities aka role sets.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
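The "dummied-out exec" mechanism the thread turns on is easy to see in miniature. The following is an added example, not code from the thread and not sudo's own noexec library: a small C object that replaces the exec family (plus system and popen) with stubs that fail with EACCES, which is what a preloaded noexec library does and what produces the "Permission denied" text seen above. Built as a shared object it can be preloaded into a command; built as a normal program, the definitions interpose on libc's within that binary, so the same refusal is visible without sudo. The file name, the build commands and the try_shell_out helper are assumptions of this example.

```c
/*
 * noexec_demo.c -- added example, not sudo's sudo_noexec.c and not part
 * of the original mailing-list thread.
 *
 * "Defaults noexec" works by preloading a library whose exec family
 * always fails, so a program such as vi can no longer start a child
 * shell (":!bash").  A helper that itself has to exec the real command
 * (as sesh does for /bin/vi) inherits the same stubs and fails too.
 *
 * As a preload library (assumed file names):
 *   cc -shared -fPIC -o libnoexec_demo.so noexec_demo.c
 *   LD_PRELOAD=$PWD/libnoexec_demo.so vi      # ':!bash' is refused
 * As a stand-alone program:
 *   cc -o noexec_demo noexec_demo.c && ./noexec_demo
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

/* Every stub fails the same way: -1 with errno = EACCES, which the
 * caller prints as "Permission denied". */
static int refuse(void)
{
    errno = EACCES;
    return -1;
}

int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return refuse();
}
int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return refuse();
}
int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return refuse();
}
int execvpe(const char *file, char *const argv[], char *const envp[])
{
    (void)file; (void)argv; (void)envp;
    return refuse();
}
int fexecve(int fd, char *const argv[], char *const envp[])
{
    (void)fd; (void)argv; (void)envp;
    return refuse();
}
int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return refuse();
}
int execlp(const char *file, const char *arg, ...)
{
    (void)file; (void)arg;
    return refuse();
}
int execle(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return refuse();
}
/* system(3) and popen(3) spawn a shell under the hood, so they are
 * stubbed as well; otherwise they would be an easy way around the
 * exec stubs for a dynamically linked program. */
int system(const char *command)
{
    (void)command;
    return refuse();
}
FILE *popen(const char *command, const char *type)
{
    (void)command; (void)type;
    refuse();
    return NULL;
}

/* What ":!bash" boils down to inside an editor: try to exec a shell.
 * A real exec never returns on success, so the errno returned here
 * says why the shell-out was refused (0 would mean it went through). */
int try_shell_out(const char *shell)
{
    char *const argv[] = { (char *)shell, "-c", "id", NULL };
    if (execv(shell, argv) == -1)
        return errno;
    return 0;
}

int main(void)
{
    int err = try_shell_out("/bin/sh");
    printf("shell-out via /bin/sh refused: %s\n", strerror(err));
    return err == EACCES ? 0 : 1;
}
```

The limits of the approach follow from the code: only calls that go through libc's exported entry points are caught, so a statically linked program or one that issues the execve system call directly is not affected, which is why noexec is a convenience against casual shell-outs rather than a sandbox.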