I have a working demonstration of my version of RBAC in Rawhide/FC8.

In my view of the world, users have two roles: User Role and Admin Role. So I might login as a staff_t user and be able to transition to webadm_r:webadm_r.

In Rawhide right now staff_t can only run sudo to become root. staff_t is not allowed to execute su. staff_t users should not know the root password.

I have hacked up a script /usr/bin/webadm which executes

    newrole -r webadm_r -t webadm_t

and newrole's pam has pam_rootok. Now I edit the /etc/sudoers and allow

    dwalsh ALL=(ALL) /usr/bin/webadm

This allows me to use sudo to become webadm_t as root. (Policy obviously has to be correct.)

But this is very cumbersome for the administrator and does not scale. I think we need to add SELinux support to sudo, so the administrator could easily add something to /etc/sudoers like

    dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/sh

then sudo would execute the code that newrole does to verify the transition and

    setexeccon(dwalsh:webadm_t:webadm_t)
    exec(/bin/sh)

I was told that you are the upstream maintainer of sudo, so I wanted your input/help on making sudo selinux aware.

Dan
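An added illustration (not code from sudo, newrole or Dan's script) of the context computation sudo would need for the proposed sudoers form: from the caller's current context (as getcon(3) would return it; the staff_u values used are constructed) and the ROLE=/TYPE= values, it builds the context that would be handed to setexeccon(3) before exec. It makes no libselinux call so it runs without the library; real sudo would still have to validate the result with security_check_context(3) and leave the allow/deny decision to policy.

```c
/* Added example, not sudo's or newrole's code: compute the exec context
 * for a sudoers entry of the proposed form
 *   dwalsh ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/sh
 * No libselinux calls; the result is what setexeccon(3) would receive. */
#include <stdio.h>
#include <string.h>

/* Extract ROLE= and TYPE= from a sudoers command spec. 0 on success. */
static int parse_role_type(const char *spec, char *role, size_t rlen,
                           char *type, size_t tlen)
{
    const char *r = strstr(spec, "ROLE="), *t = strstr(spec, "TYPE=");
    if (!r || !t) return -1;
    r += 5; t += 5;
    size_t rn = strcspn(r, " \t"), tn = strcspn(t, " \t");
    if (rn == 0 || tn == 0 || rn >= rlen || tn >= tlen) return -1;
    memcpy(role, r, rn); role[rn] = '\0';
    memcpy(type, t, tn); type[tn] = '\0';
    return 0;
}

/* Rewrite "user:role:type[:level]" with the new role and type, keeping the
 * SELinux user and any MLS/MCS level. -1 if the current context is malformed. */
static int build_exec_context(const char *cur, const char *role,
                              const char *type, char *out, size_t olen)
{
    const char *p1 = strchr(cur, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p1 || !p2 || p1 == cur || p2 == p1 + 1) return -1;  /* empty fields */
    const char *p3 = strchr(p2 + 1, ':');     /* start of optional level */
    if (p3 ? p3 == p2 + 1 : p2[1] == '\0') return -1;        /* empty type */
    if (strchr(role, ':') || strchr(type, ':')) return -1;   /* no field injection */
    int n = p3 ? snprintf(out, olen, "%.*s:%s:%s:%s", (int)(p1 - cur), cur, role, type, p3 + 1)
               : snprintf(out, olen, "%.*s:%s:%s", (int)(p1 - cur), cur, role, type);
    return (n < 0 || (size_t)n >= olen) ? -1 : 0;
}

/* Whole path for one sudoers entry: returns 1 if the context computed from
 * (cur, spec) equals expected, 0 on mismatch or any parse error. */
int exec_context_equals(const char *cur, const char *spec, const char *expected)
{
    char role[64], type[64], out[256];
    if (parse_role_type(spec, role, sizeof role, type, sizeof type) != 0) return 0;
    if (build_exec_context(cur, role, type, out, sizeof out) != 0) return 0;
    return strcmp(out, expected) == 0;
}
```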