sudo avc denies: was Re: Upgrading to policy-strict RPM's

Stephen Smalley sds at epoch.ncsc.mil
Mon Jul 12 13:26:18 UTC 2004


On Mon, 2004-07-12 at 09:14, Erik Fichtner wrote:
> Actually, the user should newrole to sysadm_r before they're allowed to
> execute sudo/su.  Or, if you want to make life easier for the user,
> sudo/su could be allowed to perform a role transition on its own, but
> it should *never* change the identity.

That requires that the original SELinux user identity be authorized for
sysadm_r in the first place, in which case he can directly login or
newrole to sysadm_r.  That is contrary to the model for sudo, where you
want to authorize the user to perform specific tasks with admin
privileges without giving him access to a full admin shell.

> Nonsense.  You can allow your IDENTITIES (context users) to have the
> ability to attain an administrative role which then lets them have the
> completely orthogonal USER (unix user id).

Not sure we are communicating here.  If the SELinux user identity is
authorized for sysadm_r, then he can directly login or newrole to
sysadm_r and run anything in sysadm_r (that is executable by sysadm_t).
sudo is supposed to let you authorize a given user to perform a specific
command with admin privileges without giving them full administrative
access.

> [ For example, the system really SHOULD know the difference between
> user "emf" su'ing to user "joe" and running joe's .bashrc.  When I do
> that, I am not joe, I am merely impersonating him for some reason. ]

Yes, but as joe's .bashrc is under his control, you don't want to run it
with your own set of privileges.

> It would be really nice if this were a tunable as well, since some
> folks appear to want the identity transition, but I personally think
> that the "Strict" configuration should disable ID transition.

Easy enough to support in the policy, but you would also need a
different /etc/pam.d/su depending on your policy.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
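The identity/role/domain argument made in the reply above, as an added toy model (not code from the list post or from any real SELinux policy): the USER_ROLES and ROLE_DOMAIN tables are constructed, and the function names are assumptions, but the check shows why a sudo that only changes role grants nothing the identity could not already reach through newrole.

```python
# Added example (not from the list post): a toy model of the SELinux
# identity/role/type reasoning above. The policy tables are constructed,
# not taken from any real policy.
from dataclasses import dataclass

# Constructed: roles each SELinux user identity is authorized for (the
# "user ... roles" statements of a policy), and the domain each role runs in.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
}
ROLE_DOMAIN = {"user_r": "user_t", "staff_r": "staff_t", "sysadm_r": "sysadm_t"}


@dataclass(frozen=True)
class Context:
    user: str  # SELinux user identity, e.g. user_u
    role: str  # e.g. user_r
    type: str  # domain, e.g. user_t


def reachable_domains(ctx: Context) -> set:
    """Domains the identity can reach by itself via login or newrole,
    with no help from sudo: one per role it is authorized for."""
    return {ROLE_DOMAIN[r] for r in USER_ROLES.get(ctx.user, set())}


def newrole(ctx: Context, role: str):
    """newrole keeps the identity; it only succeeds if that identity is
    already authorized for the requested role.  Returns None on denial."""
    if role not in USER_ROLES.get(ctx.user, set()):
        return None
    return Context(ctx.user, role, ROLE_DOMAIN[role])


def sudo_transition(ctx: Context, role: str, new_user=None):
    """The two sudo designs discussed in the thread: a role transition
    only (new_user=None) or an identity change first (new_user set).
    The role must be authorized for whichever identity ends up in force."""
    user = ctx.user if new_user is None else new_user
    if role not in USER_ROLES.get(user, set()):
        return None
    return Context(user, role, ROLE_DOMAIN[role])


def sudo_adds_nothing(ctx: Context, role: str) -> bool:
    """The reply's point: if a role-only sudo transition is permitted, the
    identity could already reach that domain directly, so sudo granted
    no privilege the user lacked."""
    via_sudo = sudo_transition(ctx, role)
    return via_sudo is not None and via_sudo.type in reachable_domains(ctx)
```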