sudo avc denies: was Re: Upgrading to policy-strict RPM's
Stephen Smalley
sds at epoch.ncsc.mil
Mon Jul 12 13:26:18 UTC 2004
On Mon, 2004-07-12 at 09:14, Erik Fichtner wrote:
> Actually, the user should newrole to sysadm_r before they're allowed to
> execute sudo/su. Or, if you want to make life easier for the user,
> sudo/su could be allowed to perform a role transition on its own, but
> it should *never* change the identity.
That requires that the original SELinux user identity be authorized for
sysadm_r in the first place, in which case he can directly login or
newrole to sysadm_r. That is contrary to the model for sudo, where you
want to authorize the user to perform specific tasks with admin
privileges without giving him access to a full admin shell.
> Nonsense. you can allow your IDENTITIES (context users) to have the
> ability to attain an administrative role which then lets them have the
> completely orthogonal USER (unix user id).
Not sure we are communicating here. If the SELinux user identity is
authorized for sysadm_r, then he can directly login or newrole to
sysadm_r and run anything in sysadm_r (that is executable by sysadm_t).
sudo is supposed to let you authorize a given user to perform a specific
command with admin privileges without giving them full administrative
access.
> [ For example, the system really SHOULD know the difference between
> user "emf" su'ing to user "joe" and running joe's .bashrc. When I do
> that, I am not joe, I am merely impersonating him for some reason. ]
Yes, but as joe's .bashrc is under his control, you don't want to run it
with your own set of privileges.
> It would be really nice if this were a tunable as well, since some
> folks appear to want the identity transition, but I personally think
> that the "Strict" configuration should disable ID transition.
Easy enough to support in the policy, but you would also need a
different /etc/pam.d/su depending on your policy.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
More information about the fedora-selinux-list
mailing list