How do I make sudo "trusted"?

Stephen Smalley sds at epoch.ncsc.mil
Fri Mar 12 12:56:41 UTC 2004


On Thu, 2004-03-11 at 16:17, Jeff Johnson wrote:
> All true.
> 
> But there's always
>     sudo su -

With SELinux in enforcing mode, that would still require root password
authentication; pam_rootok performs a SELinux permission check (in
addition to the usual test) to see whether the calling domain is
authorized to bypass normal authentication.  And the role and domain
transitions would still need to be authorized; if you started from
user_r, SELinux wouldn't let you get to sysadm_r (unless someone has
messed up the policy).
  
-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



