How do I make sudo "trusted"?
Russell Coker
russell at coker.com.au
Sun Mar 14 05:15:01 UTC 2004
On Fri, 12 Mar 2004 17:39, Aleksey Nogin <aleksey at nogin.org> wrote:
> > In order to have sudo safely change the SELinux user identity (to root),
> > you would need another mechanism for specifying what roles/domains are
> > permitted to the calling user, e.g. new fields in /etc/sudoers.
>
> That would be the best solution IMHO. Should I file a Bugzilla RFE?
Good idea. If you would like to contribute some code then that would be
appreciated, the people doing SE Linux coding are all fairly busy at the
moment...
> > But there's always
> > sudo su -
>
> I wish it was that easy...
>
> audit(1079073344.898:0): avc: denied { execute } for pid=20828
> exe=/usr/bin/sudo name=su dev=hda2 ino=3662894
> scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t
> tclass=file
> audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828
> exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894
> scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t
> tclass=file
sudo_t transitions to another domain upon executing shell_exec_t. If you
execute a binary that's not of type shell_exec_t then that doesn't work.
The following may work:
sudo sh -c su -
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
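The two AVC denials quoted above are easier to reason about once the message is pulled apart into its fields: which source domain, which target type, which object class, which permission was refused. The following parser is an added example, not code from the thread or from any SELinux tool; it takes the two denial lines from the post (rejoined where the mail client wrapped them), extracts the source and target contexts, and emits the policy rule each denial would have needed in the same `allow source target:class { perms };` form that the policy language uses. It shows that the `sudo su -` attempt is stopped at two separate points: `sudo_t` lacks `execute` on `su_exec_t`, and `user_t` is not allowed to use `su_exec_t` as an `entrypoint`.

```python
import re

# The two denials quoted in the post, rejoined where the mail wrapped them.
# Sample input reproduced from the post; not captured on a live system here.
SAMPLE_AVC_LINES = [
    "audit(1079073344.898:0): avc: denied { execute } for pid=20828 "
    "exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 "
    "scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file",
    "audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 "
    "exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 "
    "scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file",
]

# audit(<seconds>.<ms>:<serial>): avc: denied { perm [perm ...] } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$"
)
# key=value pairs; newer kernels quote some values (comm="su"), so accept both.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:range] into its components."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {
        "user": parts[0],
        "role": parts[1],
        "type": parts[2],
        "range": parts[3] if len(parts) == 4 else None,
    }


def parse_avc(line):
    """Return a dict describing one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "scontext": parse_context(fields["scontext"]),
        "tcontext": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        "fields": fields,
    }


def allow_rule(denial):
    """The TE rule that would have permitted this single denial."""
    src = denial["scontext"]["type"]
    tgt = denial["tcontext"]["type"]
    perms = " ".join(sorted(denial["perms"]))
    return f"allow {src} {tgt}:{denial['tclass']} {{ {perms} }};"


def summarize(lines):
    """Group denied permissions by (source type, target type, class)."""
    summary = {}
    for line in lines:
        d = parse_avc(line)
        if d is None or d["verdict"] != "denied":
            continue
        key = (d["scontext"]["type"], d["tcontext"]["type"], d["tclass"])
        summary.setdefault(key, set()).update(d["perms"])
    return summary


def missing_rules(lines):
    """One rule string per (source, target, class) triple, perms merged."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summarize(lines).items())
    ]


if __name__ == "__main__":
    for d in map(parse_avc, SAMPLE_AVC_LINES):
        print(f"{d['scontext']['type']} -> {d['tcontext']['type']}:{d['tclass']} "
              f"denied {d['perms']}")
    print("\n".join(missing_rules(SAMPLE_AVC_LINES)))
```

Grouping by type rather than by full context is what makes the output match the type-enforcement view of the problem: the denial tells you that the `sudo_t` domain is not permitted to execute the `su` binary at all, which is why the reply points at `shell_exec_t` as the only type `sudo_t` is set up to transition through. Emitting the rule is for understanding the denial, not a recommendation to load it; adding it would have exactly the effect the first quoted paragraph cautions about, letting sudo change the SELinux identity without the sudoers-level control it describes.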