From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@tycho.nsa.gov
Subject: SELinux version of sudo
Date: Tue, 15 Apr 2003 10:32:09 -0400
Message-ID: <3E9C17E9.2060203@redhat.com>
I have been playing around with SELinux a little and was getting aggravated at always changing roles and then having to su to root. What I really needed was the functionality of sudo and newrole combined together. So I am building a version of sudo that will take as a parameter the role and/or type to execute the program as. (I would eventually move this to the /etc/sudoers file if I can figure out how to use yacc.) I am not sure whether this is a good idea or not. It could lead to better security, since I believe most users are going to get sick of changing to sysadm_r and executing su/sudo every time they want to change the configuration, so they are likely to just log in at sysadm_r. By making it easier for them to do this with sudo, they might maintain better security.

The code seems to work except that I am hitting a policy error. Basically I don't have a policy that allows /usr/bin/sudo to exec other applications. What do I need to change in policy to make this happen?

I am getting the following errors in /var/log/messages:
Apr 15 09:13:40 pxe kernel: avc: denied { setattr } for pid=2377 exe=/usr/bin/sudo path=/var/run/sudo/dwalsh/1 dev=03:02 ino=962189 scontext=dwalsh:user_r:user_su_t tcontext=dwalsh:object_r:var_run_t tclass=file
Apr 15 09:13:50 pxe kernel:
Apr 15 09:13:50 pxe kernel: avc: denied { transition } for pid=2378 exe=/usr/bin/sudo path=/usr/local/selinux/bin/id dev=03:02 ino=2316548 scontext=dwalsh:user_r:user_su_t tcontext=dwalsh:sysadm_r:sysadm_t tclass=process
Added the following line to policy/file_contexts/program/su.fc
/usr/bin/sudo system_u:object_r:su_exec_t
Also modified policy/domains/program/newrole.te
--- newrole.te~ 2003-03-06 18:13:25.000000000 -0500
+++ newrole.te 2003-04-14 16:26:10.000000000 -0400
@@ -27,7 +27,8 @@
can_exec(newrole_t, chkpwd_exec_t)
# Allow newrole_t to transition to user domains.
-domain_trans(newrole_t, shell_exec_t, userdomain)
+# domain_trans(newrole_t, shell_exec_t, userdomain)
+domain_trans(newrole_t,{ bin_t sbin_t exec_type }, userdomain)
domain_trans(newrole_t, ls_exec_t, userdomain)
# Use capabilities.
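Review bot: the hunk does not address the denials quoted in the message, which come from scontext user_su_t (sudo is labeled su_exec_t in su.fc, so it runs in the su domain), while the change only touches newrole_t; whatever rule is missing belongs to the domain that actually appears in the AVC records. Separately, replacing shell_exec_t with { bin_t sbin_t exec_type } lets newrole_t enter a user domain through any executable on the system rather than only a shell, which is a much larger surface than the stated goal needs; a dedicated domain for the sudo-like tool with an explicit target set would be easier to review. Style: the old `domain_trans(newrole_t, shell_exec_t, userdomain)` line should be deleted rather than left commented out, and `domain_trans(newrole_t,{ bin_t sbin_t exec_type }, userdomain)` is missing the space after the first comma that the surrounding lines use.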
[-- Attachment #2: sudo-1.6.6-4.src.rpm --]
[-- Type: application/x-rpm, Size: 344709 bytes --]
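The two `avc: denied` records above are the raw material a policy writer turns into allow rules (what audit2allow later automated). As an added example, not part of the original message or of the sudo or SELinux policy sources, here is a small parser for that 2003-era record format that aggregates denials into candidate rules and separately lists the domain transitions that should be reviewed by hand rather than granted wholesale, since a rule letting user_su_t transition into sysadm_t is exactly the role boundary the message is debating. The sample log is the message's own two records, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in the message, one record per line.
SAMPLE_LOG = """\
Apr 15 09:13:40 pxe kernel: avc: denied { setattr } for pid=2377 exe=/usr/bin/sudo path=/var/run/sudo/dwalsh/1 dev=03:02 ino=962189 scontext=dwalsh:user_r:user_su_t tcontext=dwalsh:object_r:var_run_t tclass=file
Apr 15 09:13:50 pxe kernel:
Apr 15 09:13:50 pxe kernel: avc: denied { transition } for pid=2378 exe=/usr/bin/sudo path=/usr/local/selinux/bin/id dev=03:02 ino=2316548 scontext=dwalsh:user_r:user_su_t tcontext=dwalsh:sysadm_r:sysadm_t tclass=process
"""

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    # Contexts are user:role:type; only the type matters for an allow rule.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def denials_to_rules(log_text):
    """Merge denials per (source type, target type, class) into allow rules."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]


def transition_rules(log_text):
    """Domain transitions an auto-generated rule would grant: review these by hand,
    because they cross the role separation the policy exists to enforce."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return sorted({(r["scontext"], r["tcontext"]) for r in recs
                   if r and r["tclass"] == "process" and "transition" in r["perms"]})


if __name__ == "__main__":
    print("\n".join(denials_to_rules(SAMPLE_LOG)))
    for src, dst in transition_rules(SAMPLE_LOG):
        print(f"REVIEW: {src} -> {dst}")
```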