From: Daniel J Walsh <dwalsh@redhat.com>
To: selinux@tycho.nsa.gov
Cc: Russell Coker <russell@coker.com.au>
Subject: Re: SELinux version of sudo
Date: Wed, 16 Apr 2003 06:33:07 -0400
Message-ID: <3E9D3163.9040807@redhat.com>
In-Reply-To: <200304161408.06042.russell@coker.com.au>

Russell Coker wrote:

>On Wed, 16 Apr 2003 03:33, Stephen Smalley wrote:
>
>>The idea of merging su and newrole has been suggested on the list
>>previously; please be sure that you have read the earlier discussions
>>and are aware of the potential risks, e.g. see the thread starting at
>>http://marc.theaimsgroup.com/?l=selinux&m=102643997004008&w=2, so that
>>you can avoid common pitfalls.
>
>That thread did not entirely convince me not to do it, but did convince me
>that it would take much consideration and testing, and that there were
>more important things to spend time on.
>
>Another potential solution to this issue is to allow the administrators in 
>question to ssh into an account with UID=0 and then they only need to use 
>newrole to get all the privs they need.
>
>
>>via allow rules.  It isn't clear that you should be using the existing
>>$1_su_t domain for this purpose, unless you are also patching su to
>>provide this functionality and to ensure that it does not allow
>
>I agree.  The $1_su_t domain only makes sense when you are limiting the 
>transitions to a certain set of domains.  If you grant the su/sudo program 
>privrole access then there is no benefit in having more than one domain in 
>the way it is currently done.
>
>Maybe we should work from the other direction and consider adding setuid() 
>support to newrole?

I like the idea of combining DAC with MAC using sudo rather than
su/newrole.  This would allow an administrator to allow other people to
run functions that require greater access to the system without them
having to have the root password.  I.e., you could allow someone to
manage the printers database without having to become root.  Doing all
MAC becomes too cumbersome for this type of thing.
