Re: SUDO package

[Daniel J Walsh <dwalsh@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 2562 bytes --]

Stephen Smalley wrote:

>On Wed, 2003-04-30 at 11:42, Daniel J Walsh wrote:
>  
>
>>I have a hard time with the previous two.  Just seems to me SELinux
>>needs some sort
>>of dontallow functionality to handle these situation.  Otherwise every
>>time I add a policy 
>>that has a somewhat global effect on files/dir, I need to change the
>>all the file/directory attributes 
>>in the policy.  Has this been discussed previously?
>>    
>>
>
>True.  The problem is more severe for exec_type than for the directory
>access; IMHO, it isn't too much to ask you to enumerate the major
>directory types in which binaries to be executed by sudo might live, and
>most (all?) of those types should be part of the basic policy
>definition, not package-specific, e.g. bin_t, sbin_t, etc.  You don't
>even need to define an attribute for that purpose; you can just list
>them in your allow rule, or pull them from a macro definition added to
>the global macros.
>  
>
I am still not sure I can do this.  Are you are stating that I would 
have to have an allow rule for
each *exec_t?  Just searching domains/programs I found  > 100 of these 
in the default policy.  
Maybe we are at odds with what sudo can do.  I consider sudo to be a 
shortcut from doing
su,newrole,COMMAND.  So sudo needs all the rights that su/newrole has 
for a particular role.  
Now you might be against this because of the security ramifications, 
which is ok.  But if users
are going to use a SELinux system they are going to expect this behaviour.

>  
>
>>This is a problem since with Sudo you are sharing the same terminal
>>between the process that rand sudo
>>and the sudo process.  So if you change the privs of the terminal one
>>process or the other could have 
>>more privs.  I would prefer to leave the terminal with the current
>>privs (Usually lower) and make the 
>>application run by sudo change the terminal privs if it has to. 
>>(probably seldom).  Any other ideas?
>>    
>>
>
>I'm not clear as to why you can't implement something akin to what
>newrole does.  Otherwise, what prevents another process of lower
>privilege from arbitrarily accessing the privileged process' terminal?
>You can't rely on the DAC protections.
>
>  
>
Ok I just went back and read the code again and it looks like I can 
implement the terminal stuff.
There is a -b option on the sudo command that allows sudo to run in 
background.  Or using job
control you could run the command in background.

sudo -r sysadm_r /usr/bin/PROGRAM &

So what happens to control over the terminal in this situation?

Dan


[-- Attachment #2: Type: text/html, Size: 3171 bytes --]