Here is an updated selinux patch for sudo, potentially for rawhide. I have updated selinux policy to work with it. A lot of it was copied from newrole.

So now you can execute

    # grep dwalsh /etc/sudoers
    dwalsh ALL=(ALL) ALL
    $ id -Z
    staff_u:staff_r:staff_t:s0
    # sudo -r unconfined_r -t unconfined_t id -Z
    staff_u:unconfined_r:unconfined_t:s0
    # sudo -r webadm_r -t webadm_t id -Z
    staff_u:webadm_r:webadm_t:s0
    $ sudo -r unconfined_r -t unconfined_t sh
    # /usr/sbin/semanage user -l | grep staff_u
    staff_u    staff    s0    s0-s0:c0.c1023    system_r sysadm_r staff_r unconfined_r webadm_r
    $ sudo -r webadm_r -t webadm_t sh
    # /sbin/service httpd start
    Starting httpd:                                            [  OK  ]
    # ps -eZ | grep http
    staff_u:system_r:httpd_t:s0     11870 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11872 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11874 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11875 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11876 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11877 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11878 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11879 ?        00:00:00 httpd
    staff_u:system_r:httpd_t:s0     11880 ?        00:00:00 httpd
    # /sbin/service ntp start
    ntp: unrecognized service
    # touch /dan.html
    touch: cannot touch `/dan.html': Permission denied
    # touch /var/www/html/dan.html
    # ls
    # ls -lZ /var/www/html/dan.html
    -rw-r--r--+ root root staff_u:object_r:httpd_sys_content_t:s0 /var/www/html/dan.html

With this patch and the correct selinux policy (rawhide), I can do everything I want with sudo, for RBAC controls. The problem is the administrator needs to know the correct commands to enter to select the correct roles. I would rather put this in the sudoers file. So what would be the correct context to say that when dwalsh runs any app, the shell he starts is running webadm_r:webadm_t?

One controversial part of the sudo patch is the addition of a new shell, /usr/sbin/sesh. This shell is only there to make sure all transitions happen properly.
So the role/type selected apply to a shell and not to the command entered on the sudo line. This prevents the admin from executing sudo -r webadm_r -t webadm_t rpm -i ... and rpm running as webadm_t instead of doing a transition to rpm_t (if webadm_t has a transition to rpm_t). We could force this to always use /bin/bash, but there could be problems there. And not all shells work the same way, so potentially using the login shell could cause problems.
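As an added example that is not part of the original message or the sudo patch, the POSIX sh snippet below checks a ps -eZ style listing for processes that stayed in the sudo shell's role/type instead of transitioning into their own domain, which is the concern behind sesh above. The sample listing is constructed; on a live system the same function can be fed by ps -eZ directly.

```sh
#!/bin/sh
# Added example (not from the original message): verify that processes
# started from a role-confined sudo shell actually transitioned into their
# own domain (staff_u:system_r:httpd_t above) rather than staying in the
# caller's type, the "rpm running as webadm_t" concern.

# Extract a field from a SELinux context "user:role:type:level".
# Only fields 1-3 are safe to take this way: the MLS level itself may
# contain ':' (e.g. s0-s0:c0.c1023), so it is not split here.
ctx_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# Succeed when context $1 carries role $2 and type $3.
ctx_matches() {
    [ "$(ctx_field "$1" 2)" = "$2" ] && [ "$(ctx_field "$1" 3)" = "$3" ]
}

# Read ps -eZ style lines on stdin; print how many processes whose command
# name is $3 are NOT running as role $1 / type $2. The ps header line is
# skipped naturally because its command column ("CMD") never matches.
count_misplaced() {
    want_role=$1 want_type=$2 cmd=$3 n=0
    while read -r ctx _pid _tty _time comm; do
        [ "$comm" = "$cmd" ] || continue
        ctx_matches "$ctx" "$want_role" "$want_type" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample listing: two httpd workers transitioned correctly,
# one (pid 11871) is stuck in the webadm shell's own context.
SAMPLE_PS='staff_u:system_r:httpd_t:s0 11870 ? 00:00:00 httpd
staff_u:webadm_r:webadm_t:s0 11871 ? 00:00:00 httpd
staff_u:system_r:httpd_t:s0 11872 ? 00:00:00 httpd
staff_u:webadm_r:webadm_t:s0 11850 pts/1 00:00:00 sh'

# Wrapper over the constructed sample; on a live system use
# "ps -eZ | count_misplaced system_r httpd_t httpd" instead.
misplaced_httpd() {
    printf '%s\n' "$SAMPLE_PS" | count_misplaced system_r httpd_t httpd
}

echo "httpd processes not in system_r:httpd_t: $(misplaced_httpd)"   # prints 1
```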