From: Daniel J Walsh <dwalsh@redhat.com>
To: Todd Miller <Tmiller@tresys.com>, SE Linux <selinux@tycho.nsa.gov>
Subject: Not that anyone would ever run in permissive mode but...
Date: Fri, 22 Feb 2008 14:13:01 -0500
Message-ID: <47BF1EBD.6050603@redhat.com>
This patch is needed for sudo.
Also added setkeycreatecon, although this will not work the way the code
is currently.
PAM activity should probably be happening after setkeycreatecon and
setexeccon.
But I am not sure how pam_keyinit should work here anyway.
Currently you lose access to your keying material when you su or sudo.
These things will not be labeled correctly as currently used.
[-- Attachment #2: sudo-1.6.9p13-selinux.patch --]
[-- Type: text/plain, Size: 741 bytes --]
diff -up sudo-1.6.9p13/selinux.c.selinux sudo-1.6.9p13/selinux.c
--- sudo-1.6.9p13/selinux.c.selinux 2008-02-20 12:00:48.000000000 -0500
+++ sudo-1.6.9p13/selinux.c 2008-02-22 13:34:08.000000000 -0500
@@ -314,9 +314,19 @@ selinux_exec(char *role, char *type, cha
if (setexeccon(new_context)) {
warn("unable to set exec context to %s", new_context);
- goto error;
+ if (security_getenforce() == 1) {
+ goto error;
+ }
}
+ if (setkeycreatecon(new_context)) {
+ warn("Error! Unable to set key creation context to %s",
+ new_context);
+ if (security_getenforce() == 1) {
+ goto error;
+ }
+ }
+
#ifdef WITH_AUDIT
if (send_audit_message(1, old_context, new_context, user_ttypath))
goto error;
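Review bot: the two new `if (security_getenforce() == 1)` tests treat a failed mode query the same as permissive mode. security_getenforce() returns -1 when it cannot read the enforcing state (for example when selinuxfs is not mounted or readable), and with `== 1` that case skips `goto error` and continues past a setexeccon()/setkeycreatecon() failure exactly as if the system were permissive. Since the intent is to continue only when the system is known to be permissive, `if (security_getenforce() != 0)` (or querying once into a local such as `enforcing` and testing it in both branches, which also avoids the second call) makes an unknown state fail closed. Minor: the new message `"Error! Unable to set key creation context to %s"` does not match the lowercase `"unable to set exec context to %s"` wording of the existing warning a few lines above; dropping the `Error!` prefix keeps the two consistent.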
Thread overview: 3+ messages
2008-02-22 19:13 Daniel J Walsh [this message]
2008-02-22 20:39 ` Not that anyone would ever run in permissive mode but Todd Miller
2008-02-22 20:45 ` Daniel J Walsh