On Fri, 12 Mar 2004 17:39, Aleksey Nogin aleksey@nogin.org wrote:
In order to have sudo safely change the SELinux user identity (to root), you would need another mechanism for specifying what roles/domains are permitted to the calling user, e.g. new fields in /etc/sudoers.
That would be the best solution IMHO. Should I file a Bugzilla RFE?
Good idea. If you would like to contribute some code then that would be appreciated, the people doing SE Linux coding are all fairly busy at the moment...
But there's always sudo su -
I wish it was that easy...
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
sudo_t transitions to another domain upon executing shell_exec_t. If you execute a binary that's not of type shell_exec_t then that doesn't work.
The following may work: sudo sh -c "su -"
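To make the two AVC records quoted above easier to read, here is an added example (not part of the thread or of any SELinux tool) that parses kernel AVC audit lines into their fields and correlates the execute/entrypoint pair that a single refused exec() leaves behind. The sample input is the pair of denials from the message above; the regular expression, the field names it extracts (pid, exe, name/path, scontext, tcontext, tclass) and the wording of the explanations are this example's own assumptions about the record format, not anything the thread specifies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two AVC denials quoted in the thread, reproduced verbatim.
SAMPLE_AUDIT = """\
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
"""

# Assumed record shape: audit(<secs>.<ms>:<serial>): avc: denied { perm ... } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*(?P<verdict>denied|granted)\s*"
    r"\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<fields>.*)$"
)


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: List[str]
    fields: Dict[str, str]

    @property
    def source_type(self) -> str:
        # scontext is user:role:type; the type is what policy rules are written against.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one AVC line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    # Values here are plain tokens; real audit logs may hex-encode or quote names.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return AvcRecord(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        verdict=m.group("verdict"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def explain(rec: AvcRecord) -> str:
    """One-line reading of a single denial on a file object."""
    target = rec.fields.get("name") or rec.fields.get("path") or "?"
    if rec.fields.get("tclass") == "file" and "execute" in rec.perms:
        return (f"{rec.source_type} may not execute files of type {rec.target_type} "
                f"({rec.fields.get('exe', '?')} tried to run {target})")
    if rec.fields.get("tclass") == "file" and "entrypoint" in rec.perms:
        return (f"{rec.target_type} is not an allowed entrypoint for domain "
                f"{rec.source_type}, so the exec of {target} cannot complete")
    return f"{rec.source_type} denied {' '.join(rec.perms)} on {rec.target_type} ({rec.fields.get('tclass')})"


def diagnose_exec(records: List[AvcRecord]) -> List[str]:
    """Correlate execute/entrypoint denials from the same pid on the same file type.

    The execute record carries the calling domain as scontext; the entrypoint record
    carries the domain the new process would have run in. Seeing both for one pid
    means the exec was refused end to end, which is the situation described in the
    thread for sudo_t running su (su_exec_t) instead of a shell (shell_exec_t).
    """
    by_pid: Dict[str, List[AvcRecord]] = {}
    for r in records:
        by_pid.setdefault(r.fields.get("pid", "?"), []).append(r)
    findings = []
    for pid, group in by_pid.items():
        execs = [r for r in group if "execute" in r.perms]
        entries = [r for r in group if "entrypoint" in r.perms]
        for e in execs:
            for n in entries:
                if e.target_type == n.target_type:
                    findings.append(
                        f"pid {pid}: {e.source_type} exec of a {e.target_type} file refused; "
                        f"{n.source_type} may not be entered through {e.target_type}"
                    )
    return findings


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT)
    for r in recs:
        print(explain(r))
    for f in diagnose_exec(recs):
        print(f)
```

Run stand-alone it prints one explanation per denial followed by the correlated finding for pid 20828, which restates in plain words what the thread concludes: sudo_t only transitions when it executes shell_exec_t, so an exec of su_exec_t is refused at both the execute and the entrypoint check.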