How do I make sudo "trusted"?

Aleksey Nogin aleksey at nogin.org
Thu Mar 18 04:13:33 UTC 2004


On 15.03.2004 20:38, Daniel J Walsh wrote:

>>> sudo_t transitions to another domain upon executing shell_exec_t.  If 
>>> you execute a binary that's not of type shell_exec_t then that 
>>> doesn't work.
>>
>> Is there a reason for that? This is kind of unfortunate - one of the 
>> big advantages of sudo is that it logs everything and having to 
>> execute the shell first is kind of inconvenient. Can transition on an 
>> ordinary bin_t be added?
> 
> I have just modified sudo to exec
> $SHELL -c COMMAND when in SELinux mode.

This is indeed a big security hole - see 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118602

> This should cause the transitions to happen properly.

Nope.

audit(1079581466.332:0): avc:  denied  { transition } for  pid=3247 
exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 
scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t 
tclass=process

on calling
sudo -r system_r -t sysadm_t id

-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
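Reading the AVC record above, as an added example that is not part of the original thread and not code from sudo or the SELinux project: a small Python parser that takes an `avc: denied` record (wrapped across lines, as the archive shows it, or on one line), splits it into its permission set and key=value fields, and derives the type-enforcement rule whose absence produced the denial, which is what audit2allow would print for the same line. The function and class names (`parse_avc`, `AvcRecord`, `missing_allow_rule`, `explain`) are my own; the sample record is the one quoted in the message, re-joined onto one line. The role check in `explain` is a separate policy requirement (a process cannot move from staff_r to system_r without a role allow) and is not something this particular AVC record states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the AVC record quoted in the message above,
# as the kernel printed it but with the archive's line wraps joined.
SAMPLE_AVC = (
    "audit(1079581466.332:0): avc:  denied  { transition } for  pid=3247 "
    "exe=/usr/bin/sudo path=/bin/tcsh dev=hda2 ino=3662912 "
    "scontext=aleksey:staff_r:sudo_t tcontext=aleksey:system_r:sysadm_t "
    "tclass=process"
)

_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    decision: str            # "denied" or "granted"
    permissions: List[str]   # e.g. ["transition"]
    fields: Dict[str, str]   # pid, exe, path, scontext, tcontext, tclass, ...

    def _ctx_part(self, key: str, index: int) -> str:
        # A security context is user:role:type[:mls]; index 0/1/2 -> user/role/type.
        return self.fields[key].split(":")[index]

    @property
    def source_type(self) -> str:
        return self._ctx_part("scontext", 2)

    @property
    def target_type(self) -> str:
        return self._ctx_part("tcontext", 2)

    @property
    def source_role(self) -> str:
        return self._ctx_part("scontext", 1)

    @property
    def target_role(self) -> str:
        return self._ctx_part("tcontext", 1)


def parse_avc(text: str) -> Optional[AvcRecord]:
    """Parse one AVC record; a line-wrapped record is accepted by collapsing whitespace."""
    line = " ".join(text.split())
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(_KV_RE.findall(m.group(3)))
    # Every AVC record carries these three; anything without them is not one.
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return AvcRecord(m.group(1), m.group(2).split(), fields)


def missing_allow_rule(rec: AvcRecord) -> str:
    """The type-enforcement rule that would have permitted the denied access."""
    if len(rec.permissions) == 1:
        perms = rec.permissions[0]
    else:
        perms = "{ %s }" % " ".join(rec.permissions)
    return "allow %s %s:%s %s;" % (rec.source_type, rec.target_type,
                                   rec.fields["tclass"], perms)


def explain(rec: AvcRecord) -> List[str]:
    """Plain-language reading of the record, plus the role allow a domain
    transition into a different role also has to pass (separate from the TE rule)."""
    notes = []
    if rec.fields["tclass"] == "process" and "transition" in rec.permissions:
        notes.append("%s executed %s and asked to move from domain %s to %s; "
                     "the policy lacks: %s"
                     % (rec.fields.get("exe", "?"), rec.fields.get("path", "?"),
                        rec.source_type, rec.target_type, missing_allow_rule(rec)))
        if rec.source_role != rec.target_role:
            # Role change is checked independently of the type transition.
            notes.append("the role also changes %s -> %s, which additionally needs: "
                         "allow %s %s;" % (rec.source_role, rec.target_role,
                                           rec.source_role, rec.target_role))
    else:
        notes.append("%s %s on class %s (%s -> %s); the policy lacks: %s"
                     % (rec.decision, " ".join(rec.permissions), rec.fields["tclass"],
                        rec.source_type, rec.target_type, missing_allow_rule(rec)))
    return notes


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    for note in explain(record):
        print(note)
```

Run against the record from the message, the parser reports that /usr/bin/sudo executed /bin/tcsh asking for sudo_t -> sysadm_t and that the policy has no `allow sudo_t sysadm_t:process transition;`, which is exactly why the `-r system_r -t sysadm_t` request was refused regardless of whether sudo went through $SHELL first.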
