[sudo-workers] selinux and noexec

Arno Schuring aelschuring at hotmail.com
Tue Jan 24 20:20:36 EST 2012

Todd C. Miller (Todd.Miller at courtesan.com on 2012-01-24 13:29 -0500):
> On Mon, 23 Jan 2012 20:30:30 +0100, Arno Schuring wrote:
> > Would anyone be interested in making NOEXEC work across SELinux
> > domain changes? I wrote a patch for the current version in Debian
> > that appears to work for me and I'd be willing to adapt it for
> > upstream. However, I'm unfamiliar with Mercurial so I'd appreciate
> > some pointers for that.
> This sounds like a useful change.  I have some basic instructions
> on using Mercurial at http://www.sudo.ws/hg.html

Great, and thanks for the link.

> > Basically, all the patch does is factor out disable_execute() into
> > its own file and link it into sesh. However, that also pulls in
> > libcommon for memory and error handling, and that in turn requires
> > sesh to provide its own cleanup() version.
> If it is easier you can just send me the patch and I can adapt it
> for the upcoming sudo 1.8.4 release.

I'll send you the patch off-list, but "it doesn't apply cleanly" would
be an understatement. Not only have parts of the code being moved been
modified in the meantime, but sudo_conv has also been introduced and
that needs to be declared in sesh as well.

So if it's all the same to you, I'll patchbomb the list tomorrow, or do
you prefer 6 attachments to 1 message?
