[sudo-workers] selinux and noexec
aelschuring at hotmail.com
Thu Jan 26 17:08:52 EST 2012
Todd C. Miller (Todd.Miller at courtesan.com on 2012-01-25 15:05 -0500):
> I've adapted this for sudo trunk and merged it into the 1.8 branch
> for the upcoming 1.8.4 release (it will be in the next beta release).
> Can you check out the 1.8 branch and verify that it works correctly
> for you?
Tested on both selinux and non-selinux systems, current trunk appears
to work fine. I like how you changed the codepath to disable_execute,
your solution allows to keep it static.
Just one thing I noticed: why do you need to re-read sudo.conf in sesh?
This could possibly be an issue, depending on when the selinux domain
transition happens. If sesh already runs in the target context, then
selinux might block access to the conffile. The code doesn't seem to
fail on EACCESS (as I read it), so it will be fine and can be solved
with a dontaudit selinux rule -- but I'm still curious :)
Many thanks for your help,
More information about the sudo-workers