[sudo-workers] selinux and noexec
Todd C. Miller
Todd.Miller at courtesan.com
Fri Jan 27 08:33:46 EST 2012
On Thu, 26 Jan 2012 23:08:52 +0100, Arno Schuring wrote:
> Just one thing I noticed: why do you need to re-read sudo.conf in sesh?
> This could possibly be an issue, depending on when the selinux domain
> transition happens. If sesh already runs in the target context, then
> selinux might block access to the conffile. The code doesn't seem to
> fail on EACCESS (as I read it), so it will be fine and can be solved
> with a dontaudit selinux rule -- but I'm still curious :)
Reading sudo.conf also initializes the debug subsystem, which is
configured in sudo.conf (if at all). This may fail due to either
DAC or MAC permissions but as you say this is not a fatal error.
More information about the sudo-workers