Use numeric registers to handle conditionals instead of trying

to do it all with text processing.

doc/sudoers.man.in

@@ -18,6 +18,10 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\" 
+.nr SL @SEMAN@
+.nr BA @BAMAN@
+.nr LC @LCMAN@
+.\"
 .\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
 .\"
 .\" Standard preamble:
@@ -144,7 +148,7 @@
 .\" ========================================================================
 .\"
 .IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "April  7, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -403,10 +407,15 @@ See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults par
 \& Cmnd_Spec_List ::= Cmnd_Spec |
 \&                    Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
 \&
-\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
 \&
 \& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
 \&
+.if \n(SL \{\
+\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
+\&
+\}
 \& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
 \&               \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq)
 .Ve
@@ -475,6 +484,15 @@ only the group will be set, the command still runs as user \fBtcm\fR.
 \& tcm    boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
 \&        /usr/local/bin/minicom
 .Ve
+.if \n(SL \{\
+.SS "SELinux_Spec"
+.IX Subsection "SELinux_Spec"
+On systems with SELinux support, \fIsudoers\fR entries may optionally have
+an SELinux role and/or type associated with a command.  If a role or
+type is specified with the command it will override any default values
+specified in \fIsudoers\fR.  A role or type specified on the command line,
+however, will supercede the values in \fIsudoers\fR.
+\}
 .SS "Tag_Spec"
 .IX Subsection "Tag_Spec"
 A command may have zero or more tags associated with it.  There are
@@ -979,11 +997,13 @@ umask in \fIsudoers\fR than the user's own umask and matches historical
 behavior.  If \fIumask_override\fR is not set, \fBsudo\fR will set the
 umask to be the union of the user's umask and what is specified in
 \&\fIsudoers\fR.  This flag is \fIoff\fR by default.
-@LCMAN@.IP "use_loginclass" 16
-@LCMAN@.IX Item "use_loginclass"
-@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
-@LCMAN@login class if one exists.  Only available if \fBsudo\fR is configured with
-@LCMAN@the \-\-with\-logincap option.  This flag is \fIoff\fR by default.
+.if \n(LC \{\
+.IP "use_loginclass" 16
+.IX Item "use_loginclass"
+If set, \fBsudo\fR will apply the defaults specified for the target user's
+login class if one exists.  Only available if \fBsudo\fR is configured with
+the \-\-with\-logincap option.  This flag is \fIoff\fR by default.
+\}
 .IP "visiblepw" 16
 .IX Item "visiblepw"
 By default, \fBsudo\fR will refuse to run if the user must enter a
@@ -1100,12 +1120,14 @@ two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW
 .Sp
 The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
 .RE
-@SEMAN@.IP "role" 16
-@SEMAN@.IX Item "role"
-@SEMAN@The default SELinux role to use when constructing a new security
-@SEMAN@context to run the command.  The default role may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "role" 16
+.IX Item "role"
+The default SELinux role to use when constructing a new security
+context to run the command.  The default role may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
 .IP "runas_default" 16
 .IX Item "runas_default"
 The default user to run commands as if the \fB\-u\fR option is not specified
@@ -1133,12 +1155,14 @@ The default is \fI@timedir@\fR.
 .IX Item "timestampowner"
 The owner of the timestamp directory and the timestamps stored therein.
 The default is \f(CW\*(C`root\*(C'\fR.
-@SEMAN@.IP "type" 16
-@SEMAN@.IX Item "type"
-@SEMAN@The default SELinux type to use when constructing a new security
-@SEMAN@context to run the command.  The default type may be overridden on
-@SEMAN@a per-command basis in \fIsudoers\fR or via command line options.
-@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
+.if \n(SL \{\
+.IP "type" 16
+.IX Item "type"
+The default SELinux type to use when constructing a new security
+context to run the command.  The default type may be overridden on
+a per-command basis in \fIsudoers\fR or via command line options.
+This option is only available whe \fBsudo\fR is built with SELinux support.
+\}
 .PP
 \&\fBStrings that can be used in a boolean context\fR:
 .IP "askpass" 12
@@ -1665,7 +1689,7 @@ editor, a safer approach is to give the user permission to run
 \&\fBsudoedit\fR.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(@mansectsu@)
 .SH "CAVEATS"
 .IX Header "CAVEATS"
 The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR