mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00

Add support for SELinux RBAC. Sudoers entries may specify a role and type.

There are also role and type defaults that may be used.  To make sure a
transition occurs, commands are executed via the new sesh binary when
using RBAC.  Based on initial changes from Dan Walsh.
Todd C. Miller
2008-02-09 14:30:06 +00:00
parent 5d20923c2f
commit f2b70188b6
14 changed files with 858 additions and 277 deletions

13
parse.c

@@ -274,6 +274,13 @@ sudo_file_lookup(nss, validated, pwflag)
if (cmnd_match != UNSPEC) {
match = cmnd_match;
tags = &cs->tags;
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */
if (user_role == NULL)
user_role = cs->role ? estrdup(cs->role) : def_role;
if (user_type == NULL)
user_type = cs->type ? estrdup(cs->type) : def_type;
#endif /* HAVE_SELINUX */
goto matched2;
}
}
@@ -311,6 +318,12 @@ sudo_file_append_cmnd(cs, tags, lbuf)
{
struct member *m;
#ifdef HAVE_SELINUX
if (cs->role)
lbuf_append(lbuf, "ROLE=", cs->role, " ", NULL);
if (cs->type)
lbuf_append(lbuf, "TYPE=", cs->type, " ", NULL);
#endif /* HAVE_SELINUX */
if (TAG_CHANGED(setenv)) {
lbuf_append(lbuf, cs->tags.setenv ? "SETENV: " :
"NOSETENV: ", NULL);
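Review bot: In the first hunk (sudo_file_lookup), the sudoers entry's role and type are applied only while `user_role`/`user_type` are still NULL, so a value given on the command line takes precedence over `cs->role`/`cs->type` for the matched command. Nothing in the visible lines checks the command-line value against the entry, so if a per-entry ROLE/TYPE is meant to confine the command, this needs a check here; if the SELinux policy is what authorizes the transition, say so in the comment, e.g. `/* Command line role/type override sudoers; the SELinux policy decides whether the transition is allowed. */`. The same assignments leave `user_role` pointing either at an `estrdup()` copy or at `def_role` itself, so later code cannot tell whether it owns the string, and both values presumably stay NULL when no default is configured, which the consumer has to handle. Both functions start and end outside the hunks shown.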