Allow SELinux support to be disabled via the sudoers file.

Defaults to true if sudo is built with SELinux support and SELinux
is not disabled on the system.

doc/sudoers.man.in

@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "December 11, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "January 8, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3238,6 +3238,16 @@ when running a command or editing a file.
 This flag is
 \fIoff\fR
 by default.
+.if \n(SL \{\
+.TP 18n
+selinux
+If enabled, the user may specify an SELinux role and/or type to use
+when running the command, as permitted by the SELinux policy.
+If SELinux is disabled on the system, this flag has no effect.
+This flag is
+\fIon\fR
+by default.
+.\}
 .TP 18n
 set_home
 If enabled and

doc/sudoers.man.in.sed

@@ -94,6 +94,14 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\
 		/^\.TP 18n\nprivs$/i\
 .if \\n(PS \\{\\
 		/^\.TP 18n\nprivs$/!i\
+.\\}
+	    }
+	}
+	/^\.TP 18n\nselinux$/,/^\.TP 18n/ {
+	    /^\.TP 18n/ {
+		/^\.TP 18n\nselinux$/i\
+.if \\n(SL \\{\\
+		/^\.TP 18n\nselinux$/!i\
 .\\}
 	    }
 	}

doc/sudoers.mdoc.in

@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
 .\"	Todd C. Miller <Todd.Miller@sudo.ws>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd December 11, 2020
+.Dd January 8, 2020
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3051,6 +3051,15 @@ when running a command or editing a file.
 This flag is
 .Em off
 by default.
+.if \n(SL \{\
+.It selinux
+If enabled, the user may specify an SELinux role and/or type to use
+when running the command, as permitted by the SELinux policy.
+If SELinux is disabled on the system, this flag has no effect.
+This flag is
+.Em on
+by default.
+.\}
 .It set_home
 If enabled and
 .Nm sudo

plugins/sudoers/def_data.c

@@ -569,6 +569,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"log_format", T_TUPLE,
 	N_("The format of logs to produce: %s"),
 	def_data_log_format,
+    }, {
+	"selinux", T_FLAG,
+	N_("Enable SELinux RBAC support"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -262,6 +262,8 @@
 #define def_runchroot           (sudo_defs_table[I_RUNCHROOT].sd_un.str)
 #define I_LOG_FORMAT            130
 #define def_log_format          (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
+#define I_SELINUX               131
+#define def_selinux             (sudo_defs_table[I_SELINUX].sd_un.flag)
 
 enum def_tuple {
     never,

plugins/sudoers/def_data.in

@@ -409,3 +409,6 @@ log_format
 	T_TUPLE
 	"The format of logs to produce: %s"
 	sudo json
+selinux
+	T_FLAG
+	"Enable SELinux RBAC support"

plugins/sudoers/defaults.c

@@ -526,6 +526,9 @@ init_defaults(void)
 #else
     def_pam_session = true;
 #endif
+#ifdef HAVE_SELINUX
+    def_selinux = true;
+#endif
 #ifdef HAVE_INNETGR
     def_use_netgroups = true;
 #endif

plugins/sudoers/policy.c

@@ -839,11 +839,11 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
     }
 #endif /* HAVE_LOGIN_CAP_H */
 #ifdef HAVE_SELINUX
-    if (user_role != NULL) {
+    if (def_selinux && user_role != NULL) {
 	if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL)
 	    goto oom;
     }
-    if (user_type != NULL) {
+    if (def_selinux && user_type != NULL) {
 	if ((command_info[info_len++] = sudo_new_key_val("selinux_type", user_type)) == NULL)
 	    goto oom;
     }