diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index c19350604..6bd08d9c0 100644
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
 .\" Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "December 11, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "January 8, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3238,6 +3238,16 @@ when running a command or editing a file.
 This flag is
 \fIoff\fR
 by default.
+.if \n(SL \{\
+.TP 18n
+selinux
+If enabled, the user may specify an SELinux role and/or type to use
+when running the command, as permitted by the SELinux policy.
+If SELinux is disabled on the system, this flag has no effect.
+This flag is
+\fIon\fR
+by default.
+.\}
 .TP 18n
 set_home
 If enabled and
diff --git a/doc/sudoers.man.in.sed b/doc/sudoers.man.in.sed
index 32ee5600d..eca83a306 100644
--- a/doc/sudoers.man.in.sed
+++ b/doc/sudoers.man.in.sed
@@ -94,6 +94,14 @@ s/^\(.TH .*\)/.nr SL @SEMAN@\
 /^\.TP 18n\nprivs$/i\
 .if \\n(PS \\{\\
 /^\.TP 18n\nprivs$/!i\
+.\\}
+ }
+ }
+ /^\.TP 18n\nselinux$/,/^\.TP 18n/ {
+ /^\.TP 18n/ {
+ /^\.TP 18n\nselinux$/i\
+.if \\n(SL \\{\\
+ /^\.TP 18n\nselinux$/!i\
 .\\}
 }
 }
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index cb1b9ad97..c14855b49 100644
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2020
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2021
 .\" Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd December 11, 2020
+.Dd January 8, 2020
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3051,6 +3051,15 @@ when running a command or editing a file.
 This flag is
 .Em off
 by default.
+.if \n(SL \{\
+.It selinux
+If enabled, the user may specify an SELinux role and/or type to use
+when running the command, as permitted by the SELinux policy.
+If SELinux is disabled on the system, this flag has no effect.
+This flag is
+.Em on
+by default.
+.\}
 .It set_home
 If enabled and
 .Nm sudo
diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
index 7e4ec11fd..56cd22468 100644
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -569,6 +569,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 "log_format", T_TUPLE,
 N_("The format of logs to produce: %s"),
 def_data_log_format,
+ }, {
+ "selinux", T_FLAG,
+ N_("Enable SELinux RBAC support"),
+ NULL,
 }, {
 NULL, 0, NULL
 }
diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
index 3c6a66815..5c712b82f 100644
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -262,6 +262,8 @@
 #define def_runchroot (sudo_defs_table[I_RUNCHROOT].sd_un.str)
 #define I_LOG_FORMAT 130
 #define def_log_format (sudo_defs_table[I_LOG_FORMAT].sd_un.tuple)
+#define I_SELINUX 131
+#define def_selinux (sudo_defs_table[I_SELINUX].sd_un.flag)
 
 enum def_tuple {
 never,
diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
index 4f18d6a0d..e8162e833 100644
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -409,3 +409,6 @@ log_format
 T_TUPLE
 "The format of logs to produce: %s"
 sudo json
+selinux
+ T_FLAG
+ "Enable SELinux RBAC support"
diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index bfc265220..8bc48b798 100644
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -526,6 +526,9 @@ init_defaults(void)
 #else
 def_pam_session = true;
 #endif
+#ifdef HAVE_SELINUX
+ def_selinux = true;
+#endif
 #ifdef HAVE_INNETGR
 def_use_netgroups = true;
 #endif
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 6f1787f18..d4be26491 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -839,11 +839,11 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 }
 #endif /* HAVE_LOGIN_CAP_H */
 #ifdef HAVE_SELINUX
- if (user_role != NULL) {
+ if (def_selinux && user_role != NULL) {
 if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL)
 goto oom;
 }
- if (user_type != NULL) {
+ if (def_selinux && user_type != NULL) {
 if ((command_info[info_len++] = sudo_new_key_val("selinux_type", user_type)) == NULL)
 goto oom;
 }
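Review bot: The documented default ("on by default") is only true for builds with HAVE_SELINUX; on other builds `def_selinux` is never assigned here and presumably keeps the table's initial value, while the option itself is still accepted since def_data.in declares it unconditionally. That is harmless because the policy.c hunk only consults the flag inside its own `#ifdef HAVE_SELINUX`, but a reader of init_defaults will look for a second initialiser, so a one-line comment would help: `/* On by default only when built with SELinux; policy.c reads it only under HAVE_SELINUX. */`. init_defaults continues outside the hunk.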
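Review bot: With the `selinux` flag turned off, a role or type the user asked for is silently dropped rather than refused: the two gated blocks are the only place the `selinux_role`/`selinux_type` entries reach command_info, so a request made with `-r`/`-t` would run the command in the default context while the user believes it was confined. From a defender's point of view the request should be rejected (or at least logged) when `!def_selinux && (user_role != NULL || user_type != NULL)`, and that check belongs at policy-check time rather than in this result-storing function, which sits after the accept decision and continues outside the hunk. Where user_role and user_type are parsed is not visible here, so the exact placement needs confirming against the caller.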