Pass status of selinux sudoers setting to front-end as selinux-rbac.

The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.

plugins/sudoers/policy.c

@@ -632,7 +632,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
     }
 
     /* Increase the length of command_info as needed, it is *not* checked. */
-    command_info = calloc(57, sizeof(char *));
+    command_info = calloc(58, sizeof(char *));
     if (command_info == NULL)
 	goto oom;
 
@@ -897,6 +897,9 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
     }
 #endif /* HAVE_LOGIN_CAP_H */
 #ifdef HAVE_SELINUX
+    if (asprintf(&command_info[info_len++], "selinux_rbac=%s",
+	    def_selinux ? "true" : "false") == -1)
+	goto oom;
     if (def_selinux && user_role != NULL) {
 	if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL)
 	    goto oom;

src/selinux.c

@@ -309,28 +309,13 @@ bad:
  * specified role and type.
  */
 static char *
-get_exec_context(char * old_context, const char *role, const char *type)
+get_exec_context(char *old_context, const char *role, const char *type)
 {
-    char * new_context = NULL;
+    char *rolebuf = NULL, *typebuf = NULL;
+    char *new_context = NULL;
     context_t context = NULL;
-    char *typebuf = NULL;
     debug_decl(get_exec_context, SUDO_DEBUG_SELINUX);
 
-    /* We must have a role, the type is optional (we can use the default). */
-    if (role == NULL) {
-	sudo_warnx(U_("you must specify a role for type %s"), type);
-	errno = EINVAL;
-	goto bad;
-    }
-    if (type == NULL) {
-	if (get_default_type(role, &typebuf)) {
-	    sudo_warnx(U_("unable to get default type for role %s"), role);
-	    errno = EINVAL;
-	    goto bad;
-	}
-	type = typebuf;
-    }
-    
     /*
      * Expand old_context into a context_t so that we can extract and modify
      * its components easily.
@@ -340,6 +325,22 @@ get_exec_context(char * old_context, const char *role, const char *type)
 	goto bad;
     }
 
+    if (role == NULL) {
+	/* TODO: if role is unconfined_r and type is NULL, disable SELinux */
+	rolebuf = strdup(context_role_get(context));
+	if (rolebuf == NULL)
+	    goto bad;
+	role = rolebuf;
+    }
+    if (type == NULL) {
+	if (get_default_type(role, &typebuf)) {
+	    sudo_warnx(U_("unable to get default type for role %s"), role);
+	    errno = EINVAL;
+	    goto bad;
+	}
+	type = typebuf;
+    }
+
     /*
      * Replace the role and type in "context" with the role and
      * type we will be running the command as.
@@ -370,6 +371,7 @@ get_exec_context(char * old_context, const char *role, const char *type)
     debug_return_str(new_context);
 
 bad:
+    free(rolebuf);
     free(typebuf);
     context_free(context);
     freecon(new_context);

src/sudo.c

@@ -647,7 +647,7 @@ bad:
 static void
 command_info_to_details(char * const info[], struct command_details *details)
 {
-    int i;
+    int i, selinux_rbac = -1;
     id_t id;
     char *cp;
     const char *errstr;
@@ -822,6 +822,14 @@ command_info_to_details(char * const info[], struct command_details *details)
 		SET_STRING("runas_user=", runas_user)
 		break;
 	    case 's':
+		if (strncmp("selinux_rbac=", info[i], sizeof("selinux_rbac=") - 1) == 0) {
+		    selinux_rbac = sudo_strtobool(info[i] + sizeof("selinux_rbac=") - 1);
+		    if (selinux_rbac == -1) {
+			sudo_debug_printf(SUDO_DEBUG_ERROR,
+			    "invalid boolean value for %s", info[i]);
+		    }
+		    break;
+		}
 		SET_STRING("selinux_role=", selinux_role)
 		SET_STRING("selinux_type=", selinux_type)
 		SET_FLAG("set_utmp=", CD_SET_UTMP)
@@ -876,7 +884,10 @@ command_info_to_details(char * const info[], struct command_details *details)
 	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 
 #ifdef HAVE_SELINUX
-    if (details->selinux_role != NULL && is_selinux_enabled() > 0)
+    /* Newer sudoers plugin sets selinux_rbac, older only sets role/type. */
+    if (selinux_rbac == -1)
+	selinux_rbac = details->selinux_role || details->selinux_type;
+    if (selinux_rbac && is_selinux_enabled() > 0)
 	SET(details->flags, CD_RBAC_ENABLED);
 #endif
     debug_return;