Back out changes to enable SELinux by default.

This may return in a future release in a different form.
2021-12-22 11:13:22 -07:00
parent 0ed92e6165
commit e22cc72530
5 changed files with 24 additions and 73 deletions
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -647,7 +647,7 @@ bad:
 static void
 command_info_to_details(char * const info[], struct command_details *details)
 {
-    int i, selinux_rbac = -1;
+    int i;
    id_t id;
    char *cp;
    const char *errstr;
@@ -826,14 +826,6 @@ command_info_to_details(char * const info[], struct command_details *details)
 		SET_STRING("runas_user=", runas_user)
 		break;
 	    case 's':
-		if (strncmp("selinux_rbac=", info[i], sizeof("selinux_rbac=") - 1) == 0) {
-		    selinux_rbac = sudo_strtobool(info[i] + sizeof("selinux_rbac=") - 1);
-		    if (selinux_rbac == -1) {
-			sudo_debug_printf(SUDO_DEBUG_ERROR,
-			    "invalid boolean value for %s", info[i]);
-		    }
-		    break;
-		}
 		SET_STRING("selinux_role=", selinux_role)
 		SET_STRING("selinux_type=", selinux_type)
 		SET_FLAG("set_utmp=", CD_SET_UTMP)
@@ -888,21 +880,11 @@ command_info_to_details(char * const info[], struct command_details *details)
 	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));

 #ifdef HAVE_SELINUX
-    /* Newer sudoers plugin sets selinux_rbac, older only sets role/type. */
-    if (selinux_rbac == -1)
-	selinux_rbac = details->selinux_role || details->selinux_type;
-    if (selinux_rbac && is_selinux_enabled() > 0) {
+    if (details->selinux_role != NULL && is_selinux_enabled() > 0) {
+	SET(details->flags, CD_RBAC_ENABLED);
 	i = selinux_getexeccon(details->selinux_role, details->selinux_type);
-	switch (i) {
-	case 0:
-	    SET(details->flags, CD_RBAC_ENABLED);
-	    break;
-	case 1:
-	    /* No role change needed. */
-	    break;
-	default:
+	if (i != 0)
 	    exit(EXIT_FAILURE);
-	}
    }
 #endif
    debug_return;