Back out changes to enable SELinux by default.
This may return in a future release in a different form.
This commit is contained in:
Todd C. Miller
6
NEWS
6
NEWS
@@ -59,12 +59,6 @@ What's new in Sudo 1.9.9
|
||||
in Generalized Time format. This affected the NOTBEFORE and
|
||||
NOTAFTER options in sudoers. Bug #1006
|
||||
|
||||
* On systems where SELinux is enabled and sudo is built with SELinux
|
||||
support, if the user's role is not "unconfined_r" sudo will always
|
||||
execute commands via the "sesh" helper program. Previously, commands
|
||||
were only executed via "sesh" if a role was specified in the sudoers
|
||||
file rule or by the user on the command line.
|
||||
|
||||
* Added the -O and -P options to visudo, which can be used to check
|
||||
or set the owner and permissions. This can be used in conjunction
|
||||
with the -c option to check that the sudoers file ownership and
|
||||
|
||||
@@ -3,13 +3,6 @@ Notes on upgrading from an older release
|
||||
|
||||
* Upgrading from a version prior to 1.9.9:
|
||||
|
||||
On systems where SELinux is enabled and sudo is built with
|
||||
SELinux support, if the user's role is not "unconfined_r" sudo
|
||||
will always execute commands via the "sesh" helper program.
|
||||
Previously, commands were only executed via "sesh" if a role
|
||||
was specified in the sudoers file rule or by the user on the
|
||||
command line.
|
||||
|
||||
Sudo now runs commands with the core limit resource limit set
|
||||
to 0 by default. While most operating systems restrict core
|
||||
dumps of set-user-ID programs like sudo, this protection is
|
||||
|
||||
@@ -632,7 +632,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
|
||||
}
|
||||
|
||||
/* Increase the length of command_info as needed, it is *not* checked. */
|
||||
command_info = calloc(69, sizeof(char *));
|
||||
command_info = calloc(68, sizeof(char *));
|
||||
if (command_info == NULL)
|
||||
goto oom;
|
||||
|
||||
@@ -941,9 +941,6 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
|
||||
}
|
||||
#endif /* HAVE_LOGIN_CAP_H */
|
||||
#ifdef HAVE_SELINUX
|
||||
if (asprintf(&command_info[info_len++], "selinux_rbac=%s",
|
||||
def_selinux ? "true" : "false") == -1)
|
||||
goto oom;
|
||||
if (def_selinux && user_role != NULL) {
|
||||
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", user_role)) == NULL)
|
||||
goto oom;
|
||||
|
||||
@@ -308,37 +308,21 @@ bad:
|
||||
/*
|
||||
* Determine the new security context based on the old context and the
|
||||
* specified role and type.
|
||||
* Returns 0 on success, 1 if SELinux is not needed, and -1 on failure.
|
||||
* Returns 0 on success, and -1 on failure.
|
||||
*/
|
||||
static int
|
||||
get_exec_context(const char *role, const char *type)
|
||||
{
|
||||
char *rolebuf = NULL, *typebuf = NULL;
|
||||
char *new_context = NULL;
|
||||
context_t context = NULL;
|
||||
char *typebuf = NULL;
|
||||
int ret = -1;
|
||||
debug_decl(get_exec_context, SUDO_DEBUG_SELINUX);
|
||||
|
||||
/*
|
||||
* Expand old_context into a context_t so that we can extract and modify
|
||||
* its components easily.
|
||||
*/
|
||||
if ((context = context_new(se_state.old_context)) == NULL) {
|
||||
sudo_warn("%s", U_("failed to get new context"));
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (role == NULL) {
|
||||
rolebuf = strdup(context_role_get(context));
|
||||
if (rolebuf == NULL)
|
||||
goto done;
|
||||
role = rolebuf;
|
||||
|
||||
/* Skip SELinux role change for unconfined_r. */
|
||||
if (strcmp(rolebuf, "unconfined_r") == 0 && type == NULL) {
|
||||
ret = 1;
|
||||
goto done;
|
||||
}
|
||||
sudo_warnx(U_("you must specify a role for type %s"), type);
|
||||
errno = EINVAL;
|
||||
goto done;
|
||||
}
|
||||
if (type == NULL) {
|
||||
if (get_default_type(role, &typebuf)) {
|
||||
@@ -349,6 +333,15 @@ get_exec_context(const char *role, const char *type)
|
||||
type = typebuf;
|
||||
}
|
||||
|
||||
/*
|
||||
* Expand old_context into a context_t so that we can extract and modify
|
||||
* its components easily.
|
||||
*/
|
||||
if ((context = context_new(se_state.old_context)) == NULL) {
|
||||
sudo_warn("%s", U_("failed to get new context"));
|
||||
goto done;
|
||||
}
|
||||
|
||||
/*
|
||||
* Replace the role and type in "context" with the role and
|
||||
* type we will be running the command as.
|
||||
@@ -380,7 +373,6 @@ get_exec_context(const char *role, const char *type)
|
||||
ret = 0;
|
||||
|
||||
done:
|
||||
free(rolebuf);
|
||||
free(typebuf);
|
||||
context_free(context);
|
||||
freecon(new_context);
|
||||
@@ -389,7 +381,7 @@ done:
|
||||
|
||||
/*
|
||||
* Determine the exec and tty contexts the command will run in.
|
||||
* Returns 0 on success, 1 if SELinux is not needed, and -1 on failure.
|
||||
* Returns 0 on success and -1 on failure.
|
||||
*/
|
||||
int
|
||||
selinux_getexeccon(const char *role, const char *type)
|
||||
@@ -412,20 +404,13 @@ selinux_getexeccon(const char *role, const char *type)
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: old context %s", __func__,
|
||||
se_state.old_context);
|
||||
ret = get_exec_context(role, type);
|
||||
switch (ret) {
|
||||
case 0:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__,
|
||||
se_state.new_context);
|
||||
break;
|
||||
case 1:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: no context change required",
|
||||
__func__);
|
||||
break;
|
||||
default:
|
||||
if (ret == -1) {
|
||||
/* Audit role change failure (success is logged later). */
|
||||
selinux_audit_role_change();
|
||||
break;
|
||||
goto done;
|
||||
}
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: new context %s", __func__,
|
||||
se_state.new_context);
|
||||
|
||||
done:
|
||||
debug_return_int(ret);
|
||||
|
||||
26
src/sudo.c
26
src/sudo.c
@@ -647,7 +647,7 @@ bad:
|
||||
static void
|
||||
command_info_to_details(char * const info[], struct command_details *details)
|
||||
{
|
||||
int i, selinux_rbac = -1;
|
||||
int i;
|
||||
id_t id;
|
||||
char *cp;
|
||||
const char *errstr;
|
||||
@@ -826,14 +826,6 @@ command_info_to_details(char * const info[], struct command_details *details)
|
||||
SET_STRING("runas_user=", runas_user)
|
||||
break;
|
||||
case 's':
|
||||
if (strncmp("selinux_rbac=", info[i], sizeof("selinux_rbac=") - 1) == 0) {
|
||||
selinux_rbac = sudo_strtobool(info[i] + sizeof("selinux_rbac=") - 1);
|
||||
if (selinux_rbac == -1) {
|
||||
sudo_debug_printf(SUDO_DEBUG_ERROR,
|
||||
"invalid boolean value for %s", info[i]);
|
||||
}
|
||||
break;
|
||||
}
|
||||
SET_STRING("selinux_role=", selinux_role)
|
||||
SET_STRING("selinux_type=", selinux_type)
|
||||
SET_FLAG("set_utmp=", CD_SET_UTMP)
|
||||
@@ -888,21 +880,11 @@ command_info_to_details(char * const info[], struct command_details *details)
|
||||
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
/* Newer sudoers plugin sets selinux_rbac, older only sets role/type. */
|
||||
if (selinux_rbac == -1)
|
||||
selinux_rbac = details->selinux_role || details->selinux_type;
|
||||
if (selinux_rbac && is_selinux_enabled() > 0) {
|
||||
if (details->selinux_role != NULL && is_selinux_enabled() > 0) {
|
||||
SET(details->flags, CD_RBAC_ENABLED);
|
||||
i = selinux_getexeccon(details->selinux_role, details->selinux_type);
|
||||
switch (i) {
|
||||
case 0:
|
||||
SET(details->flags, CD_RBAC_ENABLED);
|
||||
break;
|
||||
case 1:
|
||||
/* No role change needed. */
|
||||
break;
|
||||
default:
|
||||
if (i != 0)
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
debug_return;
|
||||
|
||||
Reference in New Issue
Block a user