isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Separate out the code to compute the context from selinux_setup().

Browse Source 
This makes it possible to determine whether we really need to execute
the command via the sesh helper.  What was left of selinux_setup()
is now selinux_relabel_tty() and selinux_audit_role_change().
This commit is contained in:
Todd C. Miller
2021-11-05 12:33:20 -06:00
parent a336a8422f
commit e97fb5fd0b
6 changed files with 61 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/sudo.c
View File

@@ -887,8 +887,19 @@ command_info_to_details(char * const info[], struct command_details *details)
/* Newer sudoers plugin sets selinux_rbac, older only sets role/type. */
if (selinux_rbac == -1)
selinux_rbac = details->selinux_role || details->selinux_type;
if (selinux_rbac && is_selinux_enabled() > 0)
SET(details->flags, CD_RBAC_ENABLED);
if (selinux_rbac && is_selinux_enabled() > 0) {
i = selinux_getexeccon(details->selinux_role, details->selinux_type);
switch (i) {
case 0:
SET(details->flags, CD_RBAC_ENABLED);
break;
case 1:
/* No role change needed. */
break;
default:
exit(EXIT_FAILURE);
}
}
#endif
debug_return;
}