Can't use intercept or log_subcmds with SELinux RBAC.

SELinux policy will prevent the inherited socket from sudo from
being used and may also restrict the ability to connect back to the
sudo process.
Todd C. Miller
2021-09-01 11:09:17 -06:00
parent 242e4d070f
commit f40afd73fe
3 changed files with 28 additions and 4 deletions


@@ -227,6 +227,16 @@ apply_cmndspec(struct cmndspec *cs)
"user_type -> %s", user_type);
}
}
if (user_role != NULL || user_type != NULL) {
if (def_intercept) {
sudo_warnx(U_("SELinux RBAC is not supported when intercept mode is enabled"));
debug_return_bool(false);
}
if (def_log_subcmds) {
sudo_warnx(U_("SELinux RBAC is not supported when the log_subcmds flag is enabled"));
debug_return_bool(false);
}
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
/* Set Solaris privilege sets */
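Review bot: The new guard in the `HAVE_SELINUX` block reads `def_intercept` and `def_log_subcmds` right after the role and type are resolved, so it only sees the values those flags hold at that point. If a later part of apply_cmndspec (not visible in this hunk) applies per-command tags to either flag, a rule that combines a role or type with an intercept or log_subcmds tag would pass this check, and the command would presumably run without the interception or sub-command logging the policy asked for. It is worth confirming the ordering, or moving the guard to after the tags are applied. A short comment giving the reason would also help, for example `/* SELinux policy blocks the socket inherited from sudo; refuse rather than run without intercept/log_subcmds. */`. apply_cmndspec begins and ends outside the hunk.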