Can't use intercept or log_subcmds with SELinux RBAC.

SELinux policy will prevent the inherited socket from sudo from being used and may also restrict the ability to connect back to the sudo process.
2021-09-01 11:09:17 -06:00
parent 242e4d070f
commit f40afd73fe
3 changed files with 28 additions and 4 deletions
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "August 20, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "September 1, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -6330,8 +6330,10 @@ Currently,
 \fBsudo\fR's
 \fIintercept\fR
 functionality only works for programs that use the
+\fBexecv\fR()
+and
 \fBexecve\fR()
-system call to run the new command.
+library functions to run the new command.
 This may be expanded in a future release of
 \fBsudo\fR.
 Because most dynamic loaders ignore
@@ -6353,6 +6355,11 @@ Check your operating system's manual pages for the dynamic linker
 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
 \fRLD_PRELOAD\fR
 is supported.
+It is
+\fInot\fR
+supported when
+\fBsudo\fR's
+SELinux RBAC support is in use due to a fundamental incompatibility.
 .sp
 To enable intercept mode on a per-command basis, use the
 \fRINTERCEPT\fR
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd August 20, 2021
+.Dd September 1, 2021
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -5851,8 +5851,10 @@ Currently,
 .Nm sudo Ns 's
 .Em intercept
 functionality only works for programs that use the
+.Fn execv
+and
 .Fn execve
-system call to run the new command.
+library functions to run the new command.
 This may be expanded in a future release of
 .Nm sudo .
 Because most dynamic loaders ignore
@@ -5874,6 +5876,11 @@ Check your operating system's manual pages for the dynamic linker
 (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
 .Ev LD_PRELOAD
 is supported.
+It is
+.Em not
+supported when
+.Nm sudo Ns 's
+SELinux RBAC support is in use due to a fundamental incompatibility.
 .Pp
 To enable intercept mode on a per-command basis, use the
 .Li INTERCEPT
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -227,6 +227,16 @@ apply_cmndspec(struct cmndspec *cs)
 		    "user_type -> %s", user_type);
 	    }
 	}
+	if (user_role != NULL || user_type != NULL) {
+	    if (def_intercept) {
+		sudo_warnx(U_("SELinux RBAC is not supported when intercept mode is enabled"));
+		debug_return_bool(false);
+	    }
+	    if (def_log_subcmds) {
+		sudo_warnx(U_("SELinux RBAC is not supported when the log_subcmds flag is enabled"));
+		debug_return_bool(false);
+	    }
+	}
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
 	/* Set Solaris privilege sets */