Can't use intercept or log_subcmds with SELinux RBAC.
SELinux policy will prevent the inherited socket from sudo from being used and may also restrict the ability to connect back to the sudo process.
@@ -25,7 +25,7 @@
|
||||
.nr BA @BAMAN@
|
||||
.nr LC @LCMAN@
|
||||
.nr PS @PSMAN@
|
||||
.TH "SUDOERS" "@mansectform@" "August 20, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.TH "SUDOERS" "@mansectform@" "September 1, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.nh
|
||||
.if n .ad l
|
||||
.SH "NAME"
|
||||
@@ -6330,8 +6330,10 @@ Currently,
|
||||
\fBsudo\fR's
|
||||
\fIintercept\fR
|
||||
functionality only works for programs that use the
|
||||
\fBexecv\fR()
|
||||
and
|
||||
\fBexecve\fR()
|
||||
system call to run the new command.
|
||||
library functions to run the new command.
|
||||
This may be expanded in a future release of
|
||||
\fBsudo\fR.
|
||||
Because most dynamic loaders ignore
|
||||
@@ -6353,6 +6355,11 @@ Check your operating system's manual pages for the dynamic linker
|
||||
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
|
||||
\fRLD_PRELOAD\fR
|
||||
is supported.
|
||||
It is
|
||||
\fInot\fR
|
||||
supported when
|
||||
\fBsudo\fR's
|
||||
SELinux RBAC support is in use due to a fundamental incompatibility.
|
||||
.sp
|
||||
To enable intercept mode on a per-command basis, use the
|
||||
\fRINTERCEPT\fR
|
||||
|
@@ -24,7 +24,7 @@
|
||||
.nr BA @BAMAN@
|
||||
.nr LC @LCMAN@
|
||||
.nr PS @PSMAN@
|
||||
.Dd August 20, 2021
|
||||
.Dd September 1, 2021
|
||||
.Dt SUDOERS @mansectform@
|
||||
.Os Sudo @PACKAGE_VERSION@
|
||||
.Sh NAME
|
||||
@@ -5851,8 +5851,10 @@ Currently,
|
||||
.Nm sudo Ns 's
|
||||
.Em intercept
|
||||
functionality only works for programs that use the
|
||||
.Fn execv
|
||||
and
|
||||
.Fn execve
|
||||
system call to run the new command.
|
||||
library functions to run the new command.
|
||||
This may be expanded in a future release of
|
||||
.Nm sudo .
|
||||
Because most dynamic loaders ignore
|
||||
@@ -5874,6 +5876,11 @@ Check your operating system's manual pages for the dynamic linker
|
||||
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
|
||||
.Ev LD_PRELOAD
|
||||
is supported.
|
||||
It is
|
||||
.Em not
|
||||
supported when
|
||||
.Nm sudo Ns 's
|
||||
SELinux RBAC support is in use due to a fundamental incompatibility.
|
||||
.Pp
|
||||
To enable intercept mode on a per-command basis, use the
|
||||
.Li INTERCEPT
|
||||
|
@@ -227,6 +227,16 @@ apply_cmndspec(struct cmndspec *cs)
|
||||
"user_type -> %s", user_type);
|
||||
}
|
||||
}
|
||||
if (user_role != NULL || user_type != NULL) {
|
||||
if (def_intercept) {
|
||||
sudo_warnx(U_("SELinux RBAC is not supported when intercept mode is enabled"));
|
||||
debug_return_bool(false);
|
||||
}
|
||||
if (def_log_subcmds) {
|
||||
sudo_warnx(U_("SELinux RBAC is not supported when the log_subcmds flag is enabled"));
|
||||
debug_return_bool(false);
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_SELINUX */
|
||||
#ifdef HAVE_PRIV_SET
|
||||
/* Set Solaris privilege sets */
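Review bot: The new rejection block under `if (user_role != NULL || user_type != NULL)` fails closed, but nothing in the code says why the combination is refused, so a later maintainer only has the warning text to go on; the reason given in the commit message belongs next to the check, e.g. `/* SELinux policy blocks the socket inherited from sudo (and may block connecting back to it), so intercept and log_subcmds cannot work once a role/type change is in effect. */`. The check keys on `def_intercept` and `def_log_subcmds`; if an INTERCEPT tag on the cmndspec is merged into `def_intercept` only after this point, a per-command tag would slip past it, which is worth confirming against the tag-handling part of apply_cmndspec that lies outside this hunk. The two bodies differ only in the message, so a single condition that picks the message by which flag is set would avoid the duplication, though that is a style preference. apply_cmndspec begins before this hunk.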
|
||||
|