sudo can use the ROLE= and TYPE= commands to change selinux role.
we should support this with FreeIPA
As per Dan's example with file-based sudoers:
<dwalsh> dwalsh ROLE=webadm_r TYPE=webadm_t ALL=(ALL) ALL
<dwalsh> ## Allows people in group wheel to run all commands
<dwalsh> %wheel ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
<dwalsh> %wheel ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/ksh
This actually works fine; they need to be added as options:
ipa sudorule-add-option sysadmin_sudo --sudooption "type=unconfined_t"
ipa sudorule-add-option sysadmin_sudo --sudooption "role=unconfined_r"
The scope of this ticket is just to update the sudorule plugin documentation, user guide, etc.
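A small translator from the file-based sudoers syntax quoted above to the sudoOption form the ipa commands use, added here as an illustration and not code from the ticket or from FreeIPA; the rule name sysadmin_sudo is taken from the commands above, and the sample sudoers text is constructed from Dan's lines.

```python
import re
import shlex

# Constructed sample input: the file-based sudoers lines quoted in the ticket.
SAMPLE_SUDOERS = """\
dwalsh ROLE=webadm_r TYPE=webadm_t ALL=(ALL) ALL
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t ALL
%wheel ALL=(ALL) ROLE=webadm_r TYPE=webadm_t /bin/ksh
"""

# sudoers spells the SELinux tags ROLE=/TYPE=, but the LDAP sudoOption values
# that sssd consumes (and that 'ipa sudorule-add-option' stores) are role=/type=.
SELINUX_TAGS = {"ROLE": "role", "TYPE": "type"}
TAG_RE = re.compile(r"^(ROLE|TYPE)=(\S+)$")


def parse_selinux_tags(line):
    """Return {'role': ..., 'type': ...} for the tags present on one sudoers line.

    Comment lines and lines without SELinux tags yield an empty dict.
    """
    tags = {}
    for token in shlex.split(line, comments=True):
        m = TAG_RE.match(token)
        if m:
            tags[SELINUX_TAGS[m.group(1)]] = m.group(2)
    return tags


def sudo_options(line):
    """Map one sudoers line to its sudoOption values, e.g. ['role=webadm_r', 'type=webadm_t']."""
    return [f"{key}={value}" for key, value in sorted(parse_selinux_tags(line).items())]


def ipa_commands(rule_name, line):
    """Build the 'ipa sudorule-add-option' commands that reproduce one sudoers line's SELinux tags.

    Options apply to the whole IPA rule, so lines with different ROLE/TYPE pairs
    need separate rules; this function only handles a single line.
    """
    quoted_rule = shlex.quote(rule_name)
    return [f'ipa sudorule-add-option {quoted_rule} --sudooption "{opt}"' for opt in sudo_options(line)]


if __name__ == "__main__":
    for sudoers_line in SAMPLE_SUDOERS.splitlines():
        for cmd in ipa_commands("sysadmin_sudo", sudoers_line):
            print(cmd)
```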
I updated the Common Questions section of https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO to mention this.
Metadata Update from @simo:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5