#3461 [RFE] Extend freeipa's sudo to support selinux transition roles
Closed: Fixed. Opened 6 years ago by simo.

sudo can use the ROLE= and TYPE= commands to change the SELinux role.
We should support this with FreeIPA.

As per Dan's example with file-based sudoers:

<dwalsh> dwalsh ROLE=webadm_r TYPE=webadm_t ALL=(ALL) ALL
<dwalsh> ## Allows people in group wheel to run all commands
<dwalsh> %wheel  ALL=(ALL)       ROLE=unconfined_r TYPE=unconfined_t ALL
<dwalsh> %wheel  ALL=(ALL)       ROLE=webadm_r TYPE=webadm_t /bin/ksh

Taking ownership.

This actually works fine; they need to be added as options:

ipa sudorule-add-option sysadmin_sudo --sudooption "type=unconfined_t"
ipa sudorule-add-option sysadmin_sudo --sudooption "role=unconfined_r"

The scope of this ticket is just to update the sudorule plugin documentation,
user guide, etc.


  • ff490b6 sudorule: add SELinux transition examples to plugin doc
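The recipe above is two `sudorule-add-option` calls per rule. As an added example (not FreeIPA code, not from this ticket), here is a small converter that takes sudoers(5) user specifications such as Dan's `%wheel` lines and emits the full set of ipa commands that reproduce them, role/type options included. It assumes the ipa CLI flags named in its docstring, the sudoers.ldap(5) mapping of tags such as NOPASSWD to sudoOption values, and that the groups and hosts already exist in IPA; the rule names and the `%webteam` line are constructed. Per the sudoers grammar the SELinux spec follows `Host_List =` and the optional `(runas)` list, and that is the form parsed here. One caveat the ticket does not spell out: the option only tells sudo which context to request; whether the caller's SELinux user may enter that role is decided by the client's SELinux policy, not by the IPA rule.

```python
#!/usr/bin/env python3
"""Translate sudoers(5) user specifications carrying ROLE=/TYPE= into the
ipa(1) invocations that reproduce them as FreeIPA sudo rules.

Added example, not FreeIPA code. Assumed ipa CLI surface: sudorule-add
(--usercat/--hostcat/--runasusercat/--runasgroupcat/--cmdcat), sudorule-add-user,
-host, -runasuser, -runasgroup, -allow-command, sudorule-add-option, sudocmd-add.
Tag -> sudoOption mapping follows sudoers.ldap(5) (NOPASSWD -> !authenticate).
"""
import re
import shlex

# sudoers(5): User_List Host_List '=' Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd_List
_SPEC_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
_SELINUX_RE = re.compile(r"^(ROLE|TYPE)=(\S+)$")
_TAG_TO_OPTION = {  # Tag_Spec -> sudoOption
    "NOPASSWD:": "!authenticate", "PASSWD:": "authenticate",
    "NOEXEC:": "noexec", "EXEC:": "!noexec",
    "SETENV:": "setenv", "NOSETENV:": "!setenv",
}


def parse_sudoers_line(line):
    """Split one user specification into its parts; ValueError if it does not parse."""
    line = line.split("#", 1)[0].strip()
    m = _SPEC_RE.match(line)
    if not m:
        raise ValueError(f"not a user specification: {line!r}")
    if m["hosts"] in ("ROLE", "TYPE"):
        # The grammar puts the SELinux spec after 'Host_List =' and the (runas) list.
        raise ValueError(f"ROLE=/TYPE= must follow the host list: {line!r}")
    spec = {"users": m["users"].split(","), "hosts": m["hosts"].split(","),
            "runas_users": [], "runas_groups": [], "role": None, "type": None,
            "options": [], "commands": []}
    if m["runas"] is not None:
        users, _, groups = m["runas"].partition(":")
        spec["runas_users"] = [u.strip() for u in users.split(",") if u.strip()]
        spec["runas_groups"] = [g.strip() for g in groups.split(",") if g.strip()]
    tokens = m["rest"].split()
    while tokens:
        sel = _SELINUX_RE.match(tokens[0])
        if sel:
            spec[sel.group(1).lower()] = sel.group(2)      # "role" / "type"
        elif tokens[0] in _TAG_TO_OPTION:
            spec["options"].append(_TAG_TO_OPTION[tokens[0]])
        else:
            break
        tokens.pop(0)
    if not tokens:
        raise ValueError(f"no command list: {line!r}")
    # Cmnd_List is comma separated; a command's arguments may contain spaces.
    spec["commands"] = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    return spec


def ipa_commands(rule, spec):
    """Return the ipa(1) command lines that create sudo rule *rule* from *spec*."""
    def cmd(*args):
        return " ".join(shlex.quote(a) for a in args)

    add = ["ipa", "sudorule-add", rule]
    for field, flag in (("users", "--usercat=all"), ("hosts", "--hostcat=all"),
                        ("runas_users", "--runasusercat=all"),
                        ("runas_groups", "--runasgroupcat=all"),
                        ("commands", "--cmdcat=all")):
        if "ALL" in spec[field]:
            add.append(flag)
    out = [cmd(*add)]
    groups = [u[1:] for u in spec["users"] if u.startswith("%")]
    users = [u for u in spec["users"] if u != "ALL" and not u.startswith("%")]
    if users or groups:
        out.append(cmd("ipa", "sudorule-add-user", rule,
                       *([f"--users={','.join(users)}"] if users else []),
                       *([f"--groups={','.join(groups)}"] if groups else [])))
    hosts = [h for h in spec["hosts"] if h != "ALL"]
    if hosts:
        out.append(cmd("ipa", "sudorule-add-host", rule, f"--hosts={','.join(hosts)}"))
    ru = [u for u in spec["runas_users"] if u != "ALL"]
    if ru:
        out.append(cmd("ipa", "sudorule-add-runasuser", rule, f"--users={','.join(ru)}"))
    rg = [g for g in spec["runas_groups"] if g != "ALL"]
    if rg:
        out.append(cmd("ipa", "sudorule-add-runasgroup", rule, f"--groups={','.join(rg)}"))
    # ROLE=/TYPE= become plain sudo options, exactly as the ticket shows.
    for key in ("role", "type"):
        if spec[key]:
            out.append(cmd("ipa", "sudorule-add-option", rule, f"--sudooption={key}={spec[key]}"))
    for opt in spec["options"]:
        out.append(cmd("ipa", "sudorule-add-option", rule, f"--sudooption={opt}"))
    for c in spec["commands"]:
        if c != "ALL":
            out.append(cmd("ipa", "sudocmd-add", c))   # errors harmlessly if it already exists
            out.append(cmd("ipa", "sudorule-add-allow-command", rule, f"--sudocmds={c}"))
    return out


def convert_sudoers(text, prefix):
    """Convert every user specification in *text*; returns {rule_name: [commands]}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        name = f"{prefix}{len(rules) + 1}"
        rules[name] = ipa_commands(name, parse_sudoers_line(line))
    return rules


# Constructed input: Dan's two %wheel lines from the ticket plus one made-up rule.
SAMPLE_SUDOERS = """\
## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ROLE=unconfined_r TYPE=unconfined_t ALL
%wheel  ALL=(ALL)       ROLE=webadm_r TYPE=webadm_t /bin/ksh
%webteam web1.example.com,web2.example.com=(apache : apache) ROLE=webadm_r TYPE=webadm_t NOPASSWD: /usr/bin/systemctl restart httpd, /usr/bin/journalctl -u httpd
"""

if __name__ == "__main__":
    for name, cmds in convert_sudoers(SAMPLE_SUDOERS, "selinux_").items():
        print(f"# {name}")
        print("\n".join(cmds))
```

Running it prints the ipa command lines for each rule; after applying them, `ipa sudorule-show NAME` should list the `role=`/`type=` entries under Sudo Option, and `sudo -l` on an enrolled client shows the same options once SSSD has refreshed its sudo rules.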

Metadata Update from @simo:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5

