Issue #3461: [RFE] Extend freeipa's sudo to support selinux transition roles - freeipa

freeipa

#3461 [RFE] Extend freeipa's sudo to support selinux transition roles

Closed: Fixed None Opened 12 years ago by simo.

sudo can use the ROLE= and TYPE= commands to change selinux role.
we should support this with FreeIPA

As per dan example wih file based sudoers:

<dwalsh> dwalsh ROLE=webadm_r TYPE=webadm_t ALL=(ALL) ALL
<dwalsh> ## Allows people in group wheel to run all commands
<dwalsh> %wheel  ALL=(ALL)       ROLE=unconfined_r TYPE=unconfined_t ALL
<dwalsh> %wheel  ALL=(ALL)       ROLE=webadm_r TYPE=webadm_t /bin/ksh

ftweedal commented 8 years ago

Taking ownership.

This actually works fine, they need to be added as options:

ipa sudorule-add-option sysadmin_sudo --sudooption "type=unconfined_t"
ipa sudorule-add-option sysadmin_sudo --sudooption "role=unconfined_r"

Scope of ticket is just to update sudorule plugin documentation and
user guide, etc.

pbrezina commented 8 years ago

I updated https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO Common Questions to mention this.

mbasti commented 8 years ago

master:

ff490b6 sudorule: add SELinux transition examples to plugin doc

Metadata Update from @simo:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5

8 years ago

Metadata

Assignee

ftweedal

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

FreeIPA 4.5

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/109

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

tester

None

changelog

None

design

None

rhbz

todo

freeipa

Source Code

#3461 [RFE] Extend freeipa's sudo to support selinux transition roles Closed: Fixed None Opened 12 years ago by simo.

Metadata

#3461 [RFE] Extend freeipa's sudo to support selinux transition roles

Closed: Fixed None Opened 12 years ago by simo.