Description of problem:

1. I am reporting this against FC5test1/development/rawhide although FC4 has the problem also.

2. I am leaving this a normal severity although there is a good argument (to me) that it is really a security problem.

sudo 1.6.8 added a capability to suppress "shelling out" of a program such as vi with the NOEXEC option. This is an important security feature since it prohibits a sudo user from getting general access to root. With the selinux patch applied, you get the message:

/usr/sbin/sesh: Error execing /bin/vi: Permission denied

if NOEXEC is specified in the /etc/sudoers file (e.g., Defaults noexec). If the sudo package is rebuilt without the selinux patch, then the NOEXEC capability works as it should ... "sudo vi" can edit a file but ":!bash" does not work.
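For readers who want to see the two ways the feature in question is switched on, here is an added sudoers fragment (not from the report or the sudo project; the user name, group and host names are placeholders). It shows the global "Defaults noexec" the reporter mentions and, alongside it, the per-rule NOEXEC tag that restricts only a specific command:

```sudoers
# Global form: every command run through sudo gets LD_PRELOAD-based
# exec() blocking (the noexec_file wrapper that sesh invokes on SELinux).
Defaults noexec

# Per-rule form: only the editor runs with NOEXEC; the password tool
# keeps normal exec() behaviour. "editors" and "ws01" are placeholders.
%editors  ws01 = NOEXEC: /bin/vi, /usr/bin/vim
%editors  ws01 = /usr/bin/passwd
```

Either way, the enforcement depends on the program honouring LD_PRELOAD (static binaries and setuid targets are not covered), which is why the thread treats it as raising the barrier rather than as a hard boundary. To confirm the rule is in effect for a given account, "sudo -l -U <user>" lists the matching commands with their NOEXEC tag.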
I think that based on prior discussions of separating SELinux role changes from Unix user identity changes on selinux list and the removal of pam_selinux from su's pam config, I would recommend dropping the sudo selinux patch altogether. Ditto for the corresponding pieces of SELinux code in usermode/userhelper. As to the severity of this bug, IIUC, the current selinux patch is merely preventing this new 'feature' of sudo from working, not creating a security hole itself. Admittedly, preventing people from using this new 'feature' might yield a security hole if the admin then proceeds to authorize some user to perform a sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken to me anyway (I'd never rely on sudo to prevent such privilege escalation).
Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions, but I need something which will work across multiple system types (Solaris, xBSD, RHEL, FC, etc.) and which will at least raise the security barrier a little. Sudo looked like a "good enough" fix, but then we realized that there was the shell-out escape ... NOEXEC looked like a fix for that.
Fixed. The selinux patch has been removed from the devel branch.
Worth making this a FC4 update? Ref: https://www.redhat.com/archives/fedora-selinux-list/2006-January/msg00180.html