Red Hat Bugzilla – Bug 178429
selinux patch breaks sudo NOEXEC capability
Last modified: 2007-11-30 17:11:21 EST
Description of problem:
1. I am reporting this against FC5test1/development/rawhide although FC4 has the
2. I am leaving this a normal severity although there is a good argument (to me)
that it is really a security problem.
sudo 1.6.8 added a capability to suppress "shelling out" of a program such as vi
with the NOEXEC option. This is an important security feature since it
prohibits a sudo user from getting general access to root.
With the selinux patch applied, you get the message:
/usr/sbin/sesh: Error execing /bin/vi: Permission denied
if NOEXEC is specified in the /etc/sudoers file (e.g., Defaults noexec).
If the sudo package is rebuilt without the selinux patch, then the NOEXEC
capability works as it should ... "sudo vi" can edit a file but ":!bash" does
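The sudoers settings under discussion, as an added illustration that is not part of the original bug report or of sudo's own documentation: the global "Defaults noexec" form the reporter mentions, next to the per-command NOEXEC/EXEC tag form. The user name "alice", the command paths and the build wrapper are assumptions made for this example.

```sudoers
# Form 1: global default. Every command run through sudo gets sudo's
# noexec hook, so "sudo vi" can still edit a file but ":!bash" from
# inside vi fails with "Permission denied".
Defaults noexec

# Form 2: per-command. Only the tagged entries are restricted.
# (user "alice" and the paths are assumptions for this example)
alice   ALL = (root) NOEXEC: /usr/bin/vi, /usr/bin/less

# The EXEC tag re-enables exec for an entry whose command legitimately
# spawns children (a hypothetical build wrapper here); it overrides a
# global "Defaults noexec" for that entry only.
alice   ALL = (root) EXEC:   /usr/local/bin/build-kernel
```

Validate the file with `visudo -c` and confirm the effective tags for a user with `sudo -l -U alice`. The caveat a practitioner should keep in mind, and the reason the discussion above calls NOEXEC a partial fix: sudo enforces noexec by preloading a small library into the dynamically linked command, so a statically linked editor, or anything that does not honor the preload, is not stopped by it; for the "let a user edit one file" case, `sudoedit` (which edits a temporary copy owned by the invoking user) avoids the editor shell-out problem without relying on noexec at all.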
I think that based on prior discussions of separating SELinux role changes from
Unix user identity changes on selinux list and the removal of pam_selinux from
su's pam config, I would recommend dropping the sudo selinux patch altogether.
Ditto for the corresponding pieces of SELinux code in usermode/userhelper.
As to the severity of this bug, IIUC, the current selinux patch is merely
preventing this new 'feature' of sudo from working, not creating a security hole
itself. Admittedly, preventing people from using this new 'feature' might yield
a security hole if the admin then proceeds to authorize some user to perform a
sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken
to me anyway (I'd never rely on sudo to prevent such privilege escalation).
Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions
but I need something which will work across multiple system types (Solaris, xBSD,
RHEL, FC, etc.) and which will at least raise the security barrier a little.
Sudo looked like a "good enough" fix but then we realized that there was the
shell-out escape ... NOEXEC looked like a fix for that.
Fixed. The selinux patch has been removed from the devel branch.
Worth making this a FC4 update?