On 17/07/17 at 01:59, Michael Biebl wrote:
> On 17.07.2017 at 01:46, Bdale Garbee wrote:
>> Sure, sounds good. I'm personally ambivalent about selinux since I
>> don't use it, but I'm always in favor of making things work for as many
>> users in as many contexts as possible.
> bigon, is there a way sudo could do the selinux relabeling itself when
> creating /run/sudo/ts so we don't need an init script/tmpfile to do
> that? That would be a more elegant solution. I see sudo does already
> link against libselinux. So having that dependency is not a concern.
There are multiple ways of doing that:
1. via policy: this should be already the case for confined users, but
apparently not for unconfined ones. This might be a bug in the
policy, I'll poke upstream about that.
2. via an explicit call to libselinux: call selabel_lookup_raw() to
retrieve which context should be used and then call
setfscreatecon_raw() so the next file create will atomically have
the correct context. sudo is already selinux-aware so that could be
a solution as well.
3. Pre-create the directory during the startup with the correct context.
The easiest being of course 3)