From: Todd C. Miller Date: Thu, 3 Jun 2010 14:26:21 +0000 (-0400) Subject: Document per-command SELinux settings X-Git-Tag: SUDO_1_7_3~124 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5a4e4c7b9d75e7249879d4ac061e639deac38e45;p=sudo Document per-command SELinux settings --HG-- branch : 1.7 --- diff --git a/sudoers.pod b/sudoers.pod index 88060d45e..560ac428a 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -275,10 +275,12 @@ See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters. Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'TRANSCRIPT:' | 'NOTRANSCRIPT:') @@ -338,6 +340,14 @@ only the group will be set, the command still runs as user B. tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom +=head2 SELinux_Spec + +On systems with SELinux support, I entries may optionally have +an SELinux role and/or type associated with a command. If a role or +type is specified with the command it will override any default values +specified in I. A role or type specified on the command line, +however, will supercede the values in I. + =head2 Tag_Spec A command may have zero or more tags associated with it. There are
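Review bot: In the grammar hunk (@@ -275,10 +275,12 @@), the new production SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') together with the optional SELinux_Spec? in Cmnd_Spec admits only one of ROLE or TYPE per command, while the prose added in the second hunk says a command may have "an SELinux role and/or type". If both may be given on one entry, the grammar should say so, for example by referencing it as SELinux_Spec* the way Tag_Spec* is, or by listing the allowed combinations in the production itself.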
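Review bot: In the new =head2 SELinux_Spec section (@@ -338,6 +340,14 @@), the last sentence misspells "supersede" as "supercede". The section also has no sample entry showing where ROLE= and TYPE= sit relative to the Runas_Spec and the tags, although the Runas_Spec text just above it ends with one (the tcm boulder line); a one-line example entry would make the syntax unambiguous. Since the paragraph says a role or type given on the command line wins over the per-command values, it would help to name which command-line options are meant so a reader auditing a rule knows what can override it.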