From 5a4e4c7b9d75e7249879d4ac061e639deac38e45 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 3 Jun 2010 10:26:21 -0400
Subject: [PATCH] Document per-command SELinux settings

--HG--
branch : 1.7
---
 sudoers.pod | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/sudoers.pod b/sudoers.pod
index 88060d45e..560ac428a 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -275,10 +275,12 @@ See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
 Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'TRANSCRIPT:' | 'NOTRANSCRIPT:')
@@ -338,6 +340,14 @@ only the group will be set, the command still runs as user B.
 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
 /usr/local/bin/minicom
+=head2 SELinux_Spec
+
+On systems with SELinux support, I entries may optionally have
+an SELinux role and/or type associated with a command. If a role or
+type is specified with the command it will override any default values
+specified in I. A role or type specified on the command line,
+however, will supercede the values in I.
+
 =head2 Tag_Spec
 A command may have zero or more tags associated with it. There are
-- 
2.40.0