sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

cvtsudoers outputs invalid JSON (selinux) #373

Closed es-fabricemarie closed 2 months ago

es-fabricemarie commented 2 months ago

Using the following sudoers file in /etc/sudoers.d/test6:

+usernetgroup,!fabrice +hostnetgroup,!localhost = ( operator1,!operator2,%wheel:operator3,!operator4,root ) \
  ROLE=selinuxRole1 TYPE=selinuxType1 \
  NOTBEFORE=2017021408Z NOTAFTER=2017021409Z \
  TIMEOUT=30s CWD=/root/cwd CHROOT=/root/chroot \
  EXEC: FOLLOW: LOG_INPUT: \
  /bin/test102,/usr/bin/test102

Using the command:

cvtsudoers --defaults=all --output-format=JSON --input-format=SUDOERS --output=- /etc/sudoers.d/test6

We get the following invalid JSON output:

{
    "User_Specs": [
        {
            "User_List": [
                { "netgroup": "usernetgroup" },
                {
                    "username": "fabrice",
                    "negated": true
                }
            ],
            "Host_List": [
                { "netgroup": "hostnetgroup" },
                {
                    "hostname": "localhost",
                    "negated": true
                }
            ],
            "Cmnd_Specs": [
                {
                    "runasusers": [
                        { "username": "operator1" },
                        {
                            "username": "operator2",
                            "negated": true
                        },
                        { "usergroup": "wheel" }
                    ],
                    "runasgroups": [
                        { "usergroup": "operator3" },
                        {
                            "usergroup": "operator4",
                            "negated": true
                        },
                        { "usergroup": "root" }
                    ],
                    "Options": [
                        { "runchroot": "/root/chroot" },
                        { "runcwd": "/root/cwd" },
                        { "command_timeout": 30 },
                        { "notbefore": "20170214080000Z" },
                        { "notafter": "20170214090000Z" },
                        { "noexec": false },
                        { "sudoedit_follow": true },
                        { "log_input": true }
                    ],
                    "SELinux_Spec": [
                        "role": "selinuxRole1",
                        "type": "selinuxType1"
                    ],
                    "Commands": [
                        { "command": "/bin/test102" },
                        { "command": "/usr/bin/test102" }
                    ]
                }
            ]
        }
    ]
}

The SELinux_Spec options should be added as object, similarly to the options above it.

millert commented 2 months ago

In this case I think it would make more sense to just include the SELinux role and type in the options array directly. This is what is done for the LDIF and CSV conversions.

millert commented 2 months ago

That would look like this:

{
    "User_Specs": [
        {
            "User_List": [
                { "netgroup": "usernetgroup" },
                {
                    "username": "fabrice",
                    "negated": true
                }
            ],
            "Host_List": [
                { "netgroup": "hostnetgroup" },
                {
                    "hostname": "localhost",
                    "negated": true
                }
            ],
            "Cmnd_Specs": [
                {
                    "runasusers": [
                        { "username": "operator1" },
                        {
                            "username": "operator2",
                            "negated": true
                        },
                        { "usergroup": "wheel" }
                    ],
                    "runasgroups": [
                        { "usergroup": "operator3" },
                        {
                            "usergroup": "operator4",
                            "negated": true
                        },
                        { "usergroup": "root" }
                    ],
                    "Options": [
                        { "runchroot": "/root/chroot" },
                        { "runcwd": "/root/cwd" },
                        { "command_timeout": 30 },
                        { "notbefore": "20170214080000Z" },
                        { "notafter": "20170214090000Z" },
                        { "noexec": false },
                        { "sudoedit_follow": true },
                        { "log_input": true },
                        { "role": "selinuxRole1" },
                        { "type": "selinuxType1" }
                    ],
                    "Commands": [
                        { "command": "/bin/test102" },
                        { "command": "/usr/bin/test102" }
                    ]
                }
            ]
        }
    ]
}
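The practical consequence of this bug is for anything downstream that consumes cvtsudoers JSON (audit tooling, configuration-drift checks): the `SELinux_Spec` array in the original output is not parseable at all, while the layout proposed above makes role and type ordinary `Options` entries. The following Python is an added example, not code from the sudo project or from either participant. It embeds two constructed, abbreviated samples mirroring the invalid and the proposed output, shows that a strict parser rejects the first, and extracts the SELinux context from the second; the function names `load_cvtsudoers_json`, `cmnd_spec_options` and `selinux_context` are the example's own.

```python
import json
from typing import Dict, List

# Constructed sample mirroring the malformed output in the report: SELinux_Spec
# is an array whose members are bare key/value pairs, which is not JSON.
INVALID_OUTPUT = """
{
    "User_Specs": [
        {
            "User_List": [ { "netgroup": "usernetgroup" } ],
            "Host_List": [ { "netgroup": "hostnetgroup" } ],
            "Cmnd_Specs": [
                {
                    "runasusers": [ { "username": "operator1" } ],
                    "Options": [
                        { "runchroot": "/root/chroot" },
                        { "command_timeout": 30 },
                        { "log_input": true }
                    ],
                    "SELinux_Spec": [
                        "role": "selinuxRole1",
                        "type": "selinuxType1"
                    ],
                    "Commands": [ { "command": "/bin/test102" } ]
                }
            ]
        }
    ]
}
"""

# Constructed sample in the layout proposed in the thread: role and type are
# ordinary one-key objects inside the Options array.
FIXED_OUTPUT = """
{
    "User_Specs": [
        {
            "User_List": [ { "netgroup": "usernetgroup" } ],
            "Host_List": [ { "netgroup": "hostnetgroup" } ],
            "Cmnd_Specs": [
                {
                    "runasusers": [ { "username": "operator1" } ],
                    "Options": [
                        { "runchroot": "/root/chroot" },
                        { "command_timeout": 30 },
                        { "log_input": true },
                        { "role": "selinuxRole1" },
                        { "type": "selinuxType1" }
                    ],
                    "Commands": [ { "command": "/bin/test102" } ]
                }
            ]
        }
    ]
}
"""


def load_cvtsudoers_json(text: str) -> dict:
    """Parse cvtsudoers output strictly. A malformed document raises
    ValueError rather than being partially consumed by a lenient parser."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"cvtsudoers output is not valid JSON: {exc}") from exc


def is_valid_cvtsudoers_json(text: str) -> bool:
    """True if the text parses as JSON, False otherwise."""
    try:
        load_cvtsudoers_json(text)
    except ValueError:
        return False
    return True


def cmnd_spec_options(doc: dict) -> List[Dict[str, object]]:
    """Flatten every Cmnd_Spec's Options array (a list of one-key objects)
    into one dict per Cmnd_Spec, in document order."""
    flattened: List[Dict[str, object]] = []
    for user_spec in doc.get("User_Specs", []):
        for cmnd_spec in user_spec.get("Cmnd_Specs", []):
            merged: Dict[str, object] = {}
            for entry in cmnd_spec.get("Options", []):
                merged.update(entry)
            flattened.append(merged)
    return flattened


def selinux_context(options: Dict[str, object]) -> Dict[str, object]:
    """Pick the SELinux role/type out of a flattened Options dict; absent keys
    are simply omitted so a non-SELinux entry yields an empty dict."""
    return {key: options[key] for key in ("role", "type") if key in options}


if __name__ == "__main__":
    print("invalid sample parses:", is_valid_cvtsudoers_json(INVALID_OUTPUT))
    for opts in cmnd_spec_options(load_cvtsudoers_json(FIXED_OUTPUT)):
        print("SELinux context:", selinux_context(opts))
```

Running the block prints `False` for the invalid sample and `{'role': 'selinuxRole1', 'type': 'selinuxType1'}` for the fixed one. Failing closed on a parse error is the point: a consumer that tolerated the broken array would have silently dropped the SELinux constraint from whatever it reports or enforces.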

es-fabricemarie commented 2 months ago

In this case I think it would make more sense to just include the SELinux role and type in the options array directly.

@millert agreed. Definitely makes more sense.

millert commented 2 months ago

Fixed by 7c2204d