---- sudo-1.6.7p5/Makefile.in.selinux 2003-04-15 20:39:10.000000000 -0400
-+++ sudo-1.6.7p5/Makefile.in 2004-01-02 20:18:14.000000000 -0500
-@@ -59,7 +59,8 @@
- # Libraries
- LIBS = @LIBS@
- NET_LIBS = @NET_LIBS@
--SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ $(LIBS) $(NET_LIBS)
-+SELINUX_LIBS = -lselinux
-+SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ $(LIBS) $(NET_LIBS) $(SELINUX_LIBS)
-
- # C preprocessor flags
- CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@
-@@ -105,7 +106,7 @@
- sudoers_mode = @SUDOERS_MODE@
-
- # Pass in paths and uid/gid + OS dependent defined
--DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode)
-+DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode) -DWITH_SELINUX
-
- #### End of system configuration section. ####
-
---- sudo-1.6.7p5/sudo.c.selinux 2003-04-15 20:39:14.000000000 -0400
-+++ sudo-1.6.7p5/sudo.c 2004-01-13 21:38:54.668372568 -0500
-@@ -101,6 +101,16 @@
+--- sudo-1.6.7p5/sesh.c.selinux 2004-07-08 13:18:28.000000000 -0400
++++ sudo-1.6.7p5/sesh.c 2004-07-08 13:18:28.000000000 -0400
+@@ -0,0 +1,50 @@
++#include <stdio.h>
++#include <unistd.h>
++#include <limits.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <errno.h>
++
++main (int argc, char **argv) {
++ char buf[PATH_MAX];
++ pid_t pid;
++ if ( argc < 2 ) {
++ fprintf(stderr,"%s: Requires at least one argument\n", argv[0]);
++ exit(-1);
++ }
++ if ( argv[1][0] != '/' ) {
++ fprintf(stderr,"%s: First argument must have a full path\n", argv[0]);
++ exit(-1);
++ }
++
++ if ((pid = fork()) < 0) {
++ snprintf(buf, sizeof(buf), "%s: Couldn't fork");
++ perror(buf);
++ exit(-1);
++ } else if (pid > 0) {
++ /* Parent */
++ int status;
++ int ret;
++
++ do {
++ if ((ret = waitpid(pid, &status, 0)) < 0 && errno == EINTR)
++ continue;
++ else if (ret < 0) {
++ perror("waitpid failed");
++ exit(1);
++ }
++ } while (0);
++
++ if (WIFEXITED(status))
++ exit(WEXITSTATUS(status));
++ else
++ exit(1);
++ } else {
++ /* Child */
++ execv(argv[1], &argv[1]);
++
++ snprintf(buf, sizeof(buf), "%s: Error execing %s", argv[0], argv[1]);
++ perror(buf);
++ exit(-1);
++ }
++}
+--- sudo-1.6.7p5/configure.in.selinux 2003-05-06 11:22:36.000000000 -0400
++++ sudo-1.6.7p5/configure.in 2004-07-08 13:18:28.000000000 -0400
+@@ -90,7 +90,7 @@
+ dnl Initial values for Makefile variables listed above
+ dnl May be overridden by environment variables..
+ dnl
+-PROGS="sudo visudo"
++PROGS="sudo visudo sesh"
+ test -n "$MANTYPE" || MANTYPE="man"
+ test -n "$mansrcdir" || mansrcdir="."
+ test -n "$SUDOERS_MODE" || SUDOERS_MODE=0440
+--- sudo-1.6.8/sudo.c.orig 2004-08-07 01:42:52.000000000 +0200
++++ sudo-1.6.8/sudo.c 2004-08-29 20:45:31.556903000 +0200
+@@ -92,6 +92,17 @@
#include "interfaces.h"
#include "version.h"
+#include <selinux/get_default_type.h>
+char *role_s = NULL; /* role spec'd by user in argv[] */
+char *type_s = NULL; /* type spec'd by user in argv[] */
-+char *ttyn = NULL; /* tty path */
++security_context_t new_tty_context=NULL; /* security context to change to while running command*/
++security_context_t tty_context=NULL; /* current security context of tty */
+#endif
+
#ifndef lint
- static const char rcsid[] = "$Sudo: sudo.c,v 1.334 2003/04/01 15:02:49 millert Exp $";
+ static const char rcsid[] = "$Sudo: sudo.c,v 1.369 2004/08/06 23:42:52 millert Exp $";
#endif /* lint */
-@@ -414,10 +424,195 @@
- (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
+@@ -141,7 +152,151 @@
+ sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
+ void (*set_perms) __P((int));
- #ifndef PROFILING
-- if ((sudo_mode & MODE_BACKGROUND) && fork() > 0)
-+ if ((sudo_mode & MODE_BACKGROUND) && fork() > 0) {
-+ exit(0);
-+ }
+#ifdef WITH_SELINUX
-+ if( is_selinux_enabled() >0) {
-+ security_context_t old_context=NULL; /* our original securiy ID ("old_context") */
-+ security_context_t new_context=NULL; /* our target security ID ("sid") */
-+ security_context_t tty_context=NULL; /* current sid of tty */
-+ security_context_t new_tty_context=NULL; /* sid to change to while running command*/
-+
-+ /*
-+ *
-+ * Step 1: Handle command-line arguments.
-+ *
-+ */
++security_context_t setup_tty_context(int fd, char *ttyn, security_context_t new_context) {
++ security_context_t tty_context=NULL; /* current sid of tty */
+
-+ security_context_t context_s; /* our security context as a string */
-+ int context_length;
-+ context_t context; /* manipulatable form of context_s */
++ tty_context = NULL;
++ if (fgetfilecon(fd,&tty_context) <0 )
++ fprintf(stderr, "Warning! Could not get current context for %s, not relabeling.\n", ttyn);
+
-+
-+ /* Fill in a default type if one hasn't been specified */
-+ if( role_s && !type_s ) {
-+ if( get_default_type(role_s,&type_s) )
-+ {
-+ fprintf(stderr,"Couldn't get default type.\n");
-+ exit(-1);
-+ }
+#ifdef CANTSPELLGDB
-+ printf( "Your type will be %s.\n", type_s );
-+#endif
-+ }
-+
-+
-+ /*
-+ * Get the SID and context of the caller, and extract
-+ * the username from the context. Don't rely on the Linux
-+ * uid information - it isn't trustworthy.
-+ */
-+
-+ /* Put the caller's SID into `old_context'. */
-+ if( 0!=(getprevcon(&old_context)) ) {
-+ fprintf(stderr,"failed to get old_context.\n");
-+ exit(-1);
-+ }
-+
++ if (tty_context)
++ printf("Your tty %s was labeled with context %s\n", ttyn, tty_context);
++#endif
++
++ new_tty_context = NULL;
++ if (tty_context && security_compute_relabel(new_context,tty_context,SECCLASS_CHR_FILE,&new_tty_context) < 0)
++ fprintf(stderr, "Warning! Could not get new context for %s, not relabeling.\n", ttyn);
++
+#ifdef CANTSPELLGDB
-+ printf( "Your old context was %s\n", old_context );
++ if (new_tty_context)
++ printf("Relabeling tty %s to context %s\n", ttyn, new_tty_context);
+#endif
-+ /*
-+ * Create a context structure so that we extract and modify
-+ * components easily.
-+ */
-+ context=context_new(old_context);
++
++ if (new_tty_context) {
++ if( fsetfilecon(fd,new_tty_context)!=0 ) {
++ fprintf(stderr,"sudo: error: setfilecon on %s to %s",ttyn,new_tty_context);
++ }
++ }
++ return tty_context;
++}
++security_context_t get_exec_context(char *role_s, char *type_s) {
++
++ security_context_t old_context=NULL; /* our original securiy ID ("old_context") */
++ security_context_t new_context=NULL; /* our target security ID ("sid") */
+
-+ /*
-+ *
-+ * Step 3: Construct a new SID based on our old SID and the
-+ * arguments specified on the command line.
-+ *
-+ */
-+
-+ /* The first step in constructing a new SID for the new shell we *
-+ * plan to exec is to take our old context in `context' as a *
-+ * starting point, and modify it according to the options the user *
-+ * specified on the command line. */
-+
-+ /* If the user specified a new role on the command line (if `role_s' *
-+ * is set), then replace the old role in `context' with this new role. */
-+ if( role_s ) {
-+ if( context_role_set(context,role_s)) {
-+ fprintf(stderr,"failed to set new role %s\n",role_s);
-+ exit(-1);
-+ }
++ /*
++ *
++ * Step 1: Handle command-line arguments.
++ *
++ */
++
++ security_context_t context_s; /* our security context as a string */
++ int context_length;
++ context_t context; /* manipulatable form of context_s */
++
++
++ /*
++ * Get the SID and context of the caller, and extract
++ * the username from the context. Don't rely on the Linux
++ * uid information - it isn't trustworthy.
++ */
++
++ /* Put the caller's SID into `old_context'. */
++ if( 0!=(getprevcon(&old_context)) ) {
++ fprintf(stderr,"failed to get old_context.\n");
++ exit(-1);
++ }
++
+#ifdef CANTSPELLGDB
-+ printf("Your new role is %s\n",context_role_get(context));
++ printf( "Your old context was %s\n", old_context );
+#endif
-+ } /* if user specified new role */
-+
-+ /* If the user specified a new type on the command line (if `type_s' *
-+ * is set), then replace the old type in `context' with this new type. */
-+ if( type_s ) {
-+ if( context_type_set(context,type_s)) {
-+ fprintf(stderr,"failed to set new type %s\n",type_s);
-+ exit(-1);
-+ }
++ /*
++ * Create a context structure so that we extract and modify
++ * components easily.
++ */
++ context=context_new(old_context);
++
++ /*
++ *
++ * Step 3: Construct a new SID based on our old SID and the
++ * arguments specified on the command line.
++ *
++ */
++
++ /* The first step in constructing a new SID for the new shell we *
++ * plan to exec is to take our old context in `context' as a *
++ * starting point, and modify it according to the options the user *
++ * specified on the command line. */
++
++ /* Set the SELinux user identity to root */
++ context_user_set(context, "root");
++
++ /* If the user specified a new role on the command line (if `role_s' *
++ * is set), then replace the old role in `context' with this new role. */
++ if( role_s ) {
++ if( !type_s ) {
++ if( get_default_type(role_s,&type_s) )
++ {
++ fprintf(stderr,"Couldn't get default type.\n");
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf("Your new type is %s\n",context_type_get(context));
-+#endif
-+ } /* if user specified new type */
-+
-+ /* The second step in creating the new SID is to convert our modified *
-+ * `context' structure back to a context string and then to a SID. */
-+
-+ /* Make `context_s' point to a string version of the new `context'. */
-+ if( !(new_context=context_str(context))) {
-+ fprintf(stderr,"failed to convert new context to string\n" );
-+ exit(-1);
-+ }
-+
++ printf( "Your type will be %s.\n", type_s );
++#endif
++ }
++
++ if( context_role_set(context,role_s)) {
++ fprintf(stderr,"failed to set new role %s\n",role_s);
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf("Your new context is %s\n",new_context);
++ printf("Your new role is %s\n",context_role_get(context));
+#endif
-+
-+ /*
-+ *
-+ * Step 4: Handle relabeling of the tty.
-+ *
-+ */
-+
-+ /* Fetch TTY information */
-+ ttyn=ttyname(0);
-+ if (! ( ttyn==NULL || *ttyn=='\0')) {
-+ if (getfilecon(ttyn,&tty_context) <0 ) {
-+ fprintf(stderr, "Could not retrieve tty information.\n");
-+ } else {
-+
++
++ /* If the user specified a new type on the command line (if `type_s' *
++ * is set), then replace the old type in `context' with this new type. */
++ if( type_s ) {
++ if( context_type_set(context,type_s)) {
++ fprintf(stderr,"failed to set new type %s\n",type_s);
++ exit(-1);
++ }
+#ifdef CANTSPELLGDB
-+ printf("Your tty %s was labeled with SID %d\n", ttyn, tty_context);
++ printf("Your new type is %s\n",context_type_get(context));
+#endif
++ } /* if user specified new type */
++
++ /* The second step in creating the new SID is to convert our modified *
++ * `context' structure back to a context string and then to a SID. */
++
++ /* Make `context_s' point to a string version of the new `context'. */
++ if( !(new_context=strdup(context_str(context)))) {
++ fprintf(stderr,"failed to convert new context to string\n" );
++ exit(-1);
++ }
++
++ } /* if user specified new role */
++ else {
++ if (get_default_context(context_user_get(context),
++ NULL,
++ &new_context)) {
++ fprintf(stderr,"failed to get default context\n" );
++ exit(-1);
++ }
++ }
++ context_free(context);
++ freecon(old_context);
+
-+ new_tty_context = NULL;
-+ if (security_compute_relabel(new_context,tty_context,SECCLASS_CHR_FILE,&new_tty_context) < 0)
-+ fprintf(stderr, "Warning! Could not get new context for %s, not relabeling.\n", ttyn);
-+ else
-+ {
++ if (security_check_context(new_context) < 0) {
++ fprintf(stderr, "%s is not a valid context\n", new_context);
++ exit(-1);
++ }
+
-+#ifdef CANTSPELLGDB
-+ printf("Relabeling tty %s to context %s\n", ttyn, new_tty_context);
++ return new_context;
++}
+
+#endif
+ int
+ main(argc, argv, envp)
+ int argc;
+@@ -149,10 +304,10 @@
+ char **envp;
+ {
+ int validated;
+- int fd;
+ int cmnd_status;
+ int sudo_mode;
+ int pwflag;
++ int fd;
+ char **new_environ;
+ sigaction_t sa;
+ extern int printmatches;
+@@ -203,9 +358,6 @@
+ /* Setup defaults data structures. */
+ init_defaults();
+
+- /* Load the list of local ip addresses and netmasks. */
+- load_interfaces();
+-
+ pwflag = 0;
+ if (ISSET(sudo_mode, MODE_SHELL))
+ user_cmnd = "shell";
+@@ -219,6 +371,8 @@
+ putchar('\n');
+ dump_auth_methods();
+ dump_defaults();
++ /* Load the list of local ip addresses and netmasks. */
++ load_interfaces();
+ dump_interfaces();
+ }
+ exit(0);
+@@ -445,7 +599,43 @@
+ #ifndef PROFILING
+ if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)
+ exit(0);
+- else
++#ifdef WITH_SELINUX
++ if(is_selinux_enabled() > 0) {
++ int fd;
++ char *ttyn = NULL; /* tty path */
++ security_context_t new_context=NULL; /* our target security ID ("sid") */
++ security_context_t chk_tty_context= NULL;
+
-+ /* Relabel it */
-+ if( setfilecon(ttyn,new_tty_context)!=0 ) {
-+ fprintf(stderr,"sudo: error: setfilecon on %s to %s",ttyn,new_tty_context);
-+ }
-+ freecon(new_tty_context);
-+ }
-+ }
-+ }
-+ /* Fork, allowing parent to clean up after shell has executed */
-+ pid_t childPid=fork();
-+ if( childPid<0 ) {
-+ int errsv=errno;
-+
-+ fprintf(stderr,"sudo: failure forking: %s",strerror(errsv));
-+ exit(-1);
-+ } else if (childPid) {
-+ /* PARENT */
-+ wait(NULL);
-+
-+ if (tty_context!=NULL) {
++ new_context=get_exec_context(role_s,type_s);
+#ifdef CANTSPELLGDB
-+ printf("Restoring tty %s back to SID %d\n", ttyn, tty_context);
++ printf("Your new context is %s\n",new_context);
+#endif
+
-+ /* Cleanup TTY Context */
-+ setfilecon(ttyn,tty_context);
-+ freecon(tty_context);
-+ }
-+
-+ /* Done! */
- exit(0);
-- else
-- EXEC(safe_cmnd, NewArgv); /* run the command */
-+ }
+ if (setexeccon(new_context) < 0) {
+ fprintf(stderr, "Could not set exec context to %s.\n", new_context);
+ exit(-1);
+ }
+ freecon(new_context);
-+ /* Close and reopen descriptors 0 through 2 */
-+ if( close(0) || close(1) || close(2) )
-+ {
-+ fprintf(stderr,"Could not close descriptors.\n");
-+ exit(-1);
-+ }
-+ fd = open(ttyn,O_RDWR);
-+ if (fd != 0) {
-+ exit(-1);
-+ }
-+ fd = open(ttyn,O_RDWR);
-+ if (fd != 1) {
-+ exit(-1);
-+ }
-+ fd = open(ttyn,O_RDWR);
-+ if (fd != 2) {
-+ exit(-1);
++ {
++ /*
++ SELinux will only not transition properly with the following
++ code. Basically if the user chooses to use a different security
++ context. We need to start the selinux shell, before executing
++ the command. This way the process transition will happen
++ correctly. For example if they user wants to run rpm from
++ sysadm_r. Sudo will exec the /usr/sbin/sesh followed by the
++ specified command.*/
++ char **dst, **src = NewArgv+1;
++ NewArgv = (char **) emalloc2((++NewArgc + 1), sizeof(char *));
++ NewArgv[0] = estrdup("sesh");
++ NewArgv[1] = safe_cmnd;
++ safe_cmnd = estrdup("/usr/sbin/sesh");
++ /* copy the args from Argv */
++ for (dst = NewArgv + 2; (*dst = *src) != NULL; ++src, ++dst)
++ ;
+ }
+ }
+#endif
-+ EXEC(safe_cmnd, NewArgv); /* run the command */
+ EXECV(safe_cmnd, NewArgv); /* run the command */
#else
exit(0);
- #endif /* PROFILING */
-@@ -693,6 +888,30 @@
+@@ -729,6 +919,30 @@
NewArgv++;
break;
#endif
#ifdef HAVE_LOGIN_CAP_H
case 'c':
/* Must have an associated login class. */
-@@ -1063,6 +1282,9 @@
- #ifdef HAVE_BSD_AUTH_H
- (void) fprintf(stderr, "[-a auth_type] ");
+@@ -1111,6 +1325,9 @@
+ #ifdef HAVE_LOGIN_CAP_H
+ " [-c class|-]",
#endif
+#ifdef WITH_SELINUX
-+ (void) fprintf(stderr, "[-r role] [-t type] ");
++ " [-r role] [-t type]",
+#endif
- (void) fprintf(stderr, "-s | <command>\n");
- exit(exit_val);
- }
---- sudo-1.6.7p5/sudo.man.in.selinux 2003-04-15 20:39:14.000000000 -0400
-+++ sudo-1.6.7p5/sudo.man.in 2004-01-02 20:18:14.000000000 -0500
-@@ -174,7 +174,7 @@
+ " [-p prompt]",
+ " [-u username|#uid]",
+ " { -e file [...] | -i | -s | <command> }",
+--- sudo-1.6.8/sudo.man.in.orig 2004-08-17 20:53:39.000000000 +0200
++++ sudo-1.6.8/sudo.man.in 2004-08-29 20:48:39.189378528 +0200
+@@ -156,7 +156,7 @@
.IX Header "SYNOPSIS"
- \&\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR |
- [ \fB\-H\fR ] [\fB\-P\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR \fIprompt\fR ]
--[ \fB\-c\fR \fIclass\fR|\fI\-\fR ] [ \fB\-a\fR \fIauth_type\fR ]
-+[ \fB\-c\fR \fIclass\fR|\fI\-\fR ] [ \fB\-a\fR \fIauth_type\fR ] [\fB\-r\fR \fIrole\fR ] [\fB\-t\fR \fItype\fR ]
- [ \fB\-u\fR \fIusername\fR|\fI#uid\fR ] \fIcommand\fR
- .SH "DESCRIPTION"
- .IX Header "DESCRIPTION"
-@@ -327,6 +327,16 @@
- the group vector to the list of groups the target user is in.
- The real and effective group IDs, however, are still set to match
- the target user.
+ \&\fBsudo\fR \fB\-K\fR | \fB\-L\fR | \fB\-V\fR | \fB\-h\fR | \fB\-k\fR | \fB\-l\fR | \fB\-v\fR
+ .PP
+-\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
++\&\fBsudo\fR [\fB\-HPSb\fR] [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-r\fR \fIrole\fR ] [\fB\-t\fR \fItype\fR ]
+ [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+ {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
+ .PP
+@@ -235,6 +235,16 @@
+ \&\fBsudo\fR will initialize the group vector to the list of groups the
+ target user is in. The real and effective group IDs, however, are
+ still set to match the target user.
+.IP "\-r" 4
+.IX Item "-r"
+The \fB\-r\fR (\fRrole\fR) option causes the new (SELinux) security context to have the role specified by
.IP "\-S" 4
.IX Item "-S"
The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
---- sudo-1.6.7p5/sudoers.selinux 2001-12-16 23:45:52.000000000 -0500
-+++ sudo-1.6.7p5/sudoers 2004-01-02 20:18:14.000000000 -0500
-@@ -14,7 +14,8 @@
- # Defaults specification
+--- sudo-1.6.8/Makefile.in.orig 2004-05-28 22:27:59.000000000 +0200
++++ sudo-1.6.8/Makefile.in 2004-08-29 20:49:03.393698912 +0200
+@@ -43,7 +43,8 @@
+ # Libraries
+ LIBS = @LIBS@
+ NET_LIBS = @NET_LIBS@
+-SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ $(LIBS) $(NET_LIBS)
++SELINUX_LIBS = -lselinux
++SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ $(LIBS) $(NET_LIBS) $(SELINUX_LIBS)
+
+ # C preprocessor flags
+ CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@
+@@ -90,7 +91,7 @@
+ sudoers_mode = @SUDOERS_MODE@
+
+ # Pass in paths and uid/gid + OS dependent defined
+-DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode)
++DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -D_PATH_SUDOERS_TMP=\"$(sudoersdir)/sudoers.tmp\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode) -DWITH_SELINUX
+
+ #### End of system configuration section. ####
+
+@@ -104,7 +105,7 @@
+ parse.lex parse.yacc set_perms.c sigaction.c snprintf.c strcasecmp.c \
+ strerror.c strlcat.c strlcpy.c sudo.c sudo_noexec.c sudo.tab.c \
+ sudo_edit.c testsudoers.c tgetpass.c utime.c visudo.c zero_bytes.c \
+- $(AUTH_SRCS)
++ $(AUTH_SRCS) sesh.c
+
+ AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
+ auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
+@@ -126,6 +127,8 @@
+
+ VISUDOBJS = visudo.o fileops.o goodpath.o find_path.o $(PARSEOBJS)
+
++SESH_OBJS = sesh.o
++
+ TESTOBJS = interfaces.o testsudoers.o $(PARSEOBJS)
+
+ LIBOBJS = @LIBOBJS@ @ALLOCA@
+@@ -145,7 +148,7 @@
+ BINFILES= BUGS CHANGES HISTORY LICENSE README TODO TROUBLESHOOTING \
+ UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
+ sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \
+- sudoers.pod visudo visudo.cat visudo.man visudo.pod
++ sudoers.pod visudo visudo.cat visudo.man visudo.pod sesh
+
+ BINSPECIAL= INSTALL.binary Makefile.binary
+
+@@ -177,6 +180,9 @@
+ visudo: $(VISUDOBJS) $(LIBOBJS)
+ $(CC) -o $@ $(VISUDOBJS) $(LIBOBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS)
+
++sesh: $(SESH_OBJS)
++ $(CC) -o $@ $(SESH_OBJS) $(LDFLAGS) $(LIBS)
++
+ testsudoers: $(TESTOBJS) $(LIBOBJS)
+ $(CC) -o $@ $(TESTOBJS) $(LIBOBJS) $(LDFLAGS) $(LIBS) $(NET_LIBS)
+
+@@ -215,6 +221,7 @@
+ set_perms.o: set_perms.c $(SUDODEP)
+ tgetpass.o: tgetpass.c $(SUDODEP)
+ visudo.o: visudo.c $(SUDODEP) version.h
++sesh.o: sesh.c
+ sudo.o: sudo.c $(SUDODEP) interfaces.h version.h
+ interfaces.o: interfaces.c $(SUDODEP) interfaces.h
+ testsudoers.o: testsudoers.c $(SUDODEP) parse.h interfaces.h
+@@ -305,6 +312,7 @@
+ ln -f $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
- # User privilege specification
--root ALL=(ALL) ALL
-+#You should not use sudo as root in an SELinux environment
-+#root ALL=(ALL) ALL
+ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
++ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(visudodir)/sesh
- # Uncomment to allow people in group wheel to run all commands
- # %wheel ALL=(ALL) ALL
+ install-noexec: sudo_noexec.la
+ $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la $(DESTDIR)$(noexecdir)