From 0fac1aa45c677d82b413d429dae37f51ad1d67f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Fri, 8 Jan 2021 05:21:19 +0100
Subject: [PATCH] Fix sudo SELinux settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

By settinf Defaults role/type parameters, sudo starts asking for
password when called as root. It isn't clear why this happens, but
rollback that change. Instead, set ROLE/TYPE just for the rule for the
'qubes' group, which already has NOPASSWD option.

Fixes 3bcc1c3 "“sudo” must remove SELinux restrictions"
---
 passwordless-root/qubes.sudoers | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/passwordless-root/qubes.sudoers b/passwordless-root/qubes.sudoers
index cf185eb..060e4c8 100644
--- a/passwordless-root/qubes.sudoers
+++ b/passwordless-root/qubes.sudoers
@@ -1,5 +1,5 @@
-Defaults role=unconfined_r, type=unconfined_t, !requiretty
-%qubes ALL=(ALL) NOPASSWD: ALL
+Defaults !requiretty
+%qubes ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: ALL
 
 # WTF?! Have you lost your mind?!
 #