From 188ea74993a23fae5b38adce4c9a9d88e6f427ba Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Mon, 11 Jan 2021 04:23:38 -0500
Subject: [PATCH] =?UTF-8?q?sudo=20isn=E2=80=99t=20always=20built=20with=20?= =?UTF-8?q?SELinux=20support?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Red Hat- and Debian- derived distributions support SELinux, and so their sudo packages are built with SELinux support. However, other distributions (notably Arch) build sudo without SELinux. Such sudo builds will fail to parse the `ROLE=unconfined_r TYPE=unconfined_t` string added in 0fac1aa45c677d82b413d429dae37f51ad1d67f4. They *can* parse `role=unconfined_r, type=unconfined_t` in `Defaults`, but that causes problems on some Fedora 33 systems if SELinux is turned off and the root account is locked. To solve both of these problems at once, we install a different `/etc/sudoers.d/qubes` file depending on the distribution. As a heuristic, we use the presents of `/etc/redhat-release` or `/etc/debian_version`. If either is present, sudo probably supports SELinux, and we should include the corresponding entries. If both are missing, then we shouldn’t risk it. The `qubes.sudoers` file in the git repository includes the full file (with SELinux); we use `sed` to strip the SELinux portion when needed.
---
 passwordless-root/Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/passwordless-root/Makefile b/passwordless-root/Makefile
index d9fba25..eff5c44 100644
--- a/passwordless-root/Makefile
+++ b/passwordless-root/Makefile
@@ -8,7 +8,12 @@ PAMCONFIGSDIR = /usr/share/pam-configs/ install: install -d -m 0750 $(DESTDIR)$(SUDOERSDIR) - install -D -m 0440 qubes.sudoers $(DESTDIR)$(SUDOERSDIR)/qubes + if [ -f /etc/redhat-release ] || [ -f /etc/debian_version ]; then \ + exec install -D -m 0440 qubes.sudoers $(DESTDIR)$(SUDOERSDIR)/qubes; \ + else \ + sed -E '/^[^#]/s/\<(ROLE|TYPE)=[A-Za-z0-9_]+[[:space:]]+//g' qubes.sudoers | \ + install -D -m 0440 /dev/stdin $(DESTDIR)$(SUDOERSDIR)/qubes; \ + fi install -D -m 0644 polkit-1-qubes-allow-all.pkla $(DESTDIR)$(POLKIT1DIR)/localauthority/50-local.d/qubes-allow-all.pkla install -d -m 0750 $(DESTDIR)$(POLKIT1DIR)/rules.d install -D -m 0644 polkit-1-qubes-allow-all.rules $(DESTDIR)$(POLKIT1DIR)/rules.d/00-qubes-allow-all.rules
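Review bot: In the `else` branch the stripped sudoers file is piped from `sed` straight into `install ... /dev/stdin`, and without `pipefail` the recipe's exit status is that of `install` alone, so if `sed` fails an empty or partial `/etc/sudoers.d/qubes` is still installed and the build succeeds. Since this file carries the passwordless-root policy, I would write the output to a build file and install it only when sed succeeded: `sed -E '…' qubes.sudoers > qubes.sudoers.noselinux && install -D -m 0440 qubes.sudoers.noselinux $(DESTDIR)$(SUDOERSDIR)/qubes`, ideally with a `visudo -cf qubes.sudoers.noselinux` check in between where visudo is available at build time. A comment above the `if` would also help: the `/etc/redhat-release` / `/etc/debian_version` test inspects the machine running `make install`, not `$(DESTDIR)`, so it reflects the target only when the package is built on (or in a chroot of) the distribution it is meant for. The `install` recipe may continue past the end of this hunk.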