| 1 |
On 01/12/2014 07:54 AM, Sven Vermeulen wrote: |
| 2 |
> On Sun, Jan 12, 2014 at 12:30:57PM +0100, Sven Vermeulen wrote: |
| 3 |
>>> dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount |
| 4 |
>>> restart |
| 5 |
>>> Password: |
| 6 |
>>> Authenticating root. |
| 7 |
>>> Cannot find your entry in the shadow passwd file. |
| 8 |
>>> |
| 9 |
>>> I'm not sure where to go from here. Any help would be appreciated. |
| 10 |
>> |
| 11 |
>> I'll look into it (it's reproduceable). |
| 12 |
>> |
| 13 |
>> Seems that the trick from the blog post doesn't work for sudo. As far as I |
| 14 |
>> can see, the transition to the sysadm_r role and sysadm_t domain work |
| 15 |
>> nicely, and rc-service is a regular bin_t (so it's not about mismatching |
| 16 |
>> transitions). |
| 17 |
> |
| 18 |
> I think I found it. It seemed that the integrated run_init support, provided |
| 19 |
> through the runscript_selinux.so library that we provide (for OpenRC) didn't |
| 20 |
> use PAM authentication, even when policycoreutils was built with USE="pam". |
| 21 |
> |
| 22 |
> This is because the ebuild didn't use the python-r1.eclass BUILD_DIR |
| 23 |
> location (where the files were compiled earlier in the phase) but the |
| 24 |
> "normal" ${S} location (which contains the sources). As a result, the "make |
| 25 |
> install" phase started building the code, without taking the various USE |
| 26 |
> flags into account, and then installing those files. |
| 27 |
> |
| 28 |
> I've pushed out policycoreutils-2.2.5-r2 which should fix this, and the |
| 29 |
> following sudoers like allowed me to check the status of the SSH service |
| 30 |
> without root password request, and without the error on shadow entries: |
| 31 |
> |
| 32 |
> oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service |
| 33 |
> |
| 34 |
> ~$ sudo rc-service sshd status |
| 35 |
> Authenticating root. |
| 36 |
> * status: started |
| 37 |
> |
| 38 |
> Previously, this also gave the mentioned "Cannot find your entry in the |
| 39 |
> shadow passwd file." error. |
| 40 |
> |
| 41 |
> Wkr, |
| 42 |
> Sven Vermeulen |
| 43 |
> |
| 44 |
Cool, I've kicked off a catalyst rebuild of my SELinux stage[1234] and |
| 45 |
will deploy a new test VM as soon as its done. I'll let you know how it |
| 46 |
goes. |
| 47 |
|
| 48 |
Thanks again for your help. |
| 49 |
|
| 50 |
-- |
| 51 |
♫Dustin |
| 52 |
http://dustin.hatch.name/ |
Archives