| 1 |
I'm fairly new to SELinux, and I am trying to get a server set up with |
| 2 |
SELinux running. I use Ansible for configuration management, and I am |
| 3 |
having some trouble getting it working with SELinux in Enforcing mode. |
| 4 |
Most stuff is working fine, with the major exception of controlling |
| 5 |
OpenRC services. |
| 6 |
|
| 7 |
Ansible connects to the server as an unprivileged user (typically the |
| 8 |
user running it) over SSH and then executes all change commands via |
| 9 |
sudo. This works for most things, like copying files, etc., but if it |
| 10 |
has to restart a service after making a configuration change, it fails. |
| 11 |
I am not sure how to configure SELinux policy and/or sudo to get the |
| 12 |
user into the correct context to be able to restart arbitrary services. |
| 13 |
I cannot use run_init because Ansible does not know how to do so. |
| 14 |
|
| 15 |
Here's what I've tried so far: |
| 16 |
|
| 17 |
Create local user 'dustin': |
| 18 |
useradd -m dustin |
| 19 |
|
| 20 |
Authorize 'dustin' to run commands with sudo: |
| 21 |
test-3238ec ~ # cat /etc/sudoers.d/dustin |
| 22 |
dustin ALL = (ALL) ALL |
| 23 |
|
| 24 |
Test dustin's sudo access: |
| 25 |
dustin@test-3238ec ~ $ sudo id |
| 26 |
Password: |
| 27 |
uid=0(root) gid=0(root) |
| 28 |
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) |
| 29 |
context=user_u:user_r:user_t |
| 30 |
|
| 31 |
Map dustin to staff_u SELinux User: |
| 32 |
semanage login -a -s staff_u dustin |
| 33 |
chcon -R -u staff_u -r object_r /home/dustin |
| 34 |
|
| 35 |
Test dustin's sudo access again: |
| 36 |
dustin@test-3238ec ~ $ sudo id |
| 37 |
Password: |
| 38 |
uid=0(root) gid=0(root) |
| 39 |
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) |
| 40 |
context=staff_u:staff_r:staff_t |
| 41 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t id |
| 42 |
uid=0(root) gid=0(root) |
| 43 |
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) |
| 44 |
context=staff_u:sysadm_r:sysadm_t |
| 45 |
|
| 46 |
Okay, dustin can now run system commands: |
| 47 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t mv /etc/fstab{,.bak} |
| 48 |
dustin@test-3238ec ~ $ ls /etc/fstab* |
| 49 |
/etc/fstab.bak |
| 50 |
|
| 51 |
dustin is not able to control services without run_init and the root |
| 52 |
password: |
| 53 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount |
| 54 |
restart |
| 55 |
Authenticating root. |
| 56 |
Cannot find your entry in the shadow passwd file. |
| 57 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service |
| 58 |
nfsmount restart |
| 59 |
Authenticating root. |
| 60 |
Password: |
| 61 |
* Unmounting NFS filesystems ... [ ok ] |
| 62 |
* Starting NFS sm-notify ... [ ok ] |
| 63 |
* Mounting NFS filesystems ... [ ok ] |
| 64 |
|
| 65 |
Add pam_rootok to pam.d/run_init: |
| 66 |
test-3238ec ~ # cat /etc/pam.d/run_init |
| 67 |
#%PAM-1.0 |
| 68 |
auth sufficient pam_rootok.so |
| 69 |
auth include system-auth |
| 70 |
account include system-auth |
| 71 |
password include system-auth |
| 72 |
session include system-auth |
| 73 |
session optional pam_xauth.so |
| 74 |
|
| 75 |
This allows dustin to control services using run_init without knowing |
| 76 |
the root password: |
| 77 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service |
| 78 |
nfsmount restart |
| 79 |
Authenticating root. |
| 80 |
* Unmounting NFS filesystems ... [ ok ] |
| 81 |
* Starting NFS sm-notify ... [ ok ] |
| 82 |
* Mounting NFS filesystems ... [ ok ] |
| 83 |
|
| 84 |
My understanding is that in order to be able to control services, one |
| 85 |
needs to have the system_r role[1]. I don't know how to get there, though: |
| 86 |
dustin@test-3238ec ~ $ sudo -r system_r rc-service nfsmount restart |
| 87 |
Password: |
| 88 |
sudo: unable to get default type for role system_r |
| 89 |
sudo: unable to execute /sbin/rc-service: Invalid argument |
| 90 |
dustin@test-3238ec ~ $ sudo -r system_r -t sysadm_t rc-service nfsmount |
| 91 |
restart |
| 92 |
sudo: staff_u:system_r:sysadm_t is not a valid context |
| 93 |
sudo: unable to execute /sbin/rc-service: Invalid argument |
| 94 |
dustin@test-3238ec ~ $ sudo -r system_r -t run_init_t rc-service |
| 95 |
nfsmount restart |
| 96 |
sudo: staff_u:system_r:run_init_t is not a valid context |
| 97 |
sudo: unable to execute /sbin/rc-service: Invalid argument |
| 98 |
|
| 99 |
I tried a policy change that should allow OpenRC to make the transition |
| 100 |
for me[2] but it did not work: |
| 101 |
test-3238ec ~ # make -f /usr/share/selinux/strict/include/Makefile |
| 102 |
localruninit.pp |
| 103 |
Compiling strict localruninit module |
| 104 |
/usr/bin/checkmodule: loading policy configuration from |
| 105 |
tmp/localruninit.tmp |
| 106 |
/usr/bin/checkmodule: policy configuration loaded |
| 107 |
/usr/bin/checkmodule: writing binary representation (version 16) to |
| 108 |
tmp/localruninit.mod |
| 109 |
Creating strict localruninit.pp policy package |
| 110 |
rm tmp/localruninit.mod tmp/localruninit.mod.fc |
| 111 |
test-3238ec ~ # semodule -i localruninit.pp |
| 112 |
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount |
| 113 |
restart |
| 114 |
Password: |
| 115 |
Authenticating root. |
| 116 |
Cannot find your entry in the shadow passwd file. |
| 117 |
|
| 118 |
I'm not sure where to go from here. Any help would be appreciated. |
| 119 |
|
| 120 |
[1] |
| 121 |
http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newrole.html |
| 122 |
[2] |
| 123 |
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/ |
| 124 |
|
| 125 |
-- |
| 126 |
♫Dustin |
| 127 |
http://dustin.hatch.name/ |
Archives