I'm fairly new to SELinux, and I am trying to get a server set up with
SELinux running. I use Ansible for configuration management, and I am
having some trouble getting it working with SELinux in Enforcing mode.
Most stuff is working fine, with the major exception of controlling
OpenRC services.

Ansible connects to the server as an unprivileged user (typically the
user running it) over SSH and then executes all change commands via
sudo. This works for most things, like copying files, etc., but if it
has to restart a service after making a configuration change, it fails.
I am not sure how to configure SELinux policy and/or sudo to get the
user into the correct context to be able to restart arbitrary services.
I cannot use run_init because Ansible does not know how to do so.

Here's what I've tried so far:

Create local user 'dustin':

    useradd -m dustin

Authorize 'dustin' to run commands with sudo:

    test-3238ec ~ # cat /etc/sudoers.d/dustin
    dustin ALL = (ALL) ALL

Test dustin's sudo access:

    dustin@test-3238ec ~ $ sudo id
    Password:
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=user_u:user_r:user_t

Map dustin to the staff_u SELinux user:

    semanage login -a -s staff_u dustin
    chcon -R -u staff_u -r object_r /home/dustin

Test dustin's sudo access again:

    dustin@test-3238ec ~ $ sudo id
    Password:
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=staff_u:staff_r:staff_t
    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) context=staff_u:sysadm_r:sysadm_t

Okay, dustin can now run system commands:

    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t mv /etc/fstab{,.bak}
    dustin@test-3238ec ~ $ ls /etc/fstab*
    /etc/fstab.bak

dustin is not able to control services without run_init and the root
password:

    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount restart
    Authenticating root.
    Cannot find your entry in the shadow passwd file.
    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service nfsmount restart
    Authenticating root.
    Password:
     * Unmounting NFS filesystems ... [ ok ]
     * Starting NFS sm-notify ... [ ok ]
     * Mounting NFS filesystems ... [ ok ]

Add pam_rootok to pam.d/run_init:

    test-3238ec ~ # cat /etc/pam.d/run_init
    #%PAM-1.0
    auth       sufficient   pam_rootok.so
    auth       include      system-auth
    account    include      system-auth
    password   include      system-auth
    session    include      system-auth
    session    optional     pam_xauth.so

This allows dustin to control services using run_init without knowing
the root password:

    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service nfsmount restart
    Authenticating root.
     * Unmounting NFS filesystems ... [ ok ]
     * Starting NFS sm-notify ... [ ok ]
     * Mounting NFS filesystems ... [ ok ]

My understanding is that in order to be able to control services, one
needs to have the system_r role[1]. I don't know how to get there, though:

    dustin@test-3238ec ~ $ sudo -r system_r rc-service nfsmount restart
    Password:
    sudo: unable to get default type for role system_r
    sudo: unable to execute /sbin/rc-service: Invalid argument
    dustin@test-3238ec ~ $ sudo -r system_r -t sysadm_t rc-service nfsmount restart
    sudo: staff_u:system_r:sysadm_t is not a valid context
    sudo: unable to execute /sbin/rc-service: Invalid argument
    dustin@test-3238ec ~ $ sudo -r system_r -t run_init_t rc-service nfsmount restart
    sudo: staff_u:system_r:run_init_t is not a valid context
    sudo: unable to execute /sbin/rc-service: Invalid argument

I tried a policy change that should allow OpenRC to make the transition
for me[2] but it did not work:

    test-3238ec ~ # make -f /usr/share/selinux/strict/include/Makefile localruninit.pp
    Compiling strict localruninit module
    /usr/bin/checkmodule:  loading policy configuration from tmp/localruninit.tmp
    /usr/bin/checkmodule:  policy configuration loaded
    /usr/bin/checkmodule:  writing binary representation (version 16) to tmp/localruninit.mod
    Creating strict localruninit.pp policy package
    rm tmp/localruninit.mod tmp/localruninit.mod.fc
    test-3238ec ~ # semodule -i localruninit.pp
    dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount restart
    Password:
    Authenticating root.
    Cannot find your entry in the shadow passwd file.

I'm not sure where to go from here. Any help would be appreciated.

[1] http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newrole.html
[2] http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/

--
♫Dustin
http://dustin.hatch.name/
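
An added illustration, not part of Dustin's message: a small Python model of the SELinux context check that sudo performs before exec, which is what produces the "unable to get default type for role system_r" and "... is not a valid context" messages in the post. A context is user:role:type, and it is valid only if the SELinux user is authorized for the role and the role is authorized for the type; `sudo -r` with no `-t` additionally needs a default type for the role. The policy tables below are constructed and deliberately tiny: they are not a dump of the strict policy on the host in the post, they only encode enough user/role and role/type authorizations to reproduce the results shown (in particular, staff_u authorized for staff_r and sysadm_r but not for system_r). On a real system the actual authorizations come from `semanage user -l` and `seinfo`.

```python
"""Toy model of SELinux context validation as sudo -r/-t exercises it.

Added example; not code from the post. The policy tables are constructed
and simplified, not a dump of any real policy.
"""

from dataclasses import dataclass

# Constructed: which roles each SELinux user may enter. The important
# detail for the post is that staff_u is not authorized for system_r.
USER_ROLES = {
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
    "system_u": {"system_r"},
}

# Constructed: which domains (types) each role may hold.
ROLE_TYPES = {
    "user_r": {"user_t"},
    "staff_r": {"staff_t"},
    "sysadm_r": {"sysadm_t", "run_init_t"},
    "system_r": {"init_t", "initrc_t", "run_init_t"},
}

# Constructed stand-in for contexts/default_type: the type sudo uses when
# only -r is given. system_r deliberately has no entry, as on the host.
DEFAULT_TYPE = {"user_r": "user_t", "staff_r": "staff_t", "sysadm_r": "sysadm_t"}


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str

    @classmethod
    def parse(cls, text):
        """Parse 'user:role:type[:range]'; an MLS/MCS range is ignored here."""
        fields = text.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed context: {text!r}")
        return cls(fields[0], fields[1], fields[2])

    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}"


def check_context(ctx):
    """Return None if the context is valid, else the reason it is not.

    Same two authorizations the kernel applies: user -> role, role -> type.
    """
    roles = USER_ROLES.get(ctx.user)
    if roles is None:
        return f"unknown SELinux user {ctx.user}"
    if ctx.role not in roles:
        return f"user {ctx.user} is not authorized for role {ctx.role}"
    types = ROLE_TYPES.get(ctx.role)
    if types is None:
        return f"unknown role {ctx.role}"
    if ctx.type not in types:
        return f"role {ctx.role} is not authorized for type {ctx.type}"
    return None


def sudo_context(current, role=None, type_=None):
    """Compute the context `sudo [-r ROLE] [-t TYPE]` would try to exec in.

    Mirrors what the post shows: the SELinux user is kept, a missing -t
    falls back to the role's default type, and the result is validated
    before exec. Returns (context, None) on success or (None, error).
    """
    role = role or current.role
    if type_ is None:
        type_ = DEFAULT_TYPE.get(role)
        if type_ is None:
            return None, f"unable to get default type for role {role}"
    target = Context(current.user, role, type_)
    err = check_context(target)
    if err:
        return None, f"{target} is not a valid context ({err})"
    return target, None


def roles_allowing(type_):
    """Roles that may hold a domain, e.g. where initrc_t can live at all."""
    return sorted(r for r, ts in ROLE_TYPES.items() if type_ in ts)


if __name__ == "__main__":
    # Login context after `semanage login -a -s staff_u dustin`.
    login = Context.parse("staff_u:staff_r:staff_t")
    attempts = [("sysadm_r", "sysadm_t"), ("system_r", None),
                ("system_r", "sysadm_t"), ("system_r", "run_init_t")]
    for role, type_ in attempts:
        ctx, err = sudo_context(login, role, type_)
        print(f"sudo -r {role} -t {type_}: {ctx if ctx else err}")
    print("roles that may hold initrc_t:", roles_allowing("initrc_t"))
```

In this model no `-r system_r` combination can validate for a staff_u login, whatever `-t` is given, because the failure is on the user-to-role check, not the type; that is why the post's three system_r attempts all fail the same way. The only role that may hold initrc_t is system_r, which staff_u cannot request from sudo; in the post the working path is run_init invoked from sysadm_t, where the switch into the service's context is a domain transition performed by the program rather than a role asked for on the sudo command line.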