I have been struggling to get my hardened systems managed by Ansible for
quite some time now. I have almost everything working well now, except
service control. It seems like the run_init stuff in OpenRC behaves
strangely when /sbin/rc-service is called via exec(),
stdin/stdout/stderr are connected to pipes, and the whole thing is run
through sudo. I suspect it has something to do with the way run_init
tries to prompt for credentials (even though I have that "disabled").

Here's what I've got set up:

-----------------

test-bd06fe ~ # grep -Ev '^#|^$' /etc/selinux/config
SELINUX=permissive
SELINUXTYPE=strict

test-bd06fe ~ # getenforce
Permissive

test-bd06fe ~ # cat /etc/pam.d/run_init
#%PAM-1.0
# Uncomment the next line if you do not want to enter your passwd everytime
auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

test-bd06fe ~ # cat /etc/sudoers.d/root
root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

test-bd06fe ~ # cat test2.py
import subprocess

p = subprocess.Popen(['/sbin/rc-service', 'nfsmount', 'restart'],
                     stdin=subprocess.PIPE,
                     stdout=subprocess.PIPE,
                     stderr=subprocess.PIPE)
o, e = p.communicate()
print('exitcode: {}'.format(p.returncode))
print('stdout: {}'.format(o))
print('stderr: {}'.format(e))

test-bd06fe ~ # python2.7 test2.py
exitcode: 0
stdout: * Starting NFS sm-notify ... [ ok ]
* Mounting NFS filesystems ... [ ok ]

stderr:

test-bd06fe ~ # rc-service nfsmount status
* status: started

test-bd06fe ~ # rc-service nfsmount stop
* Unmounting NFS filesystems ...
[ ok ]

test-bd06fe ~ # sudo python2.7 test2.py
exitcode: 0
stdout:
stderr:

test-bd06fe ~ # rc-service nfsmount status
* status: stopped

-----------------

As you can see, this happens even when SELinux is not enforcing, so I
don't think it is policy related. I wonder if there is some way to stop
run_init from trying to prompt for authentication altogether, especially
when stdin/stdout/stderr are not a tty.

Any thoughts or pointers would be appreciated.

Thanks,

--
♫Dustin
http://dustin.hatch.name/
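The post contrasts a pipe-only invocation of rc-service (the test2.py above) with an interactive one and gets different results. The script below is an added example, not part of Dustin's post or of OpenRC: it shows the two invocation styles side by side, giving the child a real controlling pseudo-terminal in the second case so that anything in the run_init / PAM path that wants a tty has one, and it verifies the outcome with a separate status command rather than trusting an exit code of 0 (the post shows rc-service returning 0 while doing nothing). The PROBE and status commands are constructed stand-ins for /sbin/rc-service so the script runs on any POSIX box; whether a controlling tty is actually what run_init is missing is an assumption the post does not confirm.

```python
import os
import pty
import subprocess


def run_with_pipes(argv):
    """Invoke argv the way test2.py does: fds 0/1/2 are pipes, no tty at all.
    Returns (exit_code, stdout_bytes, stderr_bytes)."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    return p.returncode, out, err


def run_with_tty(argv, env=None):
    """Invoke argv with a pseudo-terminal as fds 0/1/2 and as its controlling tty.
    pty.fork() does the setsid()/TIOCSCTTY work, so a PAM conversation that
    opens /dev/tty has something to talk to. Returns (exit_code, captured_bytes);
    stdout and stderr are merged and use the tty's CR LF line endings."""
    pid, master = pty.fork()
    if pid == 0:  # child: the pty slave is now stdin/stdout/stderr
        try:
            os.execvpe(argv[0], argv, os.environ if env is None else env)
        except OSError:
            os._exit(127)
    chunks = []
    try:
        while True:
            try:
                data = os.read(master, 4096)
            except OSError:  # Linux raises EIO once the child closes the slave
                break
            if not data:
                break
            chunks.append(data)
    finally:
        os.close(master)
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        rc = os.WEXITSTATUS(status)
    else:
        rc = -os.WTERMSIG(status)
    return rc, b"".join(chunks)


# Constructed probe standing in for /sbin/rc-service: reports whether fds 0, 1
# and 2 are terminals and exits with a distinctive status so the caller can see
# that the exit code was really propagated.
PROBE = ['sh', '-c',
         'if [ -t 0 ] && [ -t 1 ] && [ -t 2 ]; then echo has-tty; '
         'else echo no-tty; fi; exit 3']

# Constructed stand-in for "rc-service <svc> status".
STATUS_OK = ['sh', '-c', 'echo " * status: started"']


def controlled_restart(argv, status_argv, expect):
    """Run a service command under a tty, then confirm the resulting state with
    a status command. Returns (rc, output, verified); verified is True only
    when the status output contains `expect`, independent of rc."""
    rc, out = run_with_tty(argv)
    _, status_out = run_with_tty(status_argv)
    return rc, out, expect in status_out


if __name__ == '__main__':
    print('pipes:', run_with_pipes(PROBE))
    print('tty:  ', run_with_tty(PROBE))
    print('verified restart:', controlled_restart(PROBE, STATUS_OK, b'started'))
```

Running it prints `no-tty` for the pipe case and `has-tty` for the pty case, with exit status 3 in both. To try it against the real thing, swap PROBE for `['/sbin/rc-service', 'nfsmount', 'restart']` and STATUS_OK for the matching `status` command; when the whole thing is wrapped in sudo as in the post, keep in mind that sudo's own behaviour (for example a `requiretty` setting in sudoers) is also sensitive to whether a tty is present.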