On 01/12/2014 08:44 AM, Dustin C. Hatch wrote:
> On 01/12/2014 07:54 AM, Sven Vermeulen wrote:
>> On Sun, Jan 12, 2014 at 12:30:57PM +0100, Sven Vermeulen wrote:
>>>> dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount
>>>> restart
>>>> Password:
>>>> Authenticating root.
>>>> Cannot find your entry in the shadow passwd file.
>>>>
>>>> I'm not sure where to go from here. Any help would be appreciated.
>>>
>>> I'll look into it (it's reproducible).
>>>
>>> Seems that the trick from the blog post doesn't work for sudo. As far as I
>>> can see, the transition to the sysadm_r role and sysadm_t domain works
>>> nicely, and rc-service is a regular bin_t (so it's not about mismatching
>>> transitions).
>>
>> I think I found it. It seemed that the integrated run_init support, provided
>> through the runscript_selinux.so library that we provide (for OpenRC), didn't
>> use PAM authentication, even when policycoreutils was built with USE="pam".
>>
>> This is because the ebuild didn't use the python-r1.eclass BUILD_DIR
>> location (where the files were compiled earlier in the phase) but the
>> "normal" ${S} location (which contains the sources). As a result, the "make
>> install" phase started building the code, without taking the various USE
>> flags into account, and then installing those files.
>>
>> I've pushed out policycoreutils-2.2.5-r2 which should fix this, and the
>> following sudoers line allowed me to check the status of the SSH service
>> without a root password request, and without the error on shadow entries:
>>
>> oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service
>>
>> ~$ sudo rc-service sshd status
>> Authenticating root.
>> * status: started
>>
>> Previously, this also gave the mentioned "Cannot find your entry in the
>> shadow passwd file." error.
>>
>> Wkr,
>> Sven Vermeulen
>>
> Cool, I've kicked off a catalyst rebuild of my SELinux stage[1234] and
> will deploy a new test VM as soon as it's done. I'll let you know how it
> goes.
>
> Thanks again for your help.
>
It is indeed working now, thank you. Is there any chance this can be
backported to 2.1?

--
♫Dustin
http://dustin.hatch.name/
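The sudoers line Sven posted (`oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service`) is worth a second look from a least-privilege angle: in sudoers, a command listed without arguments matches any arguments, so that entry lets `oper` stop or restart every OpenRC service in `sysadm_t` without a password, not just query `sshd`. The script below is an added example, not code from this thread, from sudo or from Gentoo. It parses a deliberately simplified sudoers grammar (one user spec per line; no aliases, `!` negation, line continuations or `Cmnd_Alias`) into the ROLE=/TYPE= options, the password tag and the command list, then flags passwordless transitions into `sysadm_t` whose argument list is not pinned. The `SAMPLE_SUDOERS` text is constructed for the example; the `runas` default of `root` mirrors sudo's `runas_default`.

```python
"""Audit sudoers user specs that carry SELinux ROLE= / TYPE= options.

Added example (not from the thread, sudo or Gentoo). Grammar handled:
    user  host = (runas) [ROLE=r] [TYPE=t] [NOPASSWD:|PASSWD:] cmd[, cmd ...]
Aliases, '!' negation and line continuations are deliberately not supported.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>\S.*)$"
)


@dataclass
class SudoSpec:
    user: str
    host: str
    runas: str
    role: Optional[str]
    type_: Optional[str]
    nopasswd: bool
    commands: List[str]


def parse_spec(line: str) -> Optional[SudoSpec]:
    """Return a SudoSpec for one user-spec line; None for blank, comment or Defaults lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        raise ValueError("unparseable sudoers spec: %r" % line)
    tokens = m.group("rest").split()
    role = type_ = None
    nopasswd = False
    # Leading option tokens. sudo's tags end in ':' and the command may follow
    # either after a space (NOPASSWD: /bin/x) or directly (NOPASSWD:/bin/x).
    while tokens:
        tok = tokens[0]
        if tok.startswith("ROLE="):
            role = tok[len("ROLE="):]
        elif tok.startswith("TYPE="):
            type_ = tok[len("TYPE="):]
        elif tok.startswith(("NOPASSWD:", "PASSWD:")):
            tag, _, trailing = tok.partition(":")
            nopasswd = tag == "NOPASSWD"
            if trailing:              # command glued to the tag
                tokens[0] = trailing
                break
        else:
            break
        tokens.pop(0)
    commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    # sudo's runas_default is root when no (runas) list is given (assumption stated in lead-in)
    return SudoSpec(m.group("user"), m.group("host"), m.group("runas") or "root",
                    role, type_, nopasswd, commands)


def audit_spec(spec: SudoSpec) -> List[str]:
    """Flag passwordless entries into sysadm_t that do not pin the argument list.

    A command with no arguments in sudoers matches ANY arguments; a trailing ""
    pins it to no arguments, and an explicit argument list pins it to those.
    """
    findings: List[str] = []
    if not (spec.nopasswd and spec.type_ == "sysadm_t"):
        return findings
    for cmd in spec.commands:
        parts = cmd.split()
        if parts[0] == "ALL":
            findings.append("%s@%s: passwordless ALL in sysadm_t" % (spec.user, spec.host))
        elif len(parts) == 1:
            findings.append("%s@%s: passwordless %s in sysadm_t with unrestricted arguments"
                            % (spec.user, spec.host, parts[0]))
    return findings


def audit_sudoers(text: str) -> List[str]:
    """Run audit_spec over every user spec in a sudoers-style text."""
    findings: List[str] = []
    for line in text.splitlines():
        spec = parse_spec(line)
        if spec is not None:
            findings.extend(audit_spec(spec))
    return findings


# Constructed sample. The first spec is the one posted in the thread.
SAMPLE_SUDOERS = """\
Defaults env_reset
# matches 'rc-service sshd status' but also 'rc-service sshd stop'
oper   ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service
# argument list pinned: only the status query is passwordless
oper   ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service sshd status
backup ALL=(root) ROLE=sysadm_r TYPE=sysadm_t ALL
dev    ALL=(root) NOPASSWD: /usr/bin/git, /usr/bin/make
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run against the sample, only the first `oper` line is reported; the second pins the arguments to `sshd status`, the `backup` entry still asks for a password, and the `dev` entry never leaves the caller's domain. Note that `ROLE=sysadm_r TYPE=sysadm_t` in sudoers only selects the target context; whether the transition is permitted is decided by the SELinux policy, exactly as in the `sudo -r sysadm_r -t sysadm_t` invocation at the top of the thread.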