On Sun, Jan 12, 2014 at 12:30:57PM +0100, Sven Vermeulen wrote:

> > dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount
> > restart
> > Password:
> > Authenticating root.
> > Cannot find your entry in the shadow passwd file.
> >
> > I'm not sure where to go from here. Any help would be appreciated.
>
> I'll look into it (it's reproducible).
>
> Seems that the trick from the blog post doesn't work for sudo. As far as I
> can see, the transition to the sysadm_r role and sysadm_t domain works
> nicely, and rc-service is a regular bin_t (so it's not about mismatching
> transitions).

I think I found it. It seemed that the integrated run_init support, provided
through the runscript_selinux.so library that we provide (for OpenRC), didn't
use PAM authentication, even when policycoreutils was built with USE="pam".

This is because the ebuild didn't use the python-r1.eclass BUILD_DIR
location (where the files were compiled earlier in the phase) but the
"normal" ${S} location (which contains the sources). As a result, the "make
install" phase started building the code, without taking the various USE
flags into account, and then installing those files.

I've pushed out policycoreutils-2.2.5-r2 which should fix this, and the
following sudoers line allowed me to check the status of the SSH service
without root password request, and without the error on shadow entries:

oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service

~$ sudo rc-service sshd status
Authenticating root.
 * status: started

Previously, this also gave the mentioned "Cannot find your entry in the
shadow passwd file." error.

Wkr,
Sven Vermeulen
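An added example, not part of the mail or of any Gentoo/OpenRC code: a small audit helper that parses sudoers entries carrying SELinux ROLE/TYPE options (like the oper line above) and lists which users can reach sysadm_r without any password prompt. The sudoers text it reads is a constructed sample, and the rule names and the regular expression are my own assumptions about the `user host=(runas) ROLE=.. TYPE=.. NOPASSWD: cmd` form shown in the mail.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (not a real /etc/sudoers): the line from the mail plus
# two variants, one with a password prompt and one without a role transition.
SAMPLE_SUDOERS = """\
# constructed sample
oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service
dustin ALL=(root) ROLE=sysadm_r TYPE=sysadm_t /sbin/rc-service, /bin/rc-status
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user host = (runas) [ROLE=.. TYPE=..] [NOPASSWD:|PASSWD:] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<opts>(?:(?:ROLE|TYPE)=\S+\s+)*)"
    r"(?P<tags>(?:(?:NO)?PASSWD:\s*)?)"
    r"(?P<cmds>.+)$"
)

@dataclass
class SudoRule:
    user: str
    host: str
    runas: Optional[str]
    role: Optional[str]       # SELinux role from ROLE=..., if any
    type: Optional[str]       # SELinux domain from TYPE=..., if any
    nopasswd: bool            # True when the NOPASSWD: tag is present
    commands: List[str] = field(default_factory=list)

def parse_sudoers(text: str) -> List[SudoRule]:
    """Parse user specifications; comments, blank and Defaults lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group("opts").split())
        rules.append(SudoRule(
            user=m.group("user"), host=m.group("host"), runas=m.group("runas"),
            role=opts.get("ROLE"), type=opts.get("TYPE"),
            nopasswd=m.group("tags").startswith("NOPASSWD"),
            commands=[c.strip() for c in m.group("cmds").split(",")]))
    return rules

def passwordless_role_transitions(rules: List[SudoRule], role: str = "sysadm_r") -> List[SudoRule]:
    """Rules that move the caller into `role` with no password asked (worth reviewing)."""
    return [r for r in rules if r.role == role and r.nopasswd]
```

Running `passwordless_role_transitions(parse_sudoers(SAMPLE_SUDOERS))` on the sample returns only the oper entry; the dustin entry still prompts for a password and the backup entry grants no SELinux role at all.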