https://bugzilla.redhat.com/show_bug.cgi?id=1426600

Gerald Vogt <v...@spamcop.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |v...@spamcop.net



--- Comment #1 from Gerald Vogt <v...@spamcop.net> ---
Same here. The problem is the su in the rabbitmqctl script. To reproduce, you
can set up a simple cron job:

/etc/cron.d/test:
* * * * * root /root/test.sh

/root/test.sh:
#!/bin/bash
echo "id: `id`"
echo "id -r -u: `id -r -u`"
echo "id -r -g: `id -r -g`"
su rabbitmq -s /bin/sh -c "id"
---------

Set context of test.sh to system_u:object_r:logrotate_exec_t:s0.

Output of cronjob:
id: uid=0(root) gid=0(root) groups=0(root)
context=system_u:system_r:logrotate_t:s0-s0:c0.c1023
id -r -u: 0
id -r -g: 0
Password: su: Authentication information cannot be recovered
---------

audit.log contains:
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787
subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd }
for  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023
tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd 
exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
---------

This happens even if a local policy has been added to allow it:
# audit2allow < /var/log/audit/audit.log


#============= logrotate_t ==============

#!!!! This avc is allowed in the current policy
allow logrotate_t self:passwd passwd;
---------

I have modified /etc/pam.d/su to enable debug output for rootok:
auth        sufficient    pam_rootok.so debug

and /var/log/secure also contains the following message then:
su: pam_rootok(su:auth): root check failed

If the test script is bin_t instead of logrotate_exec_t it works.

sudo instead of su also works.

Thus, either SELinux needs to be adjusted or the rabbitmqctl script should use
sudo instead of su to change from root to the rabbitmq user.

_______________________________________________
erlang mailing list -- erlang@lists.fedoraproject.org
To unsubscribe send an email to erlang-le...@lists.fedoraproject.org
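Added example, not the reporter's script and not part of the RabbitMQ or selinux-policy packages: a small POSIX shell helper that turns USER_AVC passwd denials such as the one quoted in the comment into the audit2allow-style rule they correspond to, so that rule can be compared against what the loaded policy actually contains before assuming a local module fixed it. The audit records it writes are constructed after the one in the report; the hypothetical function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report). Summarise USER_AVC "passwd"
# denials from an audit.log as "allow SRC TGT:CLASS PERM;" rules, the
# same shape audit2allow prints for them.

# Type field (third colon-separated component) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read the audit file named in $1, keep only USER_AVC records that are
# denials in class passwd, and print one rule per record. When source
# and target type are identical the target is written as "self".
passwd_avc_rules() {
    grep 'type=USER_AVC' "$1" | grep 'avc:  denied' | grep 'tclass=passwd' |
    while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([a-z_]*\) }.*/\1/p')
        src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
        tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
        s=$(ctx_type "$src")
        t=$(ctx_type "$tgt")
        if [ "$s" = "$t" ]; then
            t=self
        fi
        printf 'allow %s %s:%s %s;\n' "$s" "$t" "$cls" "$perm"
    done
}

# Write constructed sample records to the file named in $1: the passwd
# denial from the report, a kernel AVC of another class, and a granted
# passwd check. Only the first should produce a rule.
write_sample_audit() {
    cat > "$1" <<'EOF'
type=USER_AVC msg=audit(1488708062.169:189724): pid=21967 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd }  for  scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tclass=passwd  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1488708062.170:189725): avc:  denied  { read } for  pid=21967 comm="su" name="shadow" scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AVC msg=audit(1488708070.000:189726): pid=21980 uid=0 auid=0 ses=5787 subj=system_u:system_r:logrotate_t:s0 msg='avc:  granted  { passwd }  for  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=passwd  exe="/usr/bin/su"'
EOF
}

# Stand-alone run: build the sample file and print the derived rule(s).
sample=${TMPDIR:-/tmp}/sample_audit.$$
write_sample_audit "$sample"
passwd_avc_rules "$sample"
rm -f "$sample"
```

The printed rule can then be checked against the loaded policy with `sesearch -A -s logrotate_t -c passwd`; as the comment notes, the rule already being present does not by itself explain the pam_rootok failure seen in /var/log/secure.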