On 01/12/2014 08:44 AM, Dustin C. Hatch wrote:
> On 01/12/2014 07:54 AM, Sven Vermeulen wrote:
>> On Sun, Jan 12, 2014 at 12:30:57PM +0100, Sven Vermeulen wrote:
>>>> dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount
>>>> restart
>>>> Password:
>>>> Authenticating root.
>>>> Cannot find your entry in the shadow passwd file.
>>>>
>>>> I'm not sure where to go from here. Any help would be appreciated.
>>>
>>> I'll look into it (it's reproducible).
>>>
>>> Seems that the trick from the blog post doesn't work for sudo. As far as I
>>> can see, the transition to the sysadm_r role and sysadm_t domain works
>>> nicely, and rc-service is a regular bin_t (so it's not about mismatching
>>> transitions).
>>
>> I think I found it. It seemed that the integrated run_init support, provided
>> through the runscript_selinux.so library that we provide (for OpenRC) didn't
>> use PAM authentication, even when policycoreutils was built with USE="pam".
>>
>> This is because the ebuild didn't use the python-r1.eclass BUILD_DIR
>> location (where the files were compiled earlier in the phase) but the
>> "normal" ${S} location (which contains the sources). As a result, the "make
>> install" phase started building the code, without taking the various USE
>> flags into account, and then installing those files.
>>
>> I've pushed out policycoreutils-2.2.5-r2 which should fix this, and the
>> following sudoers line allowed me to check the status of the SSH service
>> without root password request, and without the error on shadow entries:
>>
>> oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service
>>
>> ~$ sudo rc-service sshd status
>> Authenticating root.
>>  * status: started
>>
>> Previously, this also gave the mentioned "Cannot find your entry in the
>> shadow passwd file." error.
>>
>> Wkr,
>>      Sven Vermeulen
>>
> Cool, I've kicked off a catalyst rebuild of my SELinux stage[1234] and
> will deploy a new test VM as soon as it's done. I'll let you know how it
> goes.
> 
> Thanks again for your help.
> 
It is indeed working now, thank you. Is there any chance this can be
backported to 2.1?

-- 
♫Dustin
http://dustin.hatch.name/
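The sudoers entry discussed in this thread grants a single command under an SELinux role/type transition. As an added example (not from the mail, nor from sudo or policycoreutils), the following Python audits sudoers user specifications of that shape: it parses the `user host=(runas) ROLE=… TYPE=… TAG: commands` form and flags passwordless or sysadm_r grants that are not restricted to specific commands. The sample sudoers text is constructed for illustration, and the finding rules are the author's own choice, not anything sudo enforces.

```python
"""Audit sudoers user specifications that carry SELinux ROLE=/TYPE= options.

Added example for this thread, not part of the original mail, sudo or
policycoreutils.  SAMPLE_SUDOERS is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one tightly scoped entry (as in the thread), one entry
# with a command list, and one over-broad passwordless entry.
SAMPLE_SUDOERS = """\
# constructed sample, not a real sudoers file
oper   ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service
backup ALL=(root) ROLE=sysadm_r TYPE=sysadm_t /usr/bin/rsync, /bin/tar
dustin ALL=(ALL) NOPASSWD: ALL
"""

# user  host = (runas)  <options/tags/commands>
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)


@dataclass
class UserSpec:
    user: str
    host: str
    runas: str
    role: Optional[str] = None      # SELinux ROLE= option, if any
    type_: Optional[str] = None     # SELinux TYPE= option, if any
    tags: List[str] = field(default_factory=list)   # e.g. NOPASSWD
    commands: List[str] = field(default_factory=list)


def parse_spec(line: str) -> Optional[UserSpec]:
    """Parse one sudoers user specification; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    spec = UserSpec(m["user"], m["host"], m["runas"] or m["user"])
    tokens = m["rest"].split()
    # Leading tokens are ROLE=/TYPE= options and TAG: words; the rest is
    # the comma-separated command list.
    while tokens:
        tok = tokens[0]
        if tok.startswith("ROLE="):
            spec.role = tok[len("ROLE="):]
        elif tok.startswith("TYPE="):
            spec.type_ = tok[len("TYPE="):]
        elif tok.endswith(":") and tok[:-1].isupper():
            spec.tags.append(tok[:-1])
        else:
            break
        tokens.pop(0)
    spec.commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    return spec


def parse_sudoers(text: str) -> List[UserSpec]:
    return [s for s in (parse_spec(ln) for ln in text.splitlines()) if s]


def audit(specs: List[UserSpec]) -> List[str]:
    """Return findings for grants that are broader than a fixed command set."""
    findings = []
    for s in specs:
        if "NOPASSWD" in s.tags and "ALL" in s.commands:
            findings.append(f"{s.user}: passwordless sudo for ALL commands")
        if s.role == "sysadm_r" and "ALL" in s.commands:
            findings.append(f"{s.user}: unrestricted command set in sysadm_r")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(finding)
```

Run against a real file the script would read `/etc/sudoers` and the fragments under `/etc/sudoers.d`; the entry from the thread passes cleanly because it names one binary, while the constructed `dustin` line is reported.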
