On Sun, Jan 12, 2014 at 12:30:57PM +0100, Sven Vermeulen wrote:
> > dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount
> > restart
> > Password:
> > Authenticating root.
> > Cannot find your entry in the shadow passwd file.
> > 
> > I'm not sure where to go from here. Any help would be appreciated.
> 
> I'll look into it (it's reproducible).
> 
> Seems that the trick from the blog post doesn't work for sudo. As far as I
> can see, the transition to the sysadm_r role and sysadm_t domain works
> nicely, and rc-service is a regular bin_t (so it's not about mismatching
> transitions).

I think I found it. It seemed that the integrated run_init support, provided
through the runscript_selinux.so library that we provide (for OpenRC) didn't
use PAM authentication, even when policycoreutils was built with USE="pam".

This is because the ebuild didn't use the python-r1.eclass BUILD_DIR
location (where the files were compiled earlier in the phase) but the
"normal" ${S} location (which contains the sources). As a result, the "make
install" phase started building the code, without taking the various USE
flags into account, and then installing those files.

I've pushed out policycoreutils-2.2.5-r2 which should fix this, and the
following sudoers line allowed me to check the status of the SSH service
without a root password request, and without the error on shadow entries:

oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service

~$ sudo rc-service sshd status
Authenticating root.
 * status: started

Previously, this also gave the mentioned "Cannot find your entry in the
shadow passwd file." error.

Wkr,
        Sven Vermeulen
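As an added illustration (this is not code from the thread, from Gentoo, or from the policycoreutils ebuild), the POSIX shell script below performs the two checks a practitioner would want after a fix like the one described above: that the installed OpenRC SELinux plugin was really built with PAM support, which is verified here by looking for libpam in its `ldd` output (the path `/lib/rc/plugins/runscript_selinux.so` and the expectation that a PAM-enabled build links libpam are assumptions), and that a sudoers entry carries the `ROLE=`/`TYPE=` specifications and the `NOPASSWD:` tag in front of the intended command. The sample entry is constructed from the line quoted in the mail; the parser handles one plain entry per line and no aliases.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Assumed plugin path (Gentoo OpenRC SELinux plugin); adjust as needed.
PLUGIN=/lib/rc/plugins/runscript_selinux.so

# Report whether a binary or shared object is linked against libpam.
# Returns 0 if linked, 1 if not linked, 2 if the file is missing or
# ldd is unavailable, so callers can skip rather than fail.
pam_linked() {
    f=$1
    [ -f "$f" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    if ldd "$f" 2>/dev/null | grep -q 'libpam\.so'; then
        return 0
    fi
    return 1
}

# Extract one field from a sudoers entry of the form
#   user host=(runas) [ROLE=r] [TYPE=t] [TAG:...] command [args]
# Field names: user, host, runas, role, type, tags, cmd.
# Tags (NOPASSWD:, PASSWD:, ...) and ROLE=/TYPE= may appear in any order
# between the runas spec and the command; tags are returned comma-joined.
sudoers_field() {
    line=$1
    field=$2
    printf '%s\n' "$line" | awk -v want="$field" '
    {
        user = $1
        split($2, hr, "=")              # "ALL=(root)" -> "ALL", "(root)"
        host = hr[1]
        runas = hr[2]; gsub(/[()]/, "", runas)
        role = ""; type = ""; tags = ""; cmd = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^ROLE=/)          { role = substr($i, 6) }
            else if ($i ~ /^TYPE=/)     { type = substr($i, 6) }
            else if ($i ~ /^[A-Z]+:$/)  { tags = (tags == "" ? "" : tags ",") substr($i, 1, length($i) - 1) }
            else                        { cmd = (cmd == "" ? "" : cmd " ") $i }
        }
        if (want == "user") print user
        else if (want == "host") print host
        else if (want == "runas") print runas
        else if (want == "role") print role
        else if (want == "type") print type
        else if (want == "tags") print tags
        else if (want == "cmd") print cmd
    }'
}

# Verify that an entry grants exactly the expected SELinux role and type,
# is tagged NOPASSWD, and names the expected command. Returns 0 on match.
entry_ok() {
    line=$1; want_role=$2; want_type=$3; want_cmd=$4
    [ "$(sudoers_field "$line" role)" = "$want_role" ] || return 1
    [ "$(sudoers_field "$line" type)" = "$want_type" ] || return 1
    [ "$(sudoers_field "$line" tags)" = "NOPASSWD" ]  || return 1
    [ "$(sudoers_field "$line" cmd)" = "$want_cmd" ]  || return 1
    return 0
}

# Constructed sample entry, taken from the line quoted in the mail.
SAMPLE='oper ALL=(root) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: /sbin/rc-service'

# Stand-alone run: report both checks without aborting on a missing plugin.
if entry_ok "$SAMPLE" sysadm_r sysadm_t /sbin/rc-service; then
    echo "sudoers entry: ok"
else
    echo "sudoers entry: does not grant sysadm_r/sysadm_t NOPASSWD for /sbin/rc-service"
fi
pam_linked "$PLUGIN"; rc=$?
case $rc in
    0) echo "$PLUGIN: linked against libpam" ;;
    1) echo "$PLUGIN: NOT linked against libpam (built without PAM?)" ;;
    *) echo "$PLUGIN: not found or ldd unavailable, skipping" ;;
esac
```

On a system where the plugin was built without PAM support, `pam_linked` returns 1 and the second line of output points at the build rather than at sudo, which is the distinction the thread took a round trip to make.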
