I'm fairly new to SELinux, and I am trying to get a server set up with
SELinux running. I use Ansible for configuration management, and I am
having some trouble getting it working with SELinux in Enforcing mode.
Most stuff is working fine, with the major exception of controlling
OpenRC services.
Ansible connects to the server as an unprivileged user (typically the
user running it) over SSH and then executes all change commands via
sudo. This works for most things, like copying files, etc., but if it
has to restart a service after making a configuration change, it fails.
I am not sure how to configure SELinux policy and/or sudo to get the
user into the correct context to be able to restart arbitrary services.
I cannot use run_init because Ansible does not know how to do so.
Here's what I've tried so far:
Create local user 'dustin':
useradd -m dustin
Authorize 'dustin' to run commands with sudo:
test-3238ec ~ # cat /etc/sudoers.d/dustin
dustin ALL = (ALL) ALL
Test dustin's sudo access:
dustin@test-3238ec ~ $ sudo id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
context=user_u:user_r:user_t
Map dustin to staff_u SELinux User:
semanage login -a -s staff_u dustin
chcon -R -u staff_u -r object_r /home/dustin
Test dustin's sudo access again:
dustin@test-3238ec ~ $ sudo id
Password:
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
context=staff_u:staff_r:staff_t
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video)
context=staff_u:sysadm_r:sysadm_t
Okay, dustin can now run system commands:
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t mv /etc/fstab{,.bak}
dustin@test-3238ec ~ $ ls /etc/fstab*
/etc/fstab.bak
dustin is not able to control services without run_init and the root
password:
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount restart
Authenticating root.
Cannot find your entry in the shadow passwd file.
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service nfsmount restart
Authenticating root.
Password:
* Unmounting NFS filesystems ... [ ok ]
* Starting NFS sm-notify ... [ ok ]
* Mounting NFS filesystems ... [ ok ]
Add pam_rootok to pam.d/run_init:
test-3238ec ~ # cat /etc/pam.d/run_init
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
This allows dustin to control services using run_init without knowing
the root password:
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t run_init rc-service nfsmount restart
Authenticating root.
* Unmounting NFS filesystems ... [ ok ]
* Starting NFS sm-notify ... [ ok ]
* Mounting NFS filesystems ... [ ok ]
My understanding is that in order to be able to control services, one
needs to have the system_r role[1]. I don't know how to get there, though:
dustin@test-3238ec ~ $ sudo -r system_r rc-service nfsmount restart
Password:
sudo: unable to get default type for role system_r
sudo: unable to execute /sbin/rc-service: Invalid argument
dustin@test-3238ec ~ $ sudo -r system_r -t sysadm_t rc-service nfsmount restart
sudo: staff_u:system_r:sysadm_t is not a valid context
sudo: unable to execute /sbin/rc-service: Invalid argument
dustin@test-3238ec ~ $ sudo -r system_r -t run_init_t rc-service nfsmount restart
sudo: staff_u:system_r:run_init_t is not a valid context
sudo: unable to execute /sbin/rc-service: Invalid argument
I tried a policy change that should allow OpenRC to make the transition
for me[2] but it did not work:
test-3238ec ~ # make -f /usr/share/selinux/strict/include/Makefile localruninit.pp
Compiling strict localruninit module
/usr/bin/checkmodule: loading policy configuration from tmp/localruninit.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 16) to tmp/localruninit.mod
Creating strict localruninit.pp policy package
rm tmp/localruninit.mod tmp/localruninit.mod.fc
test-3238ec ~ # semodule -i localruninit.pp
dustin@test-3238ec ~ $ sudo -r sysadm_r -t sysadm_t rc-service nfsmount restart
Password:
Authenticating root.
Cannot find your entry in the shadow passwd file.
I'm not sure where to go from here. Any help would be appreciated.
[1]
http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-seven-su-newrole.html
[2]
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/
--
♫Dustin
http://dustin.hatch.name/
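Added example, not part of Dustin's post or of any project he names: a small POSIX shell script that does two things the post does by hand. It checks the context= field of `id` output against the role and type an automation user is supposed to land in (the post's staff_u:sysadm_r:sysadm_t), and it renders a sudoers drop-in that pins ROLE= and TYPE= for the user's commands, so that a plain `sudo cmd` (which is what Ansible issues) runs in that context without `-r`/`-t` on the command line. The ROLE=/TYPE= tags are sudoers SELinux_Spec syntax and only take effect when sudo is built with SELinux support; the user, role and type names are the ones from the post and are assumptions about your policy. Nothing in the script runs as root; the sample `id` line is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): helpers for pinning an
# automation user's SELinux context through sudo and for verifying the
# context a command actually ran in. Names (dustin, staff_u, sysadm_r,
# sysadm_t) follow the post and are assumptions about the local policy.

# Print field N of a "user:role:type[:range]" context string.
# 1 = SELinux user, 2 = role, 3 = type (any MLS range is dropped).
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}
context_role() { context_field "$1" 2; }
context_type() { context_field "$1" 3; }

# Pull the context=... token out of a line of `id` output.
context_from_id() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^context=//p'
}

# Succeed (0) only when the context carries the expected role AND type.
# This is the check a playbook pre-flight task can run via "id" before
# attempting rc-service, so a wrong transition fails early and loudly.
check_context() {
    want_role=$1
    want_type=$2
    ctx=$3
    [ "$(context_role "$ctx")" = "$want_role" ] &&
    [ "$(context_type "$ctx")" = "$want_type" ]
}

# Render a sudoers drop-in line. ROLE=/TYPE= are sudoers SELinux_Spec
# tags: every command matched by this line runs in the given role/type.
# Narrowing the trailing ALL to the exact commands Ansible needs is the
# usual way to keep the sysadm_t domain from being reachable for
# arbitrary commands.
sudoers_fragment() {
    user=$1
    role=$2
    type=$3
    printf '%s ALL = (ALL) ROLE=%s TYPE=%s ALL\n' "$user" "$role" "$type"
}

# Constructed sample: the `id` output shape from the post after the
# staff_u login mapping, trimmed to a few groups.
SAMPLE_ID='uid=0(root) gid=0(root) groups=0(root),10(wheel) context=staff_u:sysadm_r:sysadm_t'

main() {
    ctx=$(context_from_id "$SAMPLE_ID")
    if check_context sysadm_r sysadm_t "$ctx"; then
        echo "ok: command ran as $ctx"
    else
        echo "unexpected context: $ctx" >&2
        return 1
    fi
    echo "--- proposed /etc/sudoers.d/dustin (hypothetical; check with visudo -c -f FILE before installing) ---"
    sudoers_fragment dustin sysadm_r sysadm_t
}

main "$@"
```

The same role/type can instead be supplied from the Ansible side with `become_flags: "-r sysadm_r -t sysadm_t"` (the `sudo` options the post types by hand), which keeps the sudoers file free of SELinux tags; either way, `id` in a pre-flight task shows which context the play actually got, which is what the post's transcript is checking manually.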