Bug 1480791

Summary: /usr/libexec/sesh -> /usr/libexec/sudo/sesh needs policy update
Product: Red Hat Enterprise Linux 7
Reporter: Chris Cheney <ccheney>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.4
CC: ccheney, dkopecek, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Last Closed: 2018-04-10 12:38:21 UTC
Type: Bug
Attachments: rhel-7.3 -> rhel-7.4 files section changes (flags: none)

Description Chris Cheney 2017-08-11 21:47:14 UTC
sudo was rebased between 7.3 and 7.4; one of the changes was the following:

  2013-02-06  Todd C. Miller  <Todd.Miller>

        * configure, configure.in, doc/UPGRADE, mkpkg, src/Makefile.in,
        src/load_plugins.c, sudo.pp:
        Sudo now stores its libexec files in a "sudo" subdirectory instead
        of in libexec itself. For backwards compatibility, if the plugin is
        not found in the default plugin directory, sudo will check the
        parent directory default directory ends in "/sudo".
        [5de67de76489]

This moved the following files into a subdirectory, and the patch for selinux-policy was not updated to match:

ls -al /usr/libexec/sudo
total 524
drwxr-xr-x.  2 root root    156 Aug 11 16:05 .
drwxr-xr-x. 42 root root  12288 Aug 11 16:05 ..
-rw-r--r--.  1 root root  11104 Jun  7 06:38 group_file.so
lrwxrwxrwx.  1 root root     21 Aug 11 16:05 libsudo_util.so.0 -> libsudo_util.so.0.0.0
-rw-r--r--.  1 root root  82120 Jun  7 06:38 libsudo_util.so.0.0.0
-rwxr-xr-x.  1 root root  15376 Jun  7 06:38 sesh
-rw-r--r--.  1 root root 388104 Jun  7 06:38 sudoers.so
-rw-r--r--.  1 root root   6880 Jun  7 06:38 sudo_noexec.so
-rw-r--r--.  1 root root   6928 Jun  7 06:38 system_group.so


policy-rhel-7.4-base.patch

-/usr/libexec/sesh              --      gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/cockpit-bridge         -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
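
Review bot: The last added line still labels /usr/libexec/sesh, but the listing above shows sesh installed at /usr/libexec/sudo/sesh after the rebase, so this entry no longer matches the binary and the file will not receive shell_exec_t from this rule. Add an entry for /usr/libexec/sudo/sesh; if the old location still has to be covered, keep both paths rather than swapping one for the other. The two cockpit lines also use different spacing around "--" than the sesh line; aligning the columns would keep the file consistent.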


This should be changed to:

+/usr/libexec/sudo/sesh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
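
The mismatch described above can be checked mechanically. The following is an added example, not part of the original report or of selinux-policy: it parses .fc entries in the form quoted in the patch and reports entries that match no installed path. The helper names, the sample strings, and the last-match-wins lookup are assumptions made for illustration.

```python
import re

# One .fc entry: <path regex> [<file type>] gen_context(<context>,<level>)
FC_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-dbclsp])\s+)?"
    r"gen_context\((?P<ctx>[^,()]+),(?P<level>[^()]+)\)\s*$"
)

def parse_fc(text):
    """Parse .fc lines into (compiled path regex, file type, SELinux type)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparsed .fc line: {line!r}")
        setype = m["ctx"].split(":")[2]  # user:role:type
        entries.append((re.compile(m["path"]), m["ftype"] or "", setype))
    return entries

def lookup(entries, path):
    """Type from the last entry matching the whole path, or None.
    Assumption: last match wins; SELinux has its own precedence rules."""
    hit = None
    for rx, _ftype, setype in entries:
        if rx.fullmatch(path):
            hit = setype
    return hit

def stale_entries(entries, installed):
    """Patterns that match no installed path, i.e. labels that apply to nothing."""
    return [rx.pattern for rx, _, _ in entries
            if not any(rx.fullmatch(p) for p in installed)]

# Constructed sample input based on the report: the entry in the 7.4 patch,
# the proposed replacement, and paths from the /usr/libexec/sudo listing.
SHIPPED = "/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)"
PROPOSED = "/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)"
INSTALLED = ["/usr/libexec/sudo/sesh", "/usr/libexec/sudo/sudoers.so"]

if __name__ == "__main__":
    for name, fc in (("shipped", SHIPPED), ("proposed", PROPOSED)):
        entries = parse_fc(fc)
        print(name, lookup(entries, INSTALLED[0]), stale_entries(entries, INSTALLED))
```

Running the same comparison against a package's file list after each rebase flags a moved binary before the policy ships with a label that applies to nothing.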

Comment 2 Chris Cheney 2017-08-11 21:48:58 UTC
Looks like this has happened before with a prior move from /usr/sbin bz#848693

Comment 3 Daniel Kopeček 2017-08-14 10:40:47 UTC
Created attachment 1313041
rhel-7.3 -> rhel-7.4 files section changes

Comment 9 errata-xmlrpc 2018-04-10 12:38:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763