Bug 1917879
| Field | Value |
|---|---|
| Summary | Cannot sudo passwordless from staff_u/sysadm_u when using pam_ssh_agent_auth |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Renaud Métrich <rmetrich> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 8.3 |
| CC | apeetham, lvrabec, mmalik, pkoncity, plautrba, ssekidde, zpytela |
| Target Milestone | rc |
| Keywords | Triaged |
| Target Release | 8.6 |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.14.3-86.el8 |
| Doc Type | Bug Fix |
| Last Closed | 2022-05-10 15:14:56 UTC |
| Type | Bug |
| Bug Blocks | 1778780 |
Description
Renaud Métrich
2021-01-19 15:04:35 UTC
Additional missing rules:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
allow sudodomain user_tmp_t:sock_file { write getattr append open };
allow sudodomain ssh_agent_tmp_t:sock_file { write getattr append open };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Created attachment 1750851 [details]
SELinux denials gathered during testing of staff_u and sysadm_u users

I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/976

To backport:

commit 901ac5314982f5600ef11691969b9af89aeba772
Author: Zdenek Pytela <zpytela>
Date: Mon Dec 20 14:21:33 2021 +0100

    Allow userdomains use pam_ssh_agent_auth for passwordless sudo

    The pam_ssh_agent_auth module can be used for granting permissions based on SSH agent requests. When configured for use in the sudo pam module, it requires permissions for sudodomain to use the user socket file and stream connect to its corresponding userdomain.

    Resolves: rhbz#1917879

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995
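Added example, not part of this bug report or of the selinux-policy project: a small Python checker that scans audit AVC lines for the two denial patterns the fix above addresses, a sudodomain touching the agent sock_file (user_tmp_t / ssh_agent_tmp_t) and a sudodomain stream-connecting to its userdomain. The attribute membership sets (staff_sudo_t, sysadm_sudo_t, staff_t, sysadm_t) are assumptions, and the sample audit lines are constructed, not taken from the attachment.

```python
import re

# Constructed sample AVC lines (not the bug's attachment): two denials of the kind this
# fix addresses, plus one unrelated denial that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1611068675.123:401): avc:  denied  { write } for  pid=4321 comm="sudo" name="agent.1234" dev="tmpfs" ino=9876 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1611068675.124:402): avc:  denied  { connectto } for  pid=4321 comm="sudo" path="/tmp/ssh-XXXX/agent.1234" scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1611068675.125:403): avc:  denied  { read } for  pid=4400 comm="cat" name="shadow" dev="dm-0" ino=555 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Assumed refpolicy-style members of the sudodomain/userdomain attributes; confirm with
# `seinfo -a sudodomain -x` on the host being checked.
SUDODOMAINS = {"staff_sudo_t", "sysadm_sudo_t"}
USERDOMAINS = {"staff_t", "sysadm_t"}
AGENT_SOCK_TYPES = {"user_tmp_t", "ssh_agent_tmp_t"}          # types from the rules in the bug
SOCK_FILE_PERMS = {"write", "getattr", "append", "open"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?scontext=(?P<scontext>\S+)"
                    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_avc(line):
    """Extract perms, source/target type (3rd context field) and class; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": set(m["perms"].split()), "tclass": m["tclass"],
            "stype": m["scontext"].split(":")[2], "ttype": m["tcontext"].split(":")[2]}

def classify(avc):
    """Name the rule from the bug that would allow this denial, or None if unrelated."""
    if avc["stype"] not in SUDODOMAINS:
        return None
    if (avc["tclass"] == "sock_file" and avc["ttype"] in AGENT_SOCK_TYPES
            and avc["perms"] <= SOCK_FILE_PERMS):
        return "agent_sock_file"       # allow sudodomain <type>:sock_file { write getattr append open };
    if (avc["tclass"] == "unix_stream_socket" and avc["ttype"] in USERDOMAINS
            and "connectto" in avc["perms"]):
        return "agent_stream_connect"  # sudodomain stream connect to its userdomain
    return None

def find_agent_denials(audit_text):
    """Return (source type, target type, class, rule) for each denial the fix covers."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        rule = classify(avc) if avc else None
        if rule:
            hits.append((avc["stype"], avc["ttype"], avc["tclass"], rule))
    return hits
```

Feed it the output of `ausearch -m avc` from a host running sudo with pam_ssh_agent_auth: with the fixed policy installed, no hits should remain.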