Bug 218922
| Summary: | RIT107328 - LSPP - Run_init fails to run if spawned by Expect as sysadm | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Eduardo M. Fleury <efleury> |
| Component: | policycoreutils | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED WONTFIX | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Priority: | medium |
| Version: | 5.0 | CC: | iboverma, linda.knippers, sgrubb |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2006-12-13 14:10:01 UTC |

Description
Eduardo M. Fleury
2006-12-08 14:35:43 UTC
Created attachment 143150
Audit log messages for success and fail cases.
Created attachment 143151
Test script used to reproduce this bug.
This script tries to execute "run_init service" and send the user password when
asked to do so.
Usage: ./expri <user_password>
Requires "Expect" to be installed (it's installed by default in the LSPP
config).

Potential workaround: does adding pam_rootok to /etc/pam.d/run_init fix this problem?

Hi Daniel, I'm sorry, I'm not used to pam configuration. How do you suggest I include that in order to perform the test? I've tried adding it as "auth sufficient pam_rootok.so", but that makes it skip the password check altogether, which is not what we want. Adding it as "include" instead of "sufficient" stops run_init from working even if manually called. Thanks!

Sorry, I thought you wanted to test service startups. But if you want to test that run_init asks the questions, you do not want to add pam_rootok.

I am not sure we want to add policy to make your test work. In order to make it work, we would need to allow init scripts access to open fd's and fifo_pipes created by the sysadm_t. You could create your own policy module to go along with this test, via audit2allow -M mytest < /var/log/audit/audit.log. This is what our qa team is doing when the test actually causes SELinux problems.
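
Added example, not part of the bug thread or of policycoreutils: before loading a module built with audit2allow -M, it is worth seeing exactly which access the logged denials turn into. This Python code merges AVC denials into allow rules in a form similar to audit2allow's output; the log lines, the initrc_t source domain, and all function names are constructed for illustration and are not taken from the bug's attachments.

```python
import re
from collections import defaultdict

# Constructed AVC records, not the attachment from this bug. The initrc_t
# source domain, pids, inode numbers and timestamps are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1165588543.101:410): avc:  denied  { use } for  pid=2911 comm="service" name="1" dev=devpts ino=3 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=fd
type=AVC msg=audit(1165588543.101:411): avc:  denied  { read } for  pid=2911 comm="service" name="[9120]" dev=pipefs ino=9120 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=fifo_file
type=AVC msg=audit(1165588543.102:412): avc:  denied  { write } for  pid=2911 comm="service" name="[9121]" dev=pipefs ino=9121 scontext=system_u:system_r:initrc_t:s0 tcontext=staff_u:sysadm_r:sysadm_t:s0 tclass=fifo_file
type=USER_AUTH msg=audit(1165588540.000:409): user pid=2900 uid=0 auid=500 msg='PAM: authentication acct=root : exe="/usr/sbin/run_init" res=success'
"""

AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denied_access(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    access = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip USER_AUTH and other record types
        m = AVC_DENIED.search(line)
        if m:
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            access[key].update(m["perms"].split())
    return dict(access)

def allow_rules(access):
    """Render the merged denials as the allow rules a module would carry."""
    rules = []
    for (src, tgt, cls), perms in sorted(access.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(denied_access(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Reading the rules this way makes the scope of the grant visible: every init script domain process would gain the listed access to sysadm_t descriptors and pipes, not only the test.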