Bug 1480791 - /usr/libexec/sesh -> /usr/libexec/sudo/sesh needs policy update
/usr/libexec/sesh -> /usr/libexec/sudo/sesh needs policy update
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
All Linux
high Severity high
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-11 17:47 EDT by Chris Cheney
Modified: 2017-12-08 15:25 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
rhel-7.3 -> rhel-7.4 files section changes (763 bytes, patch)
2017-08-14 06:40 EDT, Daniel Kopeček
no flags Details | Diff

  None (edit)
Description Chris Cheney 2017-08-11 17:47:14 EDT
sudo was rebased between 7.3 and 7.4 one of the changes was the following:

  2013-02-06  Todd C. Miller  <Todd.Miller@courtesan.com>

        * configure, configure.in, doc/UPGRADE, mkpkg, src/Makefile.in,
        src/load_plugins.c, sudo.pp:
        Sudo now stores its libexec files in a "sudo" subdirectory instead
        of in libexec itself. For backwards compatibility, if the plugin is
        not found in the default plugin directory, sudo will check the
        parent directory default directory ends in "/sudo".
        [5de67de76489]

This moved the following files into a sub directory and the patch for selinux-policy was not updated to match:

ls -al /usr/libexec/sudo
total 524
drwxr-xr-x.  2 root root    156 Aug 11 16:05 .
drwxr-xr-x. 42 root root  12288 Aug 11 16:05 ..
-rw-r--r--.  1 root root  11104 Jun  7 06:38 group_file.so
lrwxrwxrwx.  1 root root     21 Aug 11 16:05 libsudo_util.so.0 -> libsudo_util.so.0.0.0
-rw-r--r--.  1 root root  82120 Jun  7 06:38 libsudo_util.so.0.0.0
-rwxr-xr-x.  1 root root  15376 Jun  7 06:38 sesh
-rw-r--r--.  1 root root 388104 Jun  7 06:38 sudoers.so
-rw-r--r--.  1 root root   6880 Jun  7 06:38 sudo_noexec.so
-rw-r--r--.  1 root root   6928 Jun  7 06:38 system_group.so


policy-rhel-7.4-base.patch

-/usr/libexec/sesh              --      gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/cockpit-bridge         -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sesh                      --      gen_context(system_u:object_r:shell_exec_t,s0)


This should be changed to:

+/usr/libexec/sudo/sesh                      --      gen_context(system_u:object_r:shell_exec_t,s0)
Comment 2 Chris Cheney 2017-08-11 17:48:58 EDT
Looks like this has happened before with a prior move from /usr/sbin bz#848693
Comment 3 Daniel Kopeček 2017-08-14 06:40 EDT
Created attachment 1313041 [details]
rhel-7.3 -> rhel-7.4 files section changes

Note You need to log in before you can comment on or make changes to this bug.