Red Hat Bugzilla – Bug 966549
Sudo auditing problems when selinux is enforced
Last modified: 2013-08-06 03:06:50 EDT
Description of problem:
I have a web application that uses the exec() function to call "sudo -H -u amavis amavisd-release" (see attached test file for an example). When selinux is enforced, sudo correctly completes but also returns this error:
"sudo: unable to send audit message: Permission denied"
Searching in the /var/log/audit/audit.log shows no useful information (I already modified the default selinux policy to allow the execution of an external script and a sudo session from within an httpd process).
If I use selinux in permissive mode, the error message is not returned, but in the /var/log/audit/audit.log file I cannot see any "denied" message.
Curiously, if I execute the command from a bash shell using the apache user (I changed the apache user to launch /bin/bash for testing purposes), I cannot see any error.
In the sudo debug log, I can see a message stating "May 23 14:44:16 sudo unable to send audit message: Permission denied @ linux_audit_command() ./linux_audit.c:93"
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up sudo not to require a tty
2. Load the attached selinux custom policy
3. Launch the attached php file from within apache
4. You will get a "sudo: unable to send audit message: Permission denied" error.
While sudo correctly completes, you get an error stating "sudo: unable to send audit message: Permission denied"
Sudo should execute without error. On the other hand, if the selinux policy somehow denies sudo sending an audit message, this should be logged somewhere.
I attached four files:
1) the php test file
2) the selinux custom policy template
3) the selinux custom binary policy
4) the complete sudo debug log.
Created attachment 752201: PHP test file
Created attachment 752202: Selinux policy template
Created attachment 752203: Selinux binary policy
Created attachment 752204: Sudo debug log
Can you turn off the dontaudit rules?
That will allow your domain to send audit messages.
Thank you very much Daniel!
I simply ignored the dontaudit facility and so I stumbled into this problem.
After disabling the dontaudit rules, I was able to find the offending messages and to grant the specific permission needed to run sudo without issues.
Thank you again :)
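The workaround Daniel describes, as a shell helper added here (it is not part of the bug report or its attachments): `semodule -DB` rebuilds the policy with dontaudit rules off so the previously silenced denials reach audit.log, and the parsing functions pull out which object class and permission sudo was denied. The AVC record in demo() is constructed, and the live path assumes root on an SELinux host with policycoreutils installed.

```shell
#!/bin/sh
# Added example, not part of the bug report or its attachments.
# Assumes an SELinux host with policycoreutils (semodule, audit2allow)
# and the audit log at /var/log/audit/audit.log; the AVC record in demo()
# is constructed to show what a dontaudit-hidden denial for sudo looks like.

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}

# Print the AVC records for one command name ($2, default sudo) from log $1.
avc_records_for() {
    grep 'type=AVC' "$1" | grep "comm=\"${2:-sudo}\""
}

# Reduce those records to unique "tclass:permissions" pairs, e.g.
# netlink_audit_socket:create, which is the kind of access sudo needs
# to deliver its audit message.
denied_classes() {
    avc_records_for "$1" "${2:-sudo}" |
        sed -n 's/.*denied *{ *\([^}]*[^} ]\) *} .*tclass=\([a-z_]*\).*/\2:\1/p' |
        sort -u
}

# Live workflow (root required): disable dontaudit rules, reproduce the
# failing sudo call from the web application, read the denials that were
# previously silenced, then restore the dontaudit rules.
live_check() {
    semodule -DB                      # rebuild policy with dontaudit rules off
    echo "dontaudit rules disabled; reproduce the sudo call, then press Enter"
    read _
    denied_classes "$AUDIT_LOG" sudo
    # audit2allow -a -M local_sudo_audit   would draft a module from these
    semodule -B                       # rebuild policy with dontaudit rules on
}

# Offline demo on a constructed log: only the sudo record must be reported,
# the unrelated httpd file denial must be filtered out.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
type=AVC msg=audit(1369313056.123:4567): avc:  denied  { create } for  pid=12345 comm="sudo" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1369313056.124:4568): avc:  denied  { read } for  pid=12346 comm="httpd" name="index.php" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF
    denied_classes "$tmp" sudo
    rm -f "$tmp"
}

case "${1:-}" in demo) demo ;; live) live_check ;; esac
```

Run it as `sh script.sh demo` for the offline check, or `sh script.sh live` as root on the affected host; remember that `semodule -DB` leaves the policy noisy until `semodule -B` is run again.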