Selinux /usr/bin/sudo from lock access on the file /run/sudo/ts/apache

perrymil · July 21, 2023, 10:28pm

I tried testing setting selinux to permissive, and it didn’t resolve this unfortunately. Any idea on how to resolve this?

Jul 21 18:22:28 openondemanddev setroubleshoot[3582]: SELinux is preventing /usr/bin/sudo from create access on the file /(null).#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sudo should be allowed create access on the (null) file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -X 300 -i my-sudo.pp#012
Jul 21 18:22:28 openondemanddev setroubleshoot[3582]: SELinux is preventing /usr/bin/sudo from 'read, write, open' accesses on the file /run/sudo/ts/apache. For complete SELinux messages run: sealert -l 5d97e663-f3d8-4480-a3b7-1324e9e5d464
Jul 21 18:22:28 openondemanddev setroubleshoot[3582]: SELinux is preventing /usr/bin/sudo from 'read, write, open' accesses on the file /run/sudo/ts/apache.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sudo should be allowed read write open access on the apache file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -X 300 -i my-sudo.pp#012
Jul 21 18:22:28 openondemanddev setroubleshoot[3582]: SELinux is preventing /usr/bin/sudo from lock access on the file /run/sudo/ts/apache. For complete SELinux messages run: sealert -l 9fb66a26-2472-4345-988f-9d1a4af61e51
Jul 21 18:22:28 openondemanddev setroubleshoot[3582]: SELinux is preventing /usr/bin/sudo from lock access on the file /run/sudo/ts/apache.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sudo should be allowed lock access on the apache file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -X 300 -i my-sudo.pp#012
Jul 21 18:22:38 openondemanddev systemd[1]: dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@4.service: Deactivated successfully.
Jul 21 18:22:39 openondemanddev systemd[1]: setroubleshootd.service: Deactivated successfully.

jeff.ohrstrom · July 25, 2023, 6:15pm

Have you installed the selinux package we provide as well? That should have setup the appropriate policy for OnDemand.

perrymil · July 25, 2023, 6:32pm

yes,

Jul 25 14:29:55 openondemanddev.ohsu.edu sudo[10612]:   apache : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u perrymil -a https%3a%2f%2fopenondema>
Jul 25 14:29:56 openondemanddev.ohsu.edu sudo[10615]: pam_unix(sudo:auth): conversation failed
Jul 25 14:29:56 openondemanddev.ohsu.edu sudo[10615]: pam_unix(sudo:auth): auth could not identify password for [apache]
Jul 25 14:29:58 openondemanddev.ohsu.edu sudo[10615]:   apache : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u perrymil -a https%3a%2f%2fopenondema>
Jul 25 14:29:59 openondemanddev.ohsu.edu sudo[10618]: pam_unix(sudo:auth): conversation failed
Jul 25 14:29:59 openondemanddev.ohsu.edu sudo[10618]: pam_unix(sudo:auth): auth could not identify password for [apache]
Jul 25 14:30:00 openondemanddev.ohsu.edu sudo[10618]:   apache : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u perrymil -a https%3a%2f%2fopenondema>
Jul 25 14:30:01 openondemanddev.ohsu.edu sudo[10622]: pam_unix(sudo:auth): conversation failed
Jul 25 14:30:01 openondemanddev.ohsu.edu sudo[10622]: pam_unix(sudo:auth): auth could not identify password for [apache]
Jul 25 14:30:04 openondemanddev.ohsu.edu sudo[10622]:   apache : user NOT in sudoers ; PWD=/ ; USER=root ; COMMAND=/opt/ood/nginx_stage/sbin/nginx_stage pun -u perrymil -a https%3a%2f%2fopenondema>

Interestingly, the output information changed since I last looked at it. Now it appears its an issue with the apache user…

jeff.ohrstrom · July 25, 2023, 6:45pm

Odd - the package should have installed a sudoers file for apache.

Specifically this file - https://github.com/OSC/ondemand/blob/e2dfdcc1dd5e4376bda17a5bd8f05bdbbd7ebe1d/packaging/files/sudo.erb

Can you check your /etc/sudoers.d directory for the ood file?

perrymil · July 25, 2023, 6:52pm

Strangely it wasn’t present there.

I added a new sudoers file with the following contents and it fixed it:

apache ALL=(root) NOPASSWD: /opt/ood/nginx_stage/sbin/nginx_stage

But it looks like there are a few other bits in that template.

jeff.ohrstrom · July 25, 2023, 10:42pm

That’s super strange. I wonder if the original file permissions were off or something?