在初始化脚本中我尝试运行一个命令:
su - user -c "/home/user/bin/command”
但 SELinux 阻止了这一点:
systemd[1]: Starting LSB: Start the my_script at boot...
su[5941]: pam_unix(su-l:auth): auth could not identify password for [user]
su[5941]: FAILED SU (to user) root on none
my_script[5939]: Password: Password: su: Authentication has failed
我已经应用了setsebool -P domain_can_mmap_files 1,并且还生成并应用了策略ausearch -c 'su' --raw | audit2allow -M my-su:
module my-su 1.0;
require {
type init_t;
type su_exec_t;
class file map;
}
#============= init_t ==============
allow init_t su_exec_t:file map;
我收到一条消息/var/log/audit.log:
type=USER_AVC msg=audit(1607611267.156:176): pid=6376 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { rootok } for scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=passwd permissive=0 exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" SAUID="root"
并且后续使用ausearch […]不会产生适当的政策。
有谁成功解决过类似的问题吗?
答案1
刚刚找到解决方案,缺少了allow init_t self:passwd rootok;。有效策略如下:
module my-su 1.0;
require {
type init_t;
type su_exec_t;
class file map;
class passwd rootok;
}
#============= init_t ==============
allow init_t su_exec_t:file map;
allow init_t self:passwd rootok;