configure selinux to allow sudoers on nfs share

Question

our system is as follows:

CentOS7
NIS for auth
home folders on nfs share
single sudoers file on NFS share for all machines.

so far, item one and two work fine. but, when I change my sudo.conf file to point to the global sudo file

/fs/global is a mountpoint for an NFS share

inside the /etc/sudo.conf file:

Plugin sudoers_policy sudoers.so sudoers_file=/fs/global/sudo/common/etc/sudoers

whenever i try to do visudo, i get permission denied (doing it logged into console as root)

I think i have narrowed the problem down to SELinux not being happy. I know this because if i disable SELinux, it works. but for this particular group of servers, the apps I'm loading require SELinux. So, what magic do i have to perform to make this work?

the authconfig i use

/sbin/authconfig --enablenis
          --nisdomain="{{ pan_nis_domain }}"
          --nisserver="{{ pan_nis_fqdn }}"
          --passalgo="md5"
          --enablecache
          --update

and the ansibles for SELinux i have so far

- name: Set ypbind to allow NIS to run
  seboolean:
    name: allow_ypbind
    state: yes
    persistent: yes

- name: Allow home folders mapped across NFS drives
  seboolean:
    name: use_nfs_home_dirs
    state: yes
    persistent: yes

edit:

The audit log doesn't show any errors

[root@cent1 audit]# tail -5 audit.log
type=CRYPTO_KEY_USER msg=audit(1553186275.802:2494): pid=26871 uid=0 auid=800 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:79:94:71:c9:57:85:a7:cf:86:7c:ae:f7:29:7c:4c:16:75:33:a5:6f:17:e8:5e:f6:1c:73:75:56:e8:f1:91:17 direction=? spid=26875 suid=800  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1553186296.734:2495): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1553186296.736:2496): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1553186296.765:2497): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1553186296.776:2498): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
[root@cent1 audit]# visudo
visudo: /fs/global/sudo/common/etc/sudoers: Permission denied
[root@cent1 audit]# tail -5 audit.log
type=CRYPTO_KEY_USER msg=audit(1553186275.802:2494): pid=26871 uid=0 auid=800 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:79:94:71:c9:57:85:a7:cf:86:7c:ae:f7:29:7c:4c:16:75:33:a5:6f:17:e8:5e:f6:1c:73:75:56:e8:f1:91:17 direction=? spid=26875 suid=800  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1553186296.734:2495): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1553186296.736:2496): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1553186296.765:2497): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1553186296.776:2498): pid=26893 uid=800 auid=800 ses=5 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_xauth acct="root" exe="/usr/bin/su" hostname=cent1.mycompany.com addr=? terminal=pts/0 res=success'
[root@cent1 audit]#

`/var/log/audit/audit.log` should tell you what is being denied by SELinux. — bodgit, Mar 21 '19 at 16:26
`visudo` will want to create a `/fs/global/sudo/common/etc/sudoers.tmp` lock file so it needs to be able to write there — bodgit, Mar 21 '19 at 17:29
i don't think its a root_squash issue because i have thousands of other machines that mount to that and work just fine. — scphantm, Mar 21 '19 at 17:47

score 0 · Answer 1 · answered Mar 22 '19 at 16:25

@Michael Hampton, turns out you were right. I'm new to this network and still learning, turns out the custom version of sudo they use here stripped out all the security features, like access to the sudoers file. using stock sudo, if fails, using the custom version, it works. so i configured everything to use our internal custom version. Thanks

configure selinux to allow sudoers on nfs share

1 Answers1