RHEL7.6: sudo'ing from confined user takes 25 seconds (d-bus timeout) then succeeds
Environment
- Red Hat Enterprise Linux 7.6
- sudo
- confined users with sudo privileges
- selinux-policy < 3.13.1-229.el7_6.10
Issue
- sudo'ing from confined user (e.g. staff_u) takes 25 seconds (d-bus timeout) then succeeds

      $ id -Z
      staff_u:staff_r:staff_t:s0-s0:c0.c1023
      $ time sudo true
      real 0m25.106s
      user 0m0.013s
      sys 0m0.058s
Resolution
- Please update the selinux-policy packages to selinux-policy-3.13.1-229.el7_6.10 shipped with Advisory RHBA-2019:0811 or later
- If this is not possible, consider applying the solution below
- Create the custom SELinux module by creating the sudo-bz1687452.te file with the following content:

      module sudo-bz1687452 1.0;

      require {
          type systemd_logind_sessions_t;
          attribute sudodomain;
          class fifo_file write;
      }

      allow sudodomain systemd_logind_sessions_t:fifo_file write;
- Compile the sudo-bz1687452 module:

      # yum -y install selinux-policy-devel
      # make -f /usr/share/selinux/devel/Makefile sudo-bz1687452.pp
- Install the sudo-bz1687452 module:

      # semodule -i sudo-bz1687452.pp
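
To confirm whether a host still needs the workaround and whether the module took effect, the following check can be used. It is an added example, not part of the original article; the function names and script name are hypothetical, and it assumes GNU `sort -V` ordering is close enough to RPM's version comparison for selinux-policy builds, with `sesearch` (from setools-console) treated as optional.

```shell
# Added example: does this host still need the sudo-bz1687452 workaround?
FIXED="3.13.1-229.el7_6.10"   # first fixed selinux-policy build, per the article

# Return 0 if version-release $1 sorts strictly before $FIXED.
# Assumption: `sort -V` stands in for RPM's own version comparison.
policy_is_affected() {
    [ "$1" != "$FIXED" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$FIXED" | sort -V | head -n 1)" = "$1" ]
}

# Return 0 if the custom module from the article is loaded.
workaround_loaded() {
    semodule -l 2>/dev/null | awk '{print $1}' | grep -qx 'sudo-bz1687452'
}

# Return 0 if the loaded policy contains the allow rule the module adds.
rule_present() {
    sesearch -A -s sudodomain -t systemd_logind_sessions_t \
        -c fifo_file -p write 2>/dev/null | grep -q 'fifo_file'
}

check_host() {
    local vr
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy) || return 2
    if ! policy_is_affected "$vr"; then
        echo "selinux-policy $vr includes the fix; no workaround needed"
        return 0
    fi
    if ! workaround_loaded; then
        echo "selinux-policy $vr is affected; update it or install sudo-bz1687452"
        return 1
    fi
    # Cross-check the rule itself when sesearch is installed.
    if command -v sesearch >/dev/null 2>&1 && ! rule_present; then
        echo "module is listed but the allow rule is missing from the policy"
        return 1
    fi
    echo "selinux-policy $vr is affected; workaround module is active"
}

# Run the check only when asked, e.g.: sh check-bz1687452.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

After the check reports the workaround as active, `time sudo true` from the confined user should no longer show the 25 second delay.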
Root Cause
Previously, sudodomain wasn't allowed to write to systemd_logind_sessions_t pipes, and therefore the d-bus timeout occurred.