RPM packages do not install SELinux module #70

Closed
mfischer-zd opened this issue Oct 20, 2015 · 9 comments

@mfischer-zd

The pam_duo RPM generated by the spec file needs to generate and install the SELinux module on supported EL servers.

@mschwager
Contributor

Thanks for the heads up! We're aware of this issue and working on it :)

@mfischer-zd
Author

ETA?

@mschwager
Contributor

Should be soon. This is part of a larger effort to release the newest version of all the Duo Unix packages. In the meantime, if you need your SELinux policies updated immediately, the following commands should do the trick:

$ curl https://raw.githubusercontent.com/duosecurity/duo_unix/master/pam_duo/authlogin_duo.te > authlogin_duo.te
$ checkmodule -M -m -o authlogin_duo.mod authlogin_duo.te
$ semodule_package -o authlogin_duo.pp -m authlogin_duo.mod
$ semodule -i authlogin_duo.pp

@mfischer-zd
Author

Great to hear. While you're at it, do you plan to add the pam_duo and other RPMs to your official repo?

@mschwager
Contributor

The duo_unix RPM should already contain pam_duo:

$ wget http://pkg.duosecurity.com/CentOS/7/x86_64/duo_unix-1.9.13-0.x86_64.rpm
2015-10-23 09:41:00 (479 KB/s) - ‘duo_unix-1.9.13-0.x86_64.rpm’ saved [303050/303050]
$ rpm -qlp duo_unix-1.9.13-0.x86_64.rpm
warning: duo_unix-1.9.13-0.x86_64.rpm: Header V3 DSA/SHA1 Signature, key ID 15d32efc: NOKEY
/etc/duo/login_duo.conf
/etc/duo/pam_duo.conf
/lib64/security/pam_duo.la
/lib64/security/pam_duo.so
/usr/include/duo.h
/usr/include/util.h
/usr/lib64/libduo.a
/usr/lib64/libduo.la
/usr/lib64/libduo.so
/usr/lib64/libduo.so.3
/usr/lib64/libduo.so.3.0.0
/usr/lib64/pkgconfig/libduo.pc
/usr/sbin/login_duo
/usr/share/doc/duo_unix/AUTHORS
/usr/share/doc/duo_unix/CHANGES
/usr/share/doc/duo_unix/LICENSE
/usr/share/doc/duo_unix/README
/usr/share/man/man3/duo.3
/usr/share/man/man8/login_duo.8
/usr/share/man/man8/pam_duo.8

@mschwager
Contributor

This issue should be fixed with the latest RPM package. Can you confirm?

@henry-spanka

Auth log throws error.

Solution:
Execute the following command in the postinstall script:
semodule -i /usr/share/selinux/packages/authlogin_duo.pp.bz2

Tested on CentOS 7.1

@mschwager
Contributor

Our postinstall should enable the SELinux module:

$ wget -q http://pkg.duosecurity.com/CentOS/7/x86_64/duo_unix-1.9.17-0.x86_64.rpm
$ rpm -qp --scripts duo_unix-1.9.17-0.x86_64.rpm 
postinstall scriptlet (using /bin/sh):
chown sshd:root /etc/duo/login_duo.conf; chmod 4755 /usr/sbin/login_duo; /sbin/ldconfig; command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled && semodule -i /usr/share/selinux/packages/authlogin_duo.pp.bz2; /bin/true
...

Does one of the following commands return false:

command -v selinuxenabled > /dev/null 2>&1
selinuxenabled

@henry-spanka

Seems like it only happens when upgrading from an old version.
Maybe you should also exec semodule on upgrade (postupgrade).
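
One way to check for the situation described in the last comment, where the module is not loaded after an upgrade. This is an added example, not part of the thread or of the duo_unix packaging: the module name and package path come from the thread, while the function names and the `DUO_PP` override are hypothetical.

```shell
#!/bin/sh
# Idempotent check-and-load for the authlogin_duo SELinux module.
# Module name and .pp.bz2 path are taken from the thread; function names
# and the DUO_PP environment override are assumptions for this example.

DUO_MODULE="authlogin_duo"
DUO_PP="${DUO_PP:-/usr/share/selinux/packages/authlogin_duo.pp.bz2}"

# Returns 0 if the module is listed by `semodule -l`.
# The listing is "name" or "name<whitespace>version" depending on the release.
duo_module_loaded() {
    semodule -l 2>/dev/null | grep -Eq "^${DUO_MODULE}([[:space:]]|\$)"
}

# Prints one status word; returns 0 on success or skip, 1 on failure:
#   no-selinux  selinuxenabled is missing or SELinux is disabled
#   present     module is already loaded, nothing to do
#   installed   module was missing and `semodule -i` loaded it
#   missing-pp  policy package file is not on disk
#   failed      `semodule -i` failed or the module is still not listed
ensure_duo_module() {
    # Same guard as the package's postinstall scriptlet.
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "no-selinux"; return 0
    fi
    if duo_module_loaded; then
        echo "present"; return 0
    fi
    if [ ! -f "$DUO_PP" ]; then
        echo "missing-pp"; return 1
    fi
    # Verify after installing rather than trusting the exit code alone.
    if semodule -i "$DUO_PP" && duo_module_loaded; then
        echo "installed"; return 0
    fi
    echo "failed"; return 1
}

# Typical use, as root after an install or upgrade:
#   ensure_duo_module || echo "authlogin_duo not loaded" >&2
```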
