<html><body bgcolor="#FFFFFF"><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); "><span>I'm seeing these SELinux messages, and have been trying to learn how to</span><br><span>config SELinux to allow the script to sudo. CLI works fine with sudo.</span><br><span></span><br><span>"SELinux is preventing /bin/bash "execute" access on /usr/bin/sudo." </span><br><span>"SELinux is preventing /bin/bash "getattr" access on /usr/bin/sudo."</span><br><span></span><br><span>It seems I must create a "local policy module". Anyone know this stuff and</span><br><span>can confirm? I've been Googling up a storm looking for others that have</span><br><span>already done this but have not found anything. I found the</span><br><span>/usr/share/selinux/ dir structure with some existing ones, but nothing with</span><br><span>sudo in the name. Will need to figure out how to create it.</span><br><span></span><br><span>I also tried setting the -r (role) and -t (type) arguments to the sudo</span><br><span>command before embarking on a policy module. So I'm not sure if that should</span><br><span>work on its own (maybe using incorrect values or something) or selinux needs</span><br><span>config with or without the sudo args too?</span><br><span></span><br><span>Or is there a better way to invoke a privileged command as non-root user</span><br><span>than sudo?</span></span><div></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.226562); -webkit-composition-frame-color: rgba(77, 128, 180, 0.226562);"><br></span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.289062); -webkit-composition-fill-color: rgba(175, 192, 227, 0.222656); -webkit-composition-frame-color: rgba(77, 128, 180, 0.222656);">----------------</span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.285156); -webkit-composition-fill-color: rgba(175, 192, 227, 0.21875); -webkit-composition-frame-color: rgba(77, 128, 180, 0.21875);"><br></span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.28125); -webkit-composition-fill-color: rgba(175, 192, 227, 0.214844); -webkit-composition-frame-color: rgba(77, 128, 180, 0.214844);">You can create a local selinux module by using audit2allow as root. </span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.277344); -webkit-composition-fill-color: rgba(175, 192, 227, 0.210938); -webkit-composition-frame-color: rgba(77, 128, 180, 0.210938);"><br></span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.273438); -webkit-composition-fill-color: rgba(175, 192, 227, 0.207031); -webkit-composition-frame-color: rgba(77, 128, 180, 0.207031);">1) grep "sudo" /var/log/audit/audit.log | audit2allow -M sudobashfix</span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.269531); -webkit-composition-fill-color: rgba(175, 192, 227, 0.203125); -webkit-composition-frame-color: rgba(77, 128, 180, 0.203125);">2) semodule -i sudobashfix.pp</span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.265625); -webkit-composition-fill-color: rgba(175, 192, 227, 0.199219); -webkit-composition-frame-color: rgba(77, 128, 180, 0.199219);"><br></span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.261719); -webkit-composition-fill-color: rgba(175, 192, 227, 0.195312); -webkit-composition-frame-color: rgba(77, 128, 180, 0.195312);">Regards,</span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.257812); -webkit-composition-fill-color: rgba(175, 192, 227, 0.191406); -webkit-composition-frame-color: rgba(77, 128, 180, 0.191406);"><br></span></div><div><span class="Apple-style-span" style="font-size: 15px; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.253906); -webkit-composition-fill-color: rgba(175, 192, 227, 0.1875); -webkit-composition-frame-color: rgba(77, 128, 180, 0.1875);">Dan</span></div></body></html>