How do I run the dracut command from non-root C code?

Time: 2019-06-15 01:35:40

Tags: c

I am developing a tool that modifies LUKS partitions and disks. Everything was working fine. Until now...

To handle the disks correctly as a non-root user, I added some polkit rules for changing passphrases, opening partitions, changing crypttab, and so on.

But when I change crypttab I run into a problem: I need to run dracut to apply some dracut modules (dracut --force). Especially the last one.

My user is a member of the admin group, and I added a rule to the sudoers file so that no sudo password is asked when the application is executed.

So I decided to use this code:

#include <sys/wait.h>
#include <unistd.h>
#include <glib.h>      /* gchar */

gchar *dracut[] = {"/usr/bin/sudo", "/usr/bin/dracut", "--force", NULL};
pid_t child;

if ((child = fork()) > 0) {
    waitpid(child, NULL, 0);            /* parent: wait for sudo to finish */
} else if (!child) {
    execvp("/usr/bin/sudo", dracut);    /* child: replaced by sudo on success */
    _exit(127);                         /* only reached if exec failed */
}

It does not work, because SELinux prevents this command from running:

SELinux is preventing /usr/bin/sudo from getattr access on the chr_file /dev/hpet.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sudo should be allowed getattr access on the hpet chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp


Additional Information:
Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context                system_u:object_r:clock_device_t:s0
Target Objects                /dev/hpet [ chr_file ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           sudo-1.8.25p1-4.el8.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.1-61.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jcfaracco@hostname
Platform                      Linux jcfaracco@hostname 4.18.0-80.el8.x86_64 #1
                              SMP Wed Mar 13 12:02:46 UTC 2019 x86_64 x86_64
Alert Count                   9
First Seen                    2019-06-14 19:32:42 -03
Last Seen                     2019-06-14 19:42:46 -03
Local ID                      772b2c41-2302-4ee0-8886-52789eb63e22

Raw Audit Messages
type=AVC msg=audit(1560552166.658:199): avc:  denied  { getattr } for  pid=2291 comm="sudo" path="/dev/hpet" dev="devtmpfs" ino=10776 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:clock_device_t:s0 tclass=chr_file permissive=0


type=SYSCALL msg=audit(1560552166.658:199): arch=x86_64 syscall=stat success=no exit=EACCES a0=7ffd4a6dffb0 a1=7ffd4a6def20 a2=7ffd4a6def20 a3=7fe845a73181 items=0 ppid=1756 pid=2291 auid=4294967295 uid=982 gid=980 euid=0 suid=0 fsuid=0 egid=980 sgid=980 fsgid=980 tty=tty1 ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=gnome-initial-setup GID=gnome-initial-setup EUID=root SUID=root FSUID=root EGID=gnome-initial-setup SGID=gnome-initial-setup FSGID=gnome-initial-setup

Hash: sudo,xdm_t,clock_device_t,chr_file,getattr

Do you know how to solve this? Any other idea for calling dracut from C code is also welcome, if there is some other clever way to solve it.
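The snippet in the question forks and execs sudo but cannot tell its caller whether sudo ran at all, whether the exec failed, or how dracut exited. The following is an added example (not the question author's code) of a fork/exec helper that reports each of those outcomes separately: a close-on-exec pipe carries the errno of a failed exec back to the parent, and the parent decodes the wait status into a normal exit code or a terminating signal. It assumes the same paths as the question (/usr/bin/sudo, /usr/bin/dracut) in main, and /bin/sh in the small shell helpers. Note that this does not by itself change the SELinux outcome shown in the log: the audit line shows the process running in the xdm_t domain as the gnome-initial-setup user, and the denial is decided by that domain, not by how the child is spawned. What the helper does give you is an unambiguous distinction between "exec failed" and "sudo ran and exited non-zero", which is the first thing to log when a privileged step is denied.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* How a child run ended. */
enum run_how { RUN_EXITED, RUN_SIGNALED, RUN_EXEC_FAILED, RUN_FORK_FAILED, RUN_WAIT_FAILED };

struct run_result {
    enum run_how how;
    int value;   /* exit status, signal number, or errno, depending on `how` */
};

/*
 * Fork, execv(argv[0], argv), wait, and report precisely what happened.
 * The write end of `errpipe` is marked close-on-exec: if exec succeeds the
 * kernel closes it and the parent reads EOF; if exec fails the child writes
 * its errno into the pipe before exiting with 127.
 */
struct run_result run_command(char *const argv[])
{
    struct run_result r = { RUN_FORK_FAILED, 0 };
    int errpipe[2];

    if (pipe(errpipe) < 0) { r.value = errno; return r; }
    fcntl(errpipe[1], F_SETFD, FD_CLOEXEC);

    pid_t child = fork();
    if (child < 0) {
        r.value = errno;
        close(errpipe[0]); close(errpipe[1]);
        return r;
    }
    if (child == 0) {                       /* child */
        close(errpipe[0]);
        execv(argv[0], argv);
        int err = errno;                    /* only reached if exec failed */
        ssize_t w = write(errpipe[1], &err, sizeof err);
        (void)w;
        _exit(127);
    }

    close(errpipe[1]);                      /* parent keeps only the read end */
    int err = 0;
    ssize_t n;
    do { n = read(errpipe[0], &err, sizeof err); } while (n < 0 && errno == EINTR);
    close(errpipe[0]);

    int status;
    while (waitpid(child, &status, 0) < 0) {
        if (errno != EINTR) { r.how = RUN_WAIT_FAILED; r.value = errno; return r; }
    }
    if (n == (ssize_t)sizeof err) { r.how = RUN_EXEC_FAILED; r.value = err; return r; }
    if (WIFEXITED(status))        { r.how = RUN_EXITED;   r.value = WEXITSTATUS(status); }
    else if (WIFSIGNALED(status)) { r.how = RUN_SIGNALED; r.value = WTERMSIG(status); }
    return r;
}

/* Helpers used to exercise run_command with /bin/sh (assumed to exist). */
static struct run_result run_shell(const char *cmd)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_command(argv);
}

int shell_exit_status(const char *cmd)   /* exit code, or -1 if not a normal exit */
{
    struct run_result r = run_shell(cmd);
    return r.how == RUN_EXITED ? r.value : -1;
}

int shell_term_signal(const char *cmd)   /* terminating signal, or -1 */
{
    struct run_result r = run_shell(cmd);
    return r.how == RUN_SIGNALED ? r.value : -1;
}

int exec_failure_errno(const char *path) /* errno from a failed exec, or -1 */
{
    char *const argv[] = { (char *)path, NULL };
    struct run_result r = run_command(argv);
    return r.how == RUN_EXEC_FAILED ? r.value : -1;
}

int main(void)
{
    /* Same invocation as in the question; sudo's own denial shows up as a non-zero exit. */
    char *const dracut[] = { "/usr/bin/sudo", "/usr/bin/dracut", "--force", NULL };
    struct run_result r = run_command(dracut);
    switch (r.how) {
    case RUN_EXITED:      printf("sudo exited with status %d\n", r.value); break;
    case RUN_SIGNALED:    printf("sudo killed by signal %d\n", r.value); break;
    case RUN_EXEC_FAILED: printf("exec failed: %s\n", strerror(r.value)); break;
    default:              printf("fork/wait failed: %s\n", strerror(r.value)); break;
    }
    return r.how == RUN_EXITED ? r.value : 1;
}
```

The exit code of 127 from the child is a conventional "command not found" marker, but the pipe is what makes the result unambiguous: a program that legitimately exits 127 is still reported as RUN_EXITED, because nothing was written into the pipe.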

0 answers:

No answers