From c4b62490714ea849cedfe07d4b9a6aebf1f815c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Tue, 30 Apr 2019 16:11:46 +0200
Subject: [PATCH] Drop systemd support from PAM

The line being removed is the cause of audit.log spam with a SELinux enforcing (and permissive) system. They are due to the fact we're calling "sudo" from within some containers, and PAM wants to connect to the host "dbus" socket (mounted in /run). This action is obviously denied by SELinux. The "-" prefix makes this module optional anyway, but apparently PAM does see it and tries to use it. Dropping this module has no consequences other than preventing log spamming.

Change-Id: I3e0e86026f5a4a78473bed824cd1682d3a020cd5
Co-Authored-By: Michele Baldessari
Resolves-Bug: #1819461
---
 docker/base/Dockerfile.j2 | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/base/Dockerfile.j2 b/docker/base/Dockerfile.j2
index a26ba63fce..135f4ea4a9 100644
--- a/docker/base/Dockerfile.j2
+++ b/docker/base/Dockerfile.j2
@@ -402,6 +402,10 @@ RUN sed -i \
 {# endif base_package_type deb #}
 {% endif %}
 
+{% if base_distro == 'centos' or base_distro == 'rhel' %}
+RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
+{% endif %}
+
 COPY set_configs.py /usr/local/bin/kolla_set_configs
 COPY start.sh /usr/local/bin/kolla_start
 COPY sudoers /etc/sudoers
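Review bot: The added `sed -ri` edits the PAM session stack with no comment in the template, and it exits 0 whether or not a line matched, so a base image whose `system-auth` is laid out differently would keep `pam_systemd` with no build-time signal. A Jinja comment above the `RUN`, for example `{# pam_systemd makes sudo inside containers contact the host dbus socket, which SELinux denies and logs (bug #1819461) #}`, would keep the reason next to the change. If `/etc/pam.d/system-auth` is a symlink in the base image (I believe it commonly is on CentOS/RHEL 7, worth confirming), GNU `sed -i` replaces the link with a regular file unless `--follow-symlinks` is given, so the template should say which of the two outcomes is intended. The pattern also leaves the `.` in `pam_systemd.so` unescaped; `pam_systemd\.so` is the literal match.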