Drop systemd support from PAM

The line being removed is the cause of audit.log spam with a
SELinux enforcing (and permissive) system. They are due to the
fact we're calling "sudo" from within some containers, and PAM
wants to connect to the host "dbus" socket (mounted in /run).
This action is obviously denied by SELinux.

The "-" prefix makes this module optional anyway, but apparently
PAM does see it and tries to use it.

Dropping this module has no consequences other than preventing
log spamming.

Change-Id: I3e0e86026f5a4a78473bed824cd1682d3a020cd5
Co-Authored-By: Michele Baldessari <mbaldess@redhat.com>
Resolves-Bug: #1819461
(cherry picked from commit c4b6249071)
Cédric Jeanneret 2019-04-30 16:11:46 +02:00
parent 2648c12c8d
commit c56ee10d21
1 changed files with 4 additions and 0 deletions

@ -402,6 +402,10 @@ RUN sed -i \
{# endif base_package_type deb #}
{% endif %}
{% if base_distro == 'centos' or base_distro == 'rhel' %}
RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth
{% endif %}
COPY set_configs.py /usr/local/bin/kolla_set_configs
COPY start.sh /usr/local/bin/kolla_start
COPY sudoers /etc/sudoers
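
Review bot: The `RUN sed -ri '/-session(\s+)optional(\s+)pam_systemd.so/d' /etc/pam.d/system-auth` line exits 0 whether or not it deleted anything, so if the base image ever writes that entry differently (for example `session` without the leading `-`, or a control other than `optional`), the build still passes and the audit.log denials described in the commit message return unnoticed. Consider chaining a check in the same RUN, such as `&& ! grep -q pam_systemd /etc/pam.d/system-auth`, so the image build fails when the module is still referenced. Smaller points on the same line: the `.` in `pam_systemd.so` is unescaped and the two `(\s+)` groups are never used, so `/^-session\s+optional\s+pam_systemd\.so/d` would be tighter. A one-line template comment above the RUN pointing at bug #1819461 would also tell the next reader why the module is dropped only for centos and rhel.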