Sudoers cannot do command sudo

Bnux
Posts: 5
Joined: 2022/10/27 08:34:28

Post by Bnux » 2022/10/27 08:50:13

Hi all,
I am new here. My server has CentOS 8. Actually I can't log in as root by console or ssh, so I booted into single user mode and did chroot /sysroot. After changing the root password, even though it succeeded, I still get permission denied.
Then I added a user to sudoers, which is already done for the user id; I also verified it is in the wheel group and it's okay.
But when I log in at the console or over ssh, the sudo command fails with the error:
Sudo:pam_open_session:permission denied
Sudo: policy plugin failed session initialization

Please help me if you have any advice.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoers cannot do command sudo

Post by TrevorH » 2022/10/27 09:13:44

As root: restorecon -RFv /etc/passwd /etc/shadow
or
touch /.autorelabel then reboot.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Bnux
Posts: 5
Joined: 2022/10/27 08:34:28

Re: Sudoers cannot do command sudo

Post by Bnux » 2022/10/27 09:22:41

Could you explain more about restorecon, please? Why should I do it? I have already done touch /.autorelabel before.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoers cannot do command sudo

Post by TrevorH » 2022/10/27 09:55:51

It resets the selinux context on /etc/passwd and /etc/shadow. Access to those files will fail if the context is wrong and logins will fail. Editing the file from a rescue boot will corrupt the context and require it to be reset. Theoretically the restorecon should be quicker than the autorelabel as it processes just those 2 files where autorelabel does ALL files.

You could also append 'enforcing=0' (without quotes) to the end of the kernel command line so that it boots in permissive mode - if that works then it will confirm that the problem is selinux related.
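The context check described in the reply above, as an added example that is not part of the original thread: it reads `ls -Z` output and reports any of the two files whose SELinux type differs from what the targeted policy expects. The function names and the sample lines are constructed for illustration; the expected types (passwd_file_t, shadow_t) are assumed from the stock targeted policy.

```shell
#!/bin/sh
# Added example (not from the thread): flag /etc/passwd or /etc/shadow when
# the SELinux type shown by `ls -Z` is not the one the targeted policy expects.

# Expected type per file (assumption: stock targeted policy).
expected_type() {
    case "$1" in
        /etc/passwd) echo passwd_file_t ;;
        /etc/shadow) echo shadow_t ;;
        *)           echo "" ;;
    esac
}

# Reads "context path" lines on stdin (the layout `ls -Z` prints on EL8).
# Prints one line per mislabeled file; returns 0 if all match, 1 otherwise.
check_auth_labels() {
    bad=0
    while read -r context path; do
        want=$(expected_type "$path")
        [ -n "$want" ] || continue          # ignore files we have no rule for
        # A context is user:role:type:level, so the type is field 3.
        # -s yields an empty string when there is no context at all ("?").
        have=$(printf '%s\n' "$context" | cut -s -d: -f3)
        if [ "$have" != "$want" ]; then
            echo "MISLABELED $path: have=${have:-none} want=$want"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: /etc/shadow rewritten from a rescue shell, label lost.
SAMPLE_BAD='system_u:object_r:passwd_file_t:s0 /etc/passwd
system_u:object_r:unlabeled_t:s0 /etc/shadow'

# Constructed sample: both files carry the expected types.
SAMPLE_GOOD='system_u:object_r:passwd_file_t:s0 /etc/passwd
system_u:object_r:shadow_t:s0 /etc/shadow'

# Demo on the constructed input. On a real host, feed it live output instead:
#   ls -Z /etc/passwd /etc/shadow | check_auth_labels
printf '%s\n' "$SAMPLE_BAD" | check_auth_labels || :
```

On a live system, `restorecon -nv /etc/passwd /etc/shadow` gives a similar dry-run report straight from the loaded policy without changing any label.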

Bnux
Posts: 5
Joined: 2022/10/27 08:34:28

Re: Sudoers cannot do command sudo

Post by Bnux » 2022/10/28 01:57:16

I am still curious why the issue occurred, since last time another team was doing cp to this server and failed.
I haven't yet visited the room where the server is installed, but over ssh I get the output below:
------------
$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
------------
Does the enforcing targeted mode make this happen? As far as I know it is the default setting...
Why could root log in before?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoers cannot do command sudo

Post by TrevorH » 2022/10/28 02:49:48

i boot as single user mode and chroot /sysroot
Doing this causes the files to get the wrong context.

Bnux
Posts: 5
Joined: 2022/10/27 08:34:28

Re: Sudoers cannot do command sudo

Post by Bnux » 2022/10/28 21:09:49

TrevorH wrote:
2022/10/27 09:13:44
As root: restorecon -RFv /etc/passwd /etc/shadow
or
touch /.autorelabel then reboot.
After doing this, I can't log in to any account.
I will try again with touch /.autorelabel then reboot.
I will share the result after that.

Bnux
Posts: 5
Joined: 2022/10/27 08:34:28

Re: Sudoers cannot do command sudo

Post by Bnux » 2022/10/28 22:22:18

Bnux wrote:
2022/10/28 21:09:49
TrevorH wrote:
2022/10/27 09:13:44
As root: restorecon -RFv /etc/passwd /etc/shadow
or
touch /.autorelabel then reboot.
After doing this, I can't log in to any account.
I will try again with touch /.autorelabel then reboot.
I will share the result after that.
Yes, I did touch /.autorelabel. I can log in directly with the sudo user locally, but like before, I still cannot run the sudo command;
the error message is the same.

Is there any other idea? Please give me advice.
