[tacacs]: Fix tcpdump report error when tacacs enabled (#16372)
Fix tcpdump report error when tacacs enabled.

Why I did it

Fix tcpdump report error when tacacs enabled:

Sep 1 09:25:18.189395 vlab-01 ERR tcpdump: nss_tacplus: /etc/tacplus_nss.conf fopen failed
Sep 1 09:25:18.189606 vlab-01 ERR tcpdump: nss_tacplus: bad config or server line for nss_tacplus

This is because Debian adds a patch that creates an AppArmor profile for resource access control. The profile needs an update to allow tcpdump to access /etc/tacplus_nss.conf.

Work item tracking

Microsoft ADO: 17667308

How I did it

Modify the tcpdump AppArmor profile, adding a new line to allow tcpdump to access the TACACS config file:

/etc/tacplus_nss.conf r,
parent ac39220a77
commit 11f5a75425
@ -407,6 +407,10 @@ LogsDirectory=audit
|
|||||||
LogsDirectoryMode=0750
|
LogsDirectoryMode=0750
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
|
# latest tcpdump control resource access with AppArmor.
|
||||||
|
# override tcpdump profile to allow tcpdump access TACACS config file.
|
||||||
|
sudo cp files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump
|
||||||
|
|
||||||
if [[ $CONFIGURED_ARCH == amd64 ]]; then
|
if [[ $CONFIGURED_ARCH == amd64 ]]; then
|
||||||
## Pre-install the fundamental packages for amd64 (x86)
|
## Pre-install the fundamental packages for amd64 (x86)
|
||||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install \
|
||||||
|
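Review bot: the added `sudo cp files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump` line assumes the destination directory already exists at this point in the script and leaves the mode and owner of the copied file to whatever `cp` produces. Nothing in the visible context creates `etc/apparmor.d/local/`, and the copy sits ahead of the `apt-get -y install` block, so if that directory is only created by a package installed later the build fails here. Consider `sudo install -D -m 0644 -o root -g root files/apparmor/usr.bin.tcpdump $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.bin.tcpdump`, which creates missing parent directories and pins permissions on a file that alters an AppArmor policy. The two new comment lines would also read better as one sentence naming the reason, for example "tcpdump is confined by an AppArmor profile; install a local override so it can read the TACACS NSS config."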
2
files/apparmor/usr.bin.tcpdump
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# tcpdump will call getpwnam get current user information, the NSS plugin nss_tacplus hook this API and need access tacacs config file.
|
||||||
|
/etc/tacplus_nss.conf r,
|
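Review bot: the comment on the first line of the new file is hard to parse and should spell out the access chain so a later reader can judge whether the rule is still needed: tcpdump calls getpwnam, the lookup goes through NSS, and the nss_tacplus plugin opens /etc/tacplus_nss.conf. The rule `/etc/tacplus_nss.conf r,` is appropriately narrow (one exact path, read-only) and should stay that way, since it makes the whole file readable from inside the tcpdump confinement; avoid widening it to a glob or adding write permission. The change carries no check that the two `nss_tacplus` errors from the commit message are gone once the override is installed; a test that runs tcpdump with TACACS enabled and asserts those lines are absent from syslog would guard against the profile regressing.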