Added SELinux support for sudo logging#376

Merged

EthanHeilman merged 1 commit into

openpubkey:mainfrom

descensus:patch-1

Oct 19, 2025

Contributor

descensus commented Oct 18, 2025

For security reasons, allow opkssh sudo commands to be logged to the optionally specified "logfile" in sudoers.
Without this, opkssh writes to /var/log/opkssh.log with the following warning:

"[...] got output sudo: unable to open log file: /var/log/sudo.log: Permission denied"


          Added SELinux support for sudo logging

7eff495

For security reasons, allow opkssh sudo commands to be logged to the optionally specified "logfile" in sudoers.

Without this, opkssh writes to /var/log/opkssh.log with the following warning:

"[...] got output sudo: unable to open log file: /var/log/sudo.log: Permission denied"

Signed-off-by: ▖ ▀ ▞▒ ▓ ░ descensus▒ ░ ▓ ▚ ▀ ▗ ▒ ░ ▓ ▚ ▀ ▗ ▒ ░ ▓ ▚ ▀ ▗ ▒ ░ ▓ ▚ ▀ ▗  <134628590+descensus@users.noreply.github.com>

EthanHeilman approved these changes

View reviewed changes

Member

EthanHeilman left a comment

LGTM

Member

EthanHeilman commented Oct 19, 2025

Thanks, got catch, I didn't notice the warnings since I typically test on ubuntu

EthanHeilman merged commit 6fa6e38 into openpubkey:main

14 checks passed

renovate Bot added a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency openpubkey/opkssh to v0.11.0

e5d091e

##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0)

##### 🚀 Features

- Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133))
- feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437))
- feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436))
- Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374))
- \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349))
- Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365))
- Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358))
- - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414))
- docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409))
- Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368))

##### 🐛 Bug Fixes

- Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391))
- \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361))
- fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336))
- Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344))
- Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341))

##### 🧰 Maintenance

- chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438))
- Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421))
- \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362))
- Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432))
- fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426))
- fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413))
- fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418))
- fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335))
- fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))

sdwilsh pushed a commit to sdwilsh/ansible-playbooks that referenced this pull request


          chore(deps): update dependency openpubkey/opkssh to v0.11.0

a7acc4b

##### [\`v0.11.0\`](https://github.com/openpubkey/opkssh/releases/tag/v0.11.0)

##### 🚀 Features

- Add support for custom group claims [@mvanderlee](https://github.com/mvanderlee) ([#133](openpubkey/opkssh#133))
- feat: Flag to print SSH cert and private key rather than FS [@EthanHeilman](https://github.com/EthanHeilman) ([#437](openpubkey/opkssh#437))
- feat: Process extra arguments to the verify command [@justincmoy](https://github.com/justincmoy) ([#436](openpubkey/opkssh#436))
- Add warning message when email claim is missing from ID token @[copilot-swe-agent\[bot\]](https://github.com/apps/copilot-swe-agent) ([#374](openpubkey/opkssh#374))
- \[feat] Add new "inspect" subcommand [@stmcginnis](https://github.com/stmcginnis) ([#349](openpubkey/opkssh#349))
- Add CLI reference documentation [@stmcginnis](https://github.com/stmcginnis) ([#365](openpubkey/opkssh#365))
- Include signature JSON in `inspect` output [@stmcginnis](https://github.com/stmcginnis) ([#358](openpubkey/opkssh#358))
- - docs: Add Amazon Cognito as tested provider [@Foorack](https://github.com/Foorack) ([#414](openpubkey/opkssh#414))
- docs: Add documentation for opkssh and sssd integration [@vigneshmanick](https://github.com/vigneshmanick) ([#409](openpubkey/opkssh#409))
- Added SELinux support for sudo logging [@descensus](https://github.com/descensus) ([#376](openpubkey/opkssh#376))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#368](openpubkey/opkssh#368))

##### 🐛 Bug Fixes

- Fix race condition in ReadHome [@gcorrall](https://github.com/gcorrall) ([#391](openpubkey/opkssh#391))
- \[fix] Use lowercase for positional argument placeholders [@t38miwa](https://github.com/t38miwa) ([#361](openpubkey/opkssh#361))
- fix typo in commands/verify.go [@DevRockstarZ](https://github.com/DevRockstarZ) ([#336](openpubkey/opkssh#336))
- Doc: fix small errors in policy plugin doc [@PotatoesMaster](https://github.com/PotatoesMaster) ([#344](openpubkey/opkssh#344))
- Correct macOS name [@stmcginnis](https://github.com/stmcginnis) ([#341](openpubkey/opkssh#341))

##### 🧰 Maintenance

- chore: document upstream nix usage & remove nix flake [@datosh](https://github.com/datosh) ([#383](openpubkey/opkssh#383))
- Update CLI documentation @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#438](openpubkey/opkssh#438))
- Stop hash pinning docker images [@EthanHeilman](https://github.com/EthanHeilman) ([#421](openpubkey/opkssh#421))
- \[fix] Fix ssh version integration test [@EthanHeilman](https://github.com/EthanHeilman) ([#362](openpubkey/opkssh#362))
- Fix integration tests failing due to pacman keys [@EthanHeilman](https://github.com/EthanHeilman) ([#432](openpubkey/opkssh#432))
- fix(deps): Update docker/setup-buildx-action action to v3.12.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#426](openpubkey/opkssh#426))
- fix(deps): Update zizmorcore/zizmor-action action to v0.3.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#413](openpubkey/opkssh#413))
- fix(deps): Update peter-evans/create-pull-request action to v8 @[renovate\[bot\]](https://github.com/apps/renovate) ([#418](openpubkey/opkssh#418))
- fix(deps): Update zizmorcore/zizmor-action action to v0.2.0 @[renovate\[bot\]](https://github.com/apps/renovate) ([#335](openpubkey/opkssh#335))
- fix(deps): Update peter-evans/create-pull-request action to v7.0.9 @[renovate\[bot\]](https://github.com/apps/renovate) ([#407](openpubkey/opkssh#407))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet