One of the more important things that is currently broken on my system
when I switch on enforcing mode for SELinux is the su command. Mostly
likely I've overlooked something so am asking here first before filing a
bug on it. I did a search or two on google, but didn't find anything
that looked really useful (or current). Here are some details. I'll
start with the output from the terminal window:
siren /home/stan $su
Password:
Would you like to enter a security context? [N]
su: Authentication failure
Here are the lines from my syslog:
Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren su[3016]: + /dev/pts/1 stan:root
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc:
denied { search } for pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root
bject_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc:
denied { compute_user } for pid=3016 comm="su"
scontext=stan:staff_r:staff_su_t tcontext=system_u
bject_r:security_t
tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get
valid context for root
Nov 25 19:24:00 siren pam_ssh[3016]: can't write to /root/.ssh/agent-siren
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc:
denied { search } for pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root
bject_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc:
denied { search } for pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root
bject_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren su[3016]: pam_unix(su:session): session opened for
user root by (uid=500)
Nov 25 19:24:00 siren su[3016]: pam_open_session: Authentication failure
Here is the /etc/pam.d/su file:
#%PAM-1.0
auth sufficient pam_rootok.so
# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required pam_listfile.so item=ruser sense=allow
onerr=fail file=/etc/security/suauth.allow
# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient pam_wheel.so use_uid trust
# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient pam_listfile.so item=ruser sense=allow
onerr=fail file=/etc/security/suauth.nopass
# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required pam_wheel.so use_uid
auth required pam_tally2.so deny=5 unlock_time=300 magic_root
auth include system-auth
account required pam_tally2.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session optional pam_xauth.so
session required pam_selinux.so multiple open verbose
session include system-auth
And, here is the system-auth file:
auth sufficient pam_ldap.so use_first_pass
ignore_authinfo_unavail
auth required pam_unix.so try_first_pass likeauth
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so (****** specific
requrements masked ******)
password sufficient pam_ldap.so use_authtok
password required pam_unix.so use_authtok sha512 shadow
session required pam_limits.so
#session required pam_env.so
session optional pam_ssh.so
session sufficient pam_ldap.so
session required pam_unix.so
I tried adding the following rule to a local policy, but all that did
was make the avc denial for compute_user go away in the logs, everything
else was still the same including the message about unable to get valid
context for root:
selinux_compute_user_contexts(staff_su_t)
I also tried commenting out the pam_selinux.so close in the session, but
that didn't help.
--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
Help with su
