One of the more important things that is currently broken on my system
when I switch on enforcing mode for SELinux is the su command. Most
likely I've overlooked something, so I am asking here first before filing a
bug on it. I did a search or two on Google, but didn't find anything
that looked really useful (or current). Here are some details. I'll
start with the output from the terminal window:

siren /home/stan $su
Password:
Would you like to enter a security context? [N]
su: Authentication failure

Here are the lines from my syslog (each record rejoined onto one line):

Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren su[3016]: + /dev/pts/1 stan:root
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc: denied { compute_user } for pid=3016 comm="su" scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get valid context for root
Nov 25 19:24:00 siren pam_ssh[3016]: can't write to /root/.ssh/agent-siren
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren su[3016]: pam_unix(su:session): session opened for user root by (uid=500)
Nov 25 19:24:00 siren su[3016]: pam_open_session: Authentication failure

Here is the /etc/pam.d/su file:

#%PAM-1.0

auth sufficient pam_rootok.so

# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required pam_wheel.so use_uid
auth required pam_tally2.so deny=5 unlock_time=300 magic_root
auth include system-auth

account required pam_tally2.so
account include system-auth

password include system-auth

session required pam_selinux.so close
session optional pam_xauth.so
session required pam_selinux.so multiple open verbose
session include system-auth

And here is the system-auth file:

auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth required pam_unix.so try_first_pass likeauth

account sufficient pam_ldap.so
account required pam_unix.so

password required pam_cracklib.so (****** specific requirements masked ******)
password sufficient pam_ldap.so use_authtok
password required pam_unix.so use_authtok sha512 shadow

session required pam_limits.so
#session required pam_env.so
session optional pam_ssh.so
session sufficient pam_ldap.so
session required pam_unix.so

I tried adding the following rule to a local policy, but all that did
was make the avc denial for compute_user go away in the logs; everything
else was still the same, including the message about being unable to get
a valid context for root:

selinux_compute_user_contexts(staff_su_t)

I also tried commenting out the pam_selinux.so close line in the session
section, but that didn't help.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
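As an added example, not part of the original post, the Python script below does for the denials quoted above what audit2allow does: it parses the kernel AVC records out of syslog text, merges the denied permissions per (source type, target type, object class), and emits the raw TE allow rules together with a loadable-module source skeleton and its require block. The embedded log lines are the post's three denials rejoined onto single lines plus one constructed denial ({ read } on the same directory) that exists only to show how permissions for the same triple are merged; the module name local_su is an arbitrary choice.

```python
import re
from collections import defaultdict

# Sample input: the three AVC denials quoted in the post (rejoined onto single
# lines, as the kernel emits them), the pam_selinux line that must be ignored,
# and one CONSTRUCTED denial ({ read } on the same dir, record 829 reused) to
# show how permissions for one source/target/class triple merge into one rule.
SAMPLE_LOG = """\
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc: denied { compute_user } for pid=3016 comm="su" scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get valid context for root
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.441:829): avc: denied { read } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
"""

# "avc: denied { perm perm ... } for key=value key="value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type component of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc_denials(text):
    """Return one dict per AVC denial: perms (set), stype, ttype, tclass, fields."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. the pam_selinux message)
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        if "scontext" not in fields or "tcontext" not in fields:
            continue  # malformed record, nothing to build a rule from
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "fields": fields,
        })
    return denials


def _fmt_perms(perms):
    """TE syntax: a single permission bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def avc_to_allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for d in parse_avc_denials(text):
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s %s;" % (s, t, c, _fmt_perms(p))
            for (s, t, c), p in sorted(merged.items())]


def build_policy_module(text, name):
    """Wrap the rules in loadable-module (.te) source with its require block."""
    types, classes = set(), defaultdict(set)
    for d in parse_avc_denials(text):
        types.update((d["stype"], d["ttype"]))
        classes[d["tclass"]] |= d["perms"]
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in sorted(types)]
    lines += ["\tclass %s %s;" % (c, _fmt_perms(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""] + avc_to_allow_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_policy_module(SAMPLE_LOG, "local_su"))
```

Run against the sample it prints a module with two rules: `allow staff_su_t security_t:security compute_user;`, which is the raw form of what the `selinux_compute_user_contexts(staff_su_t)` interface grants, and `allow staff_su_t user_home_dir_t:dir { read search };`. Two caveats when using output like this to chase the pam_selinux failure: rules generated straight from denials are a diagnostic, and on a refpolicy-based system the interface call is the right way to write the fix; and the parser can only see what the kernel logged, so denials silenced by dontaudit rules stay invisible until they are re-enabled with `semodule -DB` (and hidden again afterwards with `semodule -B`).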