Gentoo Archives: gentoo-hardened

From: Stan Sander <stsander@×××××.net>
To: gentoo-hardened <gentoo-hardened@l.g.o>
Subject: [gentoo-hardened] Help with su
Date: Sat, 26 Nov 2011 03:33:47
Message-Id: 4ED05DE4.4050202@sblan.net
One of the more important things that is currently broken on my system
when I switch on enforcing mode for SELinux is the su command. Most
likely I've overlooked something, so am asking here first before filing a
bug on it. I did a search or two on google, but didn't find anything
that looked really useful (or current). Here are some details. I'll
start with the output from the terminal window:

siren /home/stan $su
Password:
Would you like to enter a security context? [N]
su: Authentication failure

Here are the lines from my syslog:

Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren su[3016]: + /dev/pts/1 stan:root
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc: denied { compute_user } for pid=3016 comm="su" scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get valid context for root
Nov 25 19:24:00 siren pam_ssh[3016]: can't write to /root/.ssh/agent-siren
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc: denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren su[3016]: pam_unix(su:session): session opened for user root by (uid=500)
Nov 25 19:24:00 siren su[3016]: pam_open_session: Authentication failure

Here is the /etc/pam.d/su file:

#%PAM-1.0

auth sufficient pam_rootok.so

# If you want to restrict users being allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth required pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth sufficient pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth sufficient pam_listfile.so item=ruser sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth required pam_wheel.so use_uid
auth required pam_tally2.so deny=5 unlock_time=300 magic_root
auth include system-auth

account required pam_tally2.so
account include system-auth

password include system-auth

session required pam_selinux.so close
session optional pam_xauth.so
session required pam_selinux.so multiple open verbose
session include system-auth

And, here is the system-auth file:

auth sufficient pam_ldap.so use_first_pass ignore_authinfo_unavail
auth required pam_unix.so try_first_pass likeauth

account sufficient pam_ldap.so
account required pam_unix.so

password required pam_cracklib.so (****** specific requirements masked ******)
password sufficient pam_ldap.so use_authtok
password required pam_unix.so use_authtok sha512 shadow

session required pam_limits.so
#session required pam_env.so
session optional pam_ssh.so
session sufficient pam_ldap.so
session required pam_unix.so

I tried adding the following rule to a local policy, but all that did
was make the avc denial for compute_user go away in the logs; everything
else was still the same, including the message about being unable to get a valid
context for root:

selinux_compute_user_contexts(staff_su_t)

I also tried commenting out the pam_selinux.so close in the session, but
that didn't help.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
[gentoo-hardened] Re: Help with su (RESOLVED) Stan Sander <stsander@×××××.net>