| 1 |
Did you use newrole to change roles to sysadm_r before trying su? |
| 2 |
|
| 3 |
-Tad |
| 4 |
|
| 5 |
> -----Original Message----- |
| 6 |
> From: Bill McCarty [mailto:bmccarty@××××××.net] |
| 7 |
> Sent: Monday, January 12, 2004 10:12 PM |
| 8 |
> To: gentoo-hardened@l.g.o |
| 9 |
> Subject: [gentoo-hardened] su command |
| 10 |
> |
| 11 |
> Hi all, |
| 12 |
> |
| 13 |
> I recently set up SELinux under Gentoo and find that SELinux is |
| 14 |
> prohibiting |
| 15 |
> ordinary users from running su. Is this intentional? Since I generally |
| 16 |
> prohibit root logins via SSH, access to su is important to me; I cannot |
| 17 |
> otherwise administer the system remotely. |
| 18 |
> |
| 19 |
> I'm using pam-0.77, which is the version that I understand to be |
| 20 |
> SELinux-compliant. The users have context user_u:user_r:user_t and the su |
| 21 |
> executable has context system_u:object_r:su_exec_t. Where else might I |
| 22 |
> look |
| 23 |
> for a possible error in my configuration? |
| 24 |
> |
| 25 |
> The possibility that makes me most anxious is that I may have too recent a |
| 26 |
> version of some ebuild that should be security-aware. I find setting |
| 27 |
> ACCEPT_KEYWORDS="~x86" a bit scary <g>. Is there a list of known good |
| 28 |
> ebuild versions, or should I check the Changelog of each ebuild? |
| 29 |
> |
| 30 |
> Thanks for any suggestions! |
| 31 |
> |
| 32 |
> Cheers, |
| 33 |
> |
| 34 |
> --------------------------------------------------- |
| 35 |
> Bill McCarty |
| 36 |
> |
| 37 |
> |
| 38 |
> -- |
| 39 |
> gentoo-hardened@g.o mailing list |
| 40 |
|
| 41 |
|
| 42 |
-- |
| 43 |
gentoo-hardened@g.o mailing list |
Archives