Gentoo Archives: gentoo-hardened

From: Peter Buettner <pb@××××××××××××.de>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] su and newrole do not work from normal user account
Date: Thu, 09 Sep 2004 15:43:32
Message-Id: 20040909174322.14ea7829.pb@personalwlan.de
Hello,

I performed a stage1 install from the hardened gentoo CD. Installation works fine and without problems.

But with the loaded policy it is not possible to do newrole -r or su - from a normal user account.


sysop@access sysop $ newrole -r sysadm_r
Authenticating sysop.
Password:
newrole: incorrect password for sysop

sysop@access sysop $ su -
Password:
su: Authentication failure
Sorry.

Is this the normal behavior of the policy or have I done something wrong?

How can I change this behavior if all is right?

I have tried a different default_contexts file, but the behavior did not change.

I am used to disabling root access in sshd so that I have to log in as a normal user and su to root for administration.

Some settings:

access policy # uname -a
Linux access 2.6.5-hardened-r5 #3 SMP Thu Jun 24 14:33:31 CEST 2004 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux

users:

# seuser
# This file created automatically by seuser on Thu Jul 29 14:52:17 2004

#
# user file

user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };

default_contexts:

system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:crond_t user_r:user_crond_t staff_r:staff_crond_t sysadm_r:sysadm_crond_t system_r:system_crond_t mai$
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t


sestatus -v:

access security # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Policy version: 17

Policy booleans:
user_ping inactive

Process contexts:
Current context: root:sysadm_r:sysadm_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t

File contexts:
Controlling term: root:object_r:sysadm_devpts_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/bash system_u:object_r:shell_exec_t
/bin/login system_u:object_r:login_exec_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/sbin/init system_u:object_r:init_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t

Thank you for any help.


Kind regards

Peter Büttner


-------------------------------------------------
Personal WLAN GmbH http://www.personalwlan.de
Große Elbstraße 145a
22767 Hamburg

Tel.: 040/888855-25
Fax : 040/888855-55
Mail: pb@××××××××××××.de
-------------------------------------------------


--
gentoo-hardened@g.o mailing list
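The post's question turns on which role a login or su lands in, which is decided by the default_contexts lookup: each line names a parent context (role:type), followed by candidate contexts in order of preference, and the first candidate whose role the user is granted in the users file is chosen. The following is an added example, not code from the post or from libselinux; it re-implements that lookup in Python over the two files the poster included (the truncated crond_t line is left out, and the fallback of unlisted Linux users to the generic user_u identity is an assumption stated in the code). Running it shows, for instance, that sysop arriving through sshd_t can only land in staff_r:staff_t because sysadm_r is not offered on that line.

```python
import re

# Constructed from the users file in the post (comment lines dropped).
USERS_FILE = """\
user system_u roles { system_r } ;
user user_u roles { user_r } ;
user root roles { sysadm_r staff_r } ;
user sysop roles { sysadm_r staff_r } ;
user sudevel roles { staff_r user_r } ;
user test roles { user_r staff_r } ;
user operator roles { user_r staff_r };
"""

# Constructed from the default_contexts file in the post; the crond_t line
# was cut off in the post and is omitted here.
DEFAULT_CONTEXTS = """\
system_r:sulogin_t sysadm_r:sysadm_t
system_r:local_login_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
system_r:remote_login_t user_r:user_t staff_r:staff_t
system_r:sshd_t user_r:user_t staff_r:staff_t
system_r:xdm_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
staff_r:staff_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sysadm_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
user_r:user_su_t staff_r:staff_t user_r:user_t sysadm_r:sysadm_t
sysadm_r:sudo_t sysadm_r:sysadm_t
staff_r:sudo_t sysadm_r:sysadm_t staff_r:staff_t
user_r:sudo_t sysadm_r:sysadm_t user_r:user_t
"""

FALLBACK_USER = "user_u"  # assumption: unlisted Linux users map to user_u


def parse_users(text):
    """Map each SELinux user to its permitted roles from 'user X roles { ... } ;' lines."""
    users = {}
    for m in re.finditer(r"^\s*user\s+(\S+)\s+roles\s*\{([^}]*)\}", text, re.M):
        users[m.group(1)] = m.group(2).split()
    return users


def parse_default_contexts(text):
    """Map each parent role:type to its ordered list of candidate role:type pairs."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        table[parts[0]] = parts[1:]
    return table


def default_context(user, parent, users, table):
    """Return identity:role:type for the first candidate whose role the user holds,
    or None when no candidate on the parent's line is permitted (login refused)."""
    identity = user if user in users else FALLBACK_USER
    roles = users.get(identity, [])
    for cand in table.get(parent, []):
        role = cand.split(":")[0]
        if role in roles:
            return f"{identity}:{cand}"
    return None


def login_table(user, users, table):
    """Resolve the default context for a user under every parent in the table,
    which makes it easy to see where a given role is reachable from."""
    return {parent: default_context(user, parent, users, table) for parent in table}


if __name__ == "__main__":
    users = parse_users(USERS_FILE)
    table = parse_default_contexts(DEFAULT_CONTEXTS)
    for parent, ctx in login_table("sysop", users, table).items():
        print(f"{parent:28} -> {ctx}")
```

Note that a None result means the policy offered no role the user holds (test has no sysadm_r, so sulogin_t yields nothing), whereas the post's "incorrect password" and "Authentication failure" messages come from password authentication and are not produced by this lookup.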

Replies