1 |
On Sat, Mar 10, 2012 at 07:07:54PM +0100, Krzysztof Nowicki wrote: |
2 |
> Recently I've upgraded the policy to the latest testing version. I've also had to upgrade policycoreutils (+deps) to the versions from the overlay, since they're required by the policies. Everything seems to be working fine for now, but I noticed a problem with su. Every time I try to use it an error is displayed: |
3 |
> |
4 |
> su: Authentication service cannot retrieve authentication info |
5 |
> |
6 |
> This message is displayed regardless of the user executing su (even for root/sysadm_r). |
7 |
[...] |
8 |
|
9 |
Hi Krzysztof, |
10 |
|
11 |
This should be tackled with selinux-base-policy-2.20120215-r3 (and |
12 |
selinux-base-2.20120215-r3) and later. Can you check if that is indeed met? |
13 |
|
14 |
Iirc, the su domains needed getattr rights on the security_t domain: |
15 |
|
16 |
~# sesearch -s staff_su_t -t security_t -c filesystem -p getattr -A; |
17 |
Found 1 semantic av rules: |
18 |
allow staff_su_t security_t : filesystem getattr ; |
19 |
|
20 |
Wkr, |
21 |
Sven Vermeulen |