From: Stan Sander
Date: Fri, 25 Nov 2011 20:32:52 -0700
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] Help with su

One of the more important things that is currently broken on my system
when I switch on enforcing mode for SELinux is the su command. Most
likely I've overlooked something, so am asking here first before filing
a bug on it. I did a search or two on google, but didn't find anything
that looked really useful (or current). Here are some details.

I'll start with the output from the terminal window:

siren /home/stan $su
Password:
Would you like to enter a security context? [N]
su: Authentication failure

Here are the lines from my syslog:

Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren su[3016]: + /dev/pts/1 stan:root
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc:  denied { compute_user } for pid=3016 comm="su" scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get valid context for root
Nov 25 19:24:00 siren pam_ssh[3016]: can't write to /root/.ssh/agent-siren
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren su[3016]: pam_unix(su:session): session opened for user root by (uid=500)
Nov 25 19:24:00 siren su[3016]: pam_open_session: Authentication failure

Here is the /etc/pam.d/su file:

#%PAM-1.0

auth       sufficient   pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     pam_wheel.so use_uid

auth       required     pam_tally2.so deny=5 unlock_time=300 magic_root
auth       include      system-auth

account    required     pam_tally2.so
account    include      system-auth

password   include      system-auth

session    required     pam_selinux.so close
session    optional     pam_xauth.so
session    required     pam_selinux.so multiple open verbose
session    include      system-auth

And, here is the system-auth file:

auth       sufficient   pam_ldap.so use_first_pass ignore_authinfo_unavail
auth       required     pam_unix.so try_first_pass likeauth

account    sufficient   pam_ldap.so
account    required     pam_unix.so

password   required     pam_cracklib.so (****** specific requirements masked ******)
password   sufficient   pam_ldap.so use_authtok
password   required     pam_unix.so use_authtok sha512 shadow

session    required     pam_limits.so
#session   required     pam_env.so
session    optional     pam_ssh.so
session    sufficient   pam_ldap.so
session    required     pam_unix.so

I tried adding the following rule to a local policy, but all that did was
make the avc denial for compute_user go away in the logs; everything else
was still the same, including the message about being unable to get a
valid context for root:

selinux_compute_user_contexts(staff_su_t)

I also tried commenting out the pam_selinux.so close in the session, but
that didn't help.

-- 
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org
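The post above quotes raw kernel AVC records that have to be read by hand to see which subject type was denied which permission on which target. The following script, added here as an illustration and not part of the original post or of any Gentoo tool, parses that AVC line format into structured records and summarises the denials by (source type, target type, object class, permission), then renders the summary as .te allow rules the way audit2allow's first pass does. The sample log is constructed from the lines quoted in the post, with the quoted-printable artifacts decoded; the function names are my own. Note that the author already found that adding the corresponding allow interface made the compute_user denial disappear without fixing su, so the generated rules are a diagnostic summary of what the policy blocked, not the fix.

```python
import re
from collections import Counter

# Constructed sample input: the audit lines quoted in the post, with the
# quoted-printable "=3D" / "=20" / soft-line-break artifacts decoded.
SAMPLE_LOG = """\
Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc:  denied { compute_user } for pid=3016 comm="su" scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get valid context for root
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc:  denied { search } for pid=3016 comm="su" name="root" dev=sda1 ino=4290561 scontext=stan:staff_r:staff_su_t tcontext=root:object_r:user_home_dir_t tclass=dir
"""

# "avc:  denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one syslog line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def summarize_denials(log_text):
    """Count denied accesses keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def te_rules(counts):
    """Render the summary as .te allow rules, merging permissions per
    (source, target, class) triple, as audit2allow does on its first pass."""
    merged = {}
    for (src, tgt, cls, perm) in counts:
        merged.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in merged.items()
    )


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for key, n in sorted(summary.items()):
        print(n, key)
    print("\n".join(te_rules(summary)))
```

Run against the sample it reports three search denials of staff_su_t on user_home_dir_t:dir (su trying to enter /root) and one compute_user denial on security_t:security (su asking the kernel which contexts root may get), which is exactly the pair the pam_selinux "Unable to get valid context" message follows from. Splitting the context on ":" and taking the third field keeps the summary correct for MLS contexts that carry a fourth range component.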