From: Stan Sander
Date: Sun, 27 Nov 2011 12:48:14 -0700
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Re: Help with su (RESOLVED)
Message-ID: <4ED293FE.7010308@sblan.net>
In-Reply-To: <20111127173850.GB18017@gentoo.org>

On 11/27/2011 10:38 AM, Sven Vermeulen wrote:
>
> Hi Stan,
>
> This isn't really the way it is meant to resolve. From your denials, I
> gather that you were still running in staff_r role. You need to transition
> to sysadm_r role first and then try to perform your administrative tasks.
>
> Wkr,
> Sven Vermeulen

Sven,

Thanks for the tip. I was running in staff_r when I got the denials. I
thought I read somewhere that staff was allowed to su, so never thought
the difference of when I entered the newrole to be that significant.
Anyway, I'll call newrole first but it still appears as though I need to
keep the calls to pam_selinux out of the su file as it fails when they
are in. Also pam_xauth doesn't appear as though it's able to play with
selinux, at least not inside the su file.

--
Stan & HD Tashi Grad 10/08 Edgewood, NM SWR
PR - Cindy and Jenny - Sammamish, WA NWR
http://www.cci.org