RE: Granting su rights to users? Using PAM and Kerberos...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2005-11-21 at 17:47 -0800, Daniel B. Thurman wrote:

> 
> I have used the gui-based authtenication tool with then
> authenication tab and selected everything but the Winbind
> support and now when I try to su root as a normal user,
> I get the message:
> 
> # su: cannot set groups: No such file or directory
> 
> In the /var/log/message file, it says:
> 
> Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost=  user=root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@xxxxxxxxx)
> Nov 21 17:05:48 linux su(pam_unix)[5728]:  ERROR 0:Success
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
> Nov 21 17:05:48 linux su[5728]: Warning!  Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
> Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
> 
> So, it appears that PAM is somehow preventing normal users to su as root, kerberos claims
> that the password is valid, and SElinux is saying that it does not allow su to relabel
> tje /dev/pts/4 tty and finally su is not allowed to delete the cache file.
> 
> Geez... what the heck is going on???
> 
> HELP PLEASE?
----
I am beginner at selinux - Paul H is very together on it...

selinux targeted?

# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

if so - then...
yum install selinux-policy-targeted-sources

then according to...
http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-
usr/policycoreutils/audit2allow/audit2allow.1

$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
# <review domains/misc/local.te and customize as desired>
$ make load

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux