On Mon, 2005-11-21 at 17:47 -0800, Daniel B. Thurman wrote:
>
> I have used the gui-based authentication tool with the
> authentication tab and selected everything but the Winbind
> support and now when I try to su root as a normal user,
> I get the message:
>
> # su: cannot set groups: No such file or directory
>
> In the /var/log/message file, it says:
>
> Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost= user=root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@xxxxxxxxx)
> Nov 21 17:05:48 linux su(pam_unix)[5728]: ERROR 0:Success
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
> Nov 21 17:05:48 linux su[5728]: Warning! Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
> Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
>
> So, it appears that PAM is somehow preventing normal users to su as root, kerberos claims
> that the password is valid, and SElinux is saying that it does not allow su to relabel
> the /dev/pts/4 tty and finally su is not allowed to delete the cache file.
>
> Geez... what the heck is going on???
>
> HELP PLEASE?
----
I am a beginner at selinux - Paul H is very together on it...

selinux targeted?

# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

if so - then...

yum install selinux-policy-targeted-sources

then according to...

http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-usr/policycoreutils/audit2allow/audit2allow.1

# policy type from /etc/selinux/config (SELINUXTYPE=targeted)
$ cd /etc/selinux/targeted/src/policy
$ /usr/bin/audit2allow -i /var/log/audit/audit.log >> domains/misc/local.te
# <review domains/misc/local.te and customize as desired>
$ make load

Craig
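
What the audit2allow step above generates, as an added illustration (not part of the original message and not audit2allow's own code): a small Python sketch that groups AVC denials into the allow rules you would then review in local.te before running make load. The audit records are constructed samples and their type names are illustrative, not the poster's actual denials.

```python
import re
from collections import defaultdict

# Constructed sample audit records (illustrative only, not from the poster's system).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1132621548.101:41): avc:  denied  { relabelto } for  pid=5728 comm="su" name="4" dev=devpts ino=6 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1132621548.102:42): avc:  denied  { relabelfrom } for  pid=5728 comm="su" name="4" dev=devpts ino=6 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1132621548.103:43): avc:  denied  { unlink } for  pid=5728 comm="su" name="krb5cc_0_example" dev=hda2 ino=1234 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:tmp_t tclass=file
type=SYSCALL msg=audit(1132621548.103:43): arch=40000003 syscall=10 success=no exit=-13
type=AVC msg=audit(1132621548.104:44): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

# Matches only denied AVC messages and captures permissions, contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge denied AVC records into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and 'granted' messages produce no rule
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"  # several permissions are braced
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Each emitted rule grants the permission to every process in the source type, not just the command that was denied, which is why the review of local.te comes before make load.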