>-----Original Message-----
>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Craig White
>Sent: Monday, November 21, 2005 7:15 PM
>To: For users of Fedora Core releases
>Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
>On Mon, 2005-11-21 at 17:47 -0800, Daniel B. Thurman wrote:
>
>>
>> I have used the gui-based authentication tool with the
>> authentication tab and selected everything but the Winbind
>> support and now when I try to su root as a normal user,
>> I get the message:
>>
>> # su: cannot set groups: No such file or directory
>>
>> In the /var/log/message file, it says:
>>
>> Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost=  user=root
>> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@xxxxxxxxx)
>> Nov 21 17:05:48 linux su(pam_unix)[5728]: ERROR 0:Success
>> Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
>> Nov 21 17:05:48 linux su[5728]: Warning! Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
>> Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
>> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
>> Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
>> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
>>
>> So, it appears that PAM is somehow preventing normal users to su as root, kerberos claims
>> that the password is valid, and SElinux is saying that it does not allow su to relabel
>> the /dev/pts/4 tty and finally su is not allowed to delete the cache file.
>>
>> Geez... what the heck is going on???
>>
>> HELP PLEASE?
>----
>I am a beginner at selinux - Paul H is very together on it...
>
>selinux targeted?
>
># grep SELINUX /etc/selinux/config
># SELINUX= can take one of these three values:
>SELINUX=Enforcing
># SELINUXTYPE= type of policy in use. Possible values are:
>SELINUXTYPE=targeted
>
>if so - then...
>yum install selinux-policy-targeted-sources
>
>then according to...
>http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-usr/policycoreutils/audit2allow/audit2allow.1
>
>$ cd /etc/selinux/$(SELINUXTYPE)/src/policy
>$ /usr/bin/audit2allow -i < /var/log/audit/audit.log >> domains/misc/local.te
># <review domains/misc/local.te and customize as desired>
>$ make load
>
>Craig
>
>

Problem solved! A respondent told me to check the permissions for
the /bin/su and it turned out that it was in mode 755 and should have
been in mode 4755. This means that my /bin and /sbin is hosed (by me)
and I will need to find out how to restore the permissions and ownership
of these files in these directories. Gah.

I will review the selinux stuff tho and learn how to use it. I have
problems with getting httpd and samba to work under selinux as I have
currently disabled selinux for these programs so far.

Kind regards,
Dan
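
Added example, not part of the original messages: a small POSIX shell check for the condition found in this thread, a binary such as /bin/su that has lost its setuid bit (mode 755 instead of 4755) or its root ownership. The function names, exit codes and the EXPECT_UID variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report binaries that should be setuid root but are not.
# Usage (paths are the caller's choice): sh check_suid.sh /bin/su /usr/bin/passwd

# check_setuid_root FILE [EXPECTED_UID]
# Prints one status line and returns:
#   0 = setuid bit set and owned by the expected uid (default 0, root)
#   1 = setuid bit missing (the 755-instead-of-4755 case from the thread)
#   2 = setuid bit set but wrong owner
#   3 = file does not exist
check_setuid_root() {
    path=$1
    want_uid=${2:-0}
    if [ ! -e "$path" ]; then
        echo "MISSING   $path"
        return 3
    fi
    # Field 3 of "ls -ldn" is the numeric owner uid.
    uid=$(ls -ldn -- "$path" | awk '{print $3}')
    if [ ! -u "$path" ]; then
        echo "NO-SUID   $path (uid=$uid)"
        return 1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "BAD-OWNER $path (uid=$uid, expected $want_uid)"
        return 2
    fi
    echo "OK        $path"
    return 0
}

# audit_setuid FILE...
# Checks every file; returns 0 only if all pass, 1 otherwise.
# EXPECT_UID overrides the expected owner (assumption: root, uid 0).
audit_setuid() {
    failed=0
    for item in "$@"; do
        check_setuid_root "$item" "${EXPECT_UID:-0}" || failed=1
    done
    return "$failed"
}

# Run the audit only when paths were given on the command line.
if [ "$#" -gt 0 ]; then
    audit_setuid "$@"
fi
```

On an RPM-based system, `rpm -qf /bin/su` names the owning package, `rpm -V <package>` lists files whose mode or ownership differs from the package database, and `rpm --setperms <package>` with `rpm --setugids <package>` restores them.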