Granting su rights to users? Using PAM and Kerberos...

Craig White craigwhite at azapple.com
Tue Nov 22 03:14:36 UTC 2005


On Mon, 2005-11-21 at 17:47 -0800, Daniel B. Thurman wrote:

> 
> I have used the gui-based authentication tool with the
> authentication tab and selected everything but the Winbind
> support and now when I try to su root as a normal user,
> I get the message:
> 
> # su: cannot set groups: No such file or directory
> 
> In the /var/log/message file, it says:
> 
> Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost=  user=root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root at CDKKT.COM)
> Nov 21 17:05:48 linux su(pam_unix)[5728]:  ERROR 0:Success
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
> Nov 21 17:05:48 linux su[5728]: Warning!  Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
> Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
> Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
> Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
> 
> So, it appears that PAM is somehow preventing normal users from doing su to root, kerberos claims
> that the password is valid, and SElinux is saying that it does not allow su to relabel
> the /dev/pts/4 tty and finally su is not allowed to delete the cache file.
> 
> Geez... what the heck is going on???
> 
> HELP PLEASE?
----
I am a beginner at selinux - Paul H is very together on it...

selinux targeted?

# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted

if so - then...
yum install selinux-policy-targeted-sources

then according to...
http://cvs.sourceforge.net/viewcvs.py/*checkout*/selinux/nsa/selinux-usr/policycoreutils/audit2allow/audit2allow.1

$ cd /etc/selinux/targeted/src/policy   # "targeted" is the SELINUXTYPE from /etc/selinux/config
$ /usr/bin/audit2allow < /var/log/audit/audit.log >> domains/misc/local.te
# <review domains/misc/local.te and customize as desired>
$ make load

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
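Added example (editor's, not code from either poster): before pasting the whole audit log into audit2allow, it helps to confirm the SELinux mode actually in force and to pull out only the AVC denials that belong to the failing program, so that local.te does not end up with rules for unrelated daemons. The script below reads SELINUX= and SELINUXTYPE= from an /etc/selinux/config-style file (lower-casing the value, so "Enforcing" and "enforcing" compare equal) and filters AVC denial records by comm= from either the /var/log/messages or the /var/log/audit/audit.log format. The config file and log lines it runs on are constructed for the example; the AVC contexts in them are illustrative, not taken from the original report.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumptions: AVC records look like "... avc:  denied  { perm } for ... comm="su" ..."
# (FC4 /var/log/messages via the kernel, or type=AVC lines in audit.log), and
# audit2allow may or may not be installed on the machine running this.

# Value of KEY (SELINUX or SELINUXTYPE) in an /etc/selinux/config-style file.
# Comment lines are skipped, the last assignment wins, result is lower-cased.
selinux_setting() {
    key=$1; cfg=$2
    sed -n "s/^[[:space:]]*${key}=\([^[:space:]#]*\).*/\1/p" "$cfg" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# Only AVC denial records whose comm= is exactly the given program name
# (comm="su" matches, comm="sudo" does not).
avc_denials_for() {
    comm=$1; log=$2
    grep -E 'avc: +denied' "$log" \
        | grep -E "comm=\"?${comm}\"?([^[:alnum:]_]|$)"
}

# --- constructed sample input (not real data from the thread) ---------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/config" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted
EOF

cat > "$TMP/messages" <<'EOF'
Nov 21 17:05:48 linux kernel: audit(1132621548.415:12): avc:  denied  { relabelto } for  pid=5728 comm="su" name="4" dev=devpts ino=6 scontext=root:system_r:unconfined_t tcontext=root:object_r:devpts_t tclass=chr_file
Nov 21 17:05:48 linux su[5728]: Warning!  Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
Nov 21 17:06:02 linux kernel: audit(1132621562.118:13): avc:  denied  { read } for  pid=5801 comm="sudo" name="shadow" dev=hda2 ino=98765 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:shadow_t tclass=file
EOF

# --- walk through the check --------------------------------------------------
main() {
    mode=$(selinux_setting SELINUX "$TMP/config")
    type=$(selinux_setting SELINUXTYPE "$TMP/config")
    echo "SELinux mode: $mode, policy type: $type"

    echo "AVC denials for su:"
    avc_denials_for su "$TMP/messages"

    # Feed only those records to audit2allow (if present). Review what it
    # prints before appending it to domains/misc/local.te and running make load.
    if command -v audit2allow >/dev/null 2>&1; then
        avc_denials_for su "$TMP/messages" | audit2allow
    fi
}
main
```

The filter is deliberately strict on comm= so that a rule generated for su is not padded with whatever sudo, httpd or other confined programs happened to be denied in the same log window; audit2allow writes an allow rule for every denial it is given, so narrowing its input is the cheapest way to keep the resulting policy to least privilege.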




More information about the fedora-list mailing list