Bug 117525

Summary: can't su at all ...
Product: [Fedora] Fedora
Reporter: Bill Nottingham <notting>
Component: coreutils
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, kajtzu, mitr, rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-05-18 09:05:58 UTC

Description Bill Nottingham 2004-03-04 22:30:22 UTC
... because user_t can't read /bin/su.

rawhide-20040304, enforcing=1.

Policy has been reloaded a few times.

Comment 1 Tim Waugh 2004-03-05 12:24:06 UTC
Policy needs:

allow user_t su_exec_t:file { execute getattr };

Now what?

Comment 2 Tim Waugh 2004-03-05 13:20:14 UTC
Hmm, not that simple.  So far I've needed to add:

allow user_t su_exec_t:file { execute execute_no_trans getattr read };
allow user_t user_t:capability { setuid };

Does that sound right?

Comment 3 Daniel Walsh 2004-03-05 13:46:47 UTC
You need to change your user account to a staff account. Then relabel
your home directories.

Normal user accounts are not allowed to execute the su command.

Dan

Comment 4 Tim Waugh 2004-03-05 14:08:41 UTC
Okay -- can you point me in the right direction for doing that?  What
command is it?  Thanks.

Comment 5 Miloslav Trmac 2004-03-05 14:13:56 UTC
That looks like something that should be mentioned in release notes
(bug 114398).

Comment 6 Bill Nottingham 2004-03-05 15:56:24 UTC
That's not really consistent with the minimal policy, though. Whether
that's a bug or not, I'm not sure.

Comment 7 Tim Waugh 2004-05-18 09:05:58 UTC
User accounts can run su now.  Closing.