Bug 117525

Summary: can't su at all ...
Product: [Fedora] Fedora
Reporter: Bill Nottingham <notting>
Component: coreutils
Assignee: Tim Waugh <twaugh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, kajtzu, mitr, rvokal
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2004-05-18 05:05:58 EDT

Description Bill Nottingham 2004-03-04 17:30:22 EST
... because user_t can't read /bin/su.

rawhide-20040304, enforcing=1.

Policy has been reloaded a few times.

Comment 1 Tim Waugh 2004-03-05 07:24:06 EST
Policy needs:

allow user_t su_exec_t:file { execute getattr };

Now what?

Comment 2 Tim Waugh 2004-03-05 08:20:14 EST
Hmm, not that simple.  So far I've needed to add:

allow user_t su_exec_t:file { execute execute_no_trans getattr read };
allow user_t user_t:capability { setuid };

Does that sound right?

Comment 3 Daniel Walsh 2004-03-05 08:46:47 EST
You need to change your user account to a staff account. Then relabel
your home directories.

Normal user accounts are not allowed to execute the su command.

Comment 4 Tim Waugh 2004-03-05 09:08:41 EST
Okay -- can you point me in the right direction for doing that?  What
command is it?  Thanks.

Comment 5 Miloslav Trmac 2004-03-05 09:13:56 EST
That looks like something that should be mentioned in release notes
(bug 114398).

Comment 6 Bill Nottingham 2004-03-05 10:56:24 EST
That's not really consistent with the minimal policy, though. Whether
that's a bug or not, I'm not sure.

Comment 7 Tim Waugh 2004-05-18 05:05:58 EDT
User accounts can run su now.  Closing.