Bug 117525 - can't su at all ...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: coreutils
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tim Waugh
Reported: 2004-03-04 22:30 UTC by Bill Nottingham
Modified: 2014-03-17 02:43 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-05-18 09:05:58 UTC

Description Bill Nottingham 2004-03-04 22:30:22 UTC
... because user_t can't read /bin/su.

rawhide-20040304, enforcing=1.

Policy has been reloaded a few times.

Comment 1 Tim Waugh 2004-03-05 12:24:06 UTC
Policy needs:

allow user_t su_exec_t:file { execute getattr };

Now what?

Comment 2 Tim Waugh 2004-03-05 13:20:14 UTC
Hmm, not that simple.  So far I've needed to add:

allow user_t su_exec_t:file { execute execute_no_trans getattr read };
allow user_t user_t:capability { setuid };

Does that sound right?

Comment 3 Daniel Walsh 2004-03-05 13:46:47 UTC
You need to change your user account to a staff account. Then relabel
your home directories.

Normal user accounts are not allowed to execute the su command.

Dan

Comment 4 Tim Waugh 2004-03-05 14:08:41 UTC
Okay -- can you point me in the right direction for doing that?  What
command is it?  Thanks.

Comment 5 Miloslav Trmac 2004-03-05 14:13:56 UTC
That looks like something that should be mentioned in release notes
(bug 114398).

Comment 6 Bill Nottingham 2004-03-05 15:56:24 UTC
That's not really consistent with the minimal policy, though. Whether
that's a bug or not, I'm not sure.

Comment 7 Tim Waugh 2004-05-18 09:05:58 UTC
User accounts can run su now.  Closing.

