Bug 117978 - su doesn't work as a user with enforcing=1
su doesn't work as a user with enforcing=1
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
: SELinux
Depends On:
Blocks: FC2Blocker
  Show dependency treegraph
 
Reported: 2004-03-10 13:59 EST by Bill Nottingham
Modified: 2014-03-16 22:43 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-06 22:09:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bill Nottingham 2004-03-10 13:59:39 EST
Gets 'incorrect password'.

Error is:

pam_krb5: authentication fails for 'root' (root@REDHAT.COM):
Authentication failure (Cannot resolve network address for KDC in
requested realm)

Why would enforcing mode cause it to look up root in kerberos?


Expected results:


Additional info:
Comment 1 Tim Waugh 2004-03-11 10:11:36 EST
What versions of anything?  Clean install?
Comment 2 Bill Nottingham 2004-03-11 10:16:28 EST
Clean install of yesterday, upgraded to 1.8-5. coreutils-5.2.0-8.
Still happens.
Comment 3 Tim Waugh 2004-03-11 10:20:04 EST
Seems to be a krb5 thing.  Doesn't happen without it configured.
Comment 4 Bill Nottingham 2004-03-11 10:20:34 EST
[notting@apone: ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
Comment 5 Daniel Walsh 2004-03-11 14:28:15 EST
Any avc messages?
Comment 6 Bill Nottingham 2004-03-11 15:47:01 EST
Only the gconv-modules ones.
Comment 7 Bill Nottingham 2004-03-11 15:48:39 EST
Aha. In permissive mode:

{read} exe=/bin/su name=krb5.conf scontext=:user_u:user_r:user_su_t
tcontext=system_u:object_r:krb5_conf_t
Comment 8 Daniel Walsh 2004-03-25 13:20:17 EST
Fixed in policy-1.9-15

Note You need to log in before you can comment on or make changes to this bug.