Bug 117978 - su doesn't work as a user with enforcing=1
Summary: su doesn't work as a user with enforcing=1
Alias: None
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: SELinux
Depends On:
Blocks: FC2Blocker
TreeView+ depends on / blocked
Reported: 2004-03-10 18:59 UTC by Bill Nottingham
Modified: 2014-03-17 02:43 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-07 02:09:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Bill Nottingham 2004-03-10 18:59:39 UTC
Gets 'incorrect password'.

Error is:

pam_krb5: authentication fails for 'root' (root@REDHAT.COM):
Authentication failure (Cannot resolve network address for KDC in
requested realm)

Why would enforcing mode cause it to look up root in kerberos?

Expected results:

Additional info:

Comment 1 Tim Waugh 2004-03-11 15:11:36 UTC
What versions of anything?  Clean install?

Comment 2 Bill Nottingham 2004-03-11 15:16:28 UTC
Clean install of yesterday, upgraded to 1.8-5. coreutils-5.2.0-8.
Still happens.

Comment 3 Tim Waugh 2004-03-11 15:20:04 UTC
Seems to be a krb5 thing.  Doesn't happen without it configured.

Comment 4 Bill Nottingham 2004-03-11 15:20:34 UTC
[notting@apone: ~]$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Comment 5 Daniel Walsh 2004-03-11 19:28:15 UTC
Any avc messages?

Comment 6 Bill Nottingham 2004-03-11 20:47:01 UTC
Only the gconv-modules ones.

Comment 7 Bill Nottingham 2004-03-11 20:48:39 UTC
Aha. In permissive mode:

{read} exe=/bin/su name=krb5.conf scontext=:user_u:user_r:user_su_t

Comment 8 Daniel Walsh 2004-03-25 18:20:17 UTC
Fixed in policy-1.9-15

Note You need to log in before you can comment on or make changes to this bug.