Bug 117978 - su doesn't work as a user with enforcing=1
Summary: su doesn't work as a user with enforcing=1
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords: SELinux
Depends On:
Blocks: FC2Blocker
TreeView+ depends on / blocked
 
Reported: 2004-03-10 18:59 UTC by Bill Nottingham
Modified: 2014-03-17 02:43 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-07 02:09:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Bill Nottingham 2004-03-10 18:59:39 UTC
Gets 'incorrect password'.

Error is:

pam_krb5: authentication fails for 'root' (root@REDHAT.COM):
Authentication failure (Cannot resolve network address for KDC in
requested realm)

Why would enforcing mode cause it to look up root in kerberos?


Expected results:


Additional info:

Comment 1 Tim Waugh 2004-03-11 15:11:36 UTC
What versions of anything?  Clean install?

Comment 2 Bill Nottingham 2004-03-11 15:16:28 UTC
Clean install of yesterday, upgraded to 1.8-5. coreutils-5.2.0-8.
Still happens.

Comment 3 Tim Waugh 2004-03-11 15:20:04 UTC
Seems to be a krb5 thing.  Doesn't happen without it configured.

Comment 4 Bill Nottingham 2004-03-11 15:20:34 UTC
[notting@apone: ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so


Comment 5 Daniel Walsh 2004-03-11 19:28:15 UTC
Any avc messages?

Comment 6 Bill Nottingham 2004-03-11 20:47:01 UTC
Only the gconv-modules ones.


Comment 7 Bill Nottingham 2004-03-11 20:48:39 UTC
Aha. In permissive mode:

{read} exe=/bin/su name=krb5.conf scontext=:user_u:user_r:user_su_t
tcontext=system_u:object_r:krb5_conf_t


Comment 8 Daniel Walsh 2004-03-25 18:20:17 UTC
Fixed in policy-1.9-15


Note You need to log in before you can comment on or make changes to this bug.