Red Hat Bugzilla – Bug 178714
/etc/pam.d/su: 'multiple', 2nd (context) prompt
Last modified: 2007-11-30 17:07:22 EST
With a recent update of coreutils, su's behavior has changed, in that after
prompting for the password, it also prompts for the (selinux?) context. I'm seeing
Your default context is root:system_r:unconfined_t.
Do you want to choose a different one? [n]
kde's kdesu barfs/hangs on this second prompt.
A fix was pointed out to me on the selinux mailing list by dwalsh:
"Remove multiple from the pam file."
Editing /etc/pam.d/su, changing
session required /lib/security/$ISA/pam_selinux.so open multiple
to
session required /lib/security/$ISA/pam_selinux.so open
did the trick.
# rpm -q -f /etc/pam.d/su
Adding Steve Grubb to cc - Steve, do you think this might be due to the
coreutils-pam.patch changes you suggested?
Tim, the pam patch tweaks made sure that pam failures were handled correctly. It
shouldn't have anything to do with this. The problem is the su pam config file
has "multiple" as a param which tells pam_selinux that it should ask which role
the user wants. This is definitely not what the average user wants.
I checked cvs for FC-3 & FC-4 and this seems to be the case. RHEL-4 does not
have the multiple option by comparison. I'd delete the "multiple" option out of
su.pamd for both FC-3 and FC-4.
> I checked cvs for FC-3 & FC-4 and this seems to be the case. RHEL-4 does not
> have the multiple option by comparison. I'd delete the "multiple" option out of
> su.pamd for both FC-3 and FC-4.
I'm seeing "multiple" on RHEL-4 with coreutils-5.2.1-31.2
Rex, the "multiple" keyword was already present in the package that shipped with
Red Hat Enterprise Linux 4, coreutils-5.2.1-31. That has not changed in the update.
Steve: given this, what other change from 5.2.1-31 to 5.2.1-31.2 could cause
this? Surely it has to be one of the coreutils-pam.patch changes.
Tim, it might be pam_selinux that changed during this time. Adding Dan to see if
he has any ideas.
Regardless, can't we agree that 'multiple' should be removed?
Rex, multiple is already removed in cvs and this change will be released in U3.
I think Tim just wants to know exactly what changed that caused this problem.
Yes, multiple should be removed and actually the entire pam_selinux.so can be
removed. The changes to /etc/pam.d/su are more for strict policy and were added
back in FC2 timeframe when we were shipping with strict. pam_selinux.so in the
su module has no effect in the targeted policy, since the user goes from
unconfined_t to unconfined_t.
The problem was caused by an upgrade to policy in U2 that caused su to think
there were multiple types that the user could reach and the pam module gives the
user the choice.
This choice makes no sense in a targeted policy environment. If an init script
is running su to change user, it is recommended that it use runuser, which will
eliminate any of the pam functions.
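The fix discussed in this thread is a one-word change to the pam_selinux "open" line of /etc/pam.d/su. The script below is an added example, not code from the bug report or from any Red Hat package: it detects whether a PAM service file still carries the "multiple" option on a pam_selinux.so "open" line and strips it without touching any other line. The /etc/pam.d/su fragment it operates on is constructed here from the lines quoted above; the pam_stack/pam_rootok/pam_xauth lines are assumed filler for an FC-3/FC-4-era file and may not match a given system.

```shell
#!/bin/sh
# Added example (not part of the bug report): find and remove the "multiple"
# option from the pam_selinux.so "open" line of a PAM service file.
# SAMPLE_SU_PAMD is a constructed /etc/pam.d/su; only the two pam_selinux
# lines are taken from the thread, the rest is assumed filler.

SAMPLE_SU_PAMD='auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_selinux.so open multiple'

# has_multiple FILE
#   Returns 0 if FILE has a session line loading pam_selinux.so with the
#   "open" action and a "multiple" option anywhere after it, else 1.
#   Comments and other modules are ignored, so a stray "multiple" in an
#   unrelated option (e.g. a pam_stack service name) does not trigger it.
has_multiple() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_selinux\.so[[:space:]]+open([[:space:]]+[^[:space:]]+)*[[:space:]]+multiple([[:space:]]|$)' "$1"
}

# strip_multiple FILE
#   Rewrites FILE in place, keeping a FILE.bak copy. Only lines that load
#   pam_selinux.so are edited; "multiple" is removed whether it is the last
#   option or followed by further options. Line count is unchanged.
strip_multiple() {
    cp -p "$1" "$1.bak"
    sed -E \
        -e '/pam_selinux\.so/ s/[[:space:]]+multiple[[:space:]]*$//' \
        -e '/pam_selinux\.so/ s/[[:space:]]+multiple[[:space:]]+/ /' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# demo: run the check and the fix against the constructed sample in a temp
# file, printing the pam_selinux lines before and after.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SU_PAMD" > "$tmp"
    echo "before:"; grep pam_selinux "$tmp"
    if has_multiple "$tmp"; then
        echo "-> 'multiple' present on the pam_selinux open line; removing"
        strip_multiple "$tmp"
    fi
    echo "after:"; grep pam_selinux "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

demo
```

Run it as root against the real file with `strip_multiple /etc/pam.d/su` after confirming with `has_multiple /etc/pam.d/su`; the .bak copy is there to restore if su misbehaves. Note this only silences the second prompt. As Dan points out above, under targeted policy the pam_selinux lines in su do nothing at all, and init scripts that switch users should call runuser rather than su so no PAM session modules run in the first place.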
This issue is on Red Hat Engineering's list of planned work items
for the upcoming Red Hat Enterprise Linux 4.4 release. Engineering
resources have been assigned and barring unforeseen circumstances, Red
Hat intends to include this item in the 4.4 release.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.