Bug 116347
Summary: | Can not su from root to ordinary user account | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | vvs <vvs009> |
Component: | kernel | Assignee: | Arjan van de Ven <arjanv> |
Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Priority: | medium |
Version: | rawhide | Hardware: | i686 |
OS: | Linux | Doc Type: | Bug Fix |
Last Closed: | 2004-03-05 14:32:48 UTC | Bug Blocks: | 114961 |
Description
vvs
2004-02-20 13:17:13 UTC
What is the protection on the /dev/tty1? The pam_selinux module is changing the terminal security context and then closing and reopening the terminal. For some reason when it reopens the terminal it gets an error.

Did you relabel the file system with SELinux? Currently the installer does not fully support labeling all files, so you end up in a sort of sudo SELinux environment; you can relabel the file system to get it in a full SELinux environment.

Several things can be done to solve this problem. You can edit the /etc/pam.d/su file and add nottys to the pam_selinux.so line and this will stop trying to relabel the terminals, or you could remove this line and it will go back to the default behaviour and not attempt to transition you to a different context.

Dan

What kind of "protection"? Do you mean SELinux label or policy? I have policy-1.6-1 installed and I did relabel the file system using setfiles utility and file_contexts from policy-sources.

Adding nottys to pam_selinux.so works, thank you for this solution. Of course, this is a mere workaround and does not fix the bug itself.

BTW, it seems that nobody testing FC2 logged in as root. There are dozens of denied operations in that setup. And some things simply don't work even in permissive mode. Rebuilding coreutils from source rpm comes to mind (I suppose a su is to blame here as well). I don't even try to report it, because opening so many similar bug reports doesn't make sense. And I have not enough knowledge of SELinux to fix it myself :-(