While trying to authenticate using "su", the authentication fails with the
following error:

~$ su -
su: Authentication service cannot retrieve authentication info

In the audit log, we notice the following denial (after disabling dontaudits):

type=AVC msg=audit(1376567915.011:8005): avc: denied { getattr } for
pid=10640 comm="su" name="/" dev="selinuxfs" ino=1
scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t
tclass=filesystem

Allowing selinux_get_fs_mount() against $1_su_t is enough for su to succeed
again.

This is probably specific to Gentoo so using an ifdef(`distro_gentoo',`...')
block.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/su.if | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 03ec5ca..db7940c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -91,6 +91,10 @@ template(`su_restricted_domain_template', `
miscfiles_read_localization($1_su_t)
+ ifdef(`distro_gentoo',`
+ selinux_get_fs_mount($1_su_t)
+ ')
+
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd($1_su_t)
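Review bot: the `distro_gentoo` guard does not match what the denial shows, so the conditional is the problem with this hunk. The AVC in the commit message is a getattr on the selinuxfs root (dev="selinuxfs", tclass=filesystem, target type security_t) performed by su itself, and nothing in that access is tied to a Gentoo packaging choice, so policies built without `distro_gentoo` will keep hitting the same dontaudited denial and the same su failure. Unless a Gentoo-only origin is confirmed, call the interface unconditionally, and prefer the interface that already bundles the accesses of a libselinux-linked domain (`seutil_libselinux_linked($1_su_t)`, as the reply in this thread suggests) over a bare `selinux_get_fs_mount($1_su_t)`.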
@@ -233,6 +237,10 @@ template(`su_role_template',`
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
+ ifdef(`distro_gentoo',`
+ selinux_get_fs_mount($1_su_t)
+ ')
+
ifdef(`distro_redhat',`
# RHEL5 and possibly newer releases incl. Fedora
auth_domtrans_upd_passwd($1_su_t)
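Review bot: this hunk repeats, ifdef included, the exact block the previous hunk added to su_restricted_domain_template, so the same rule now has to be maintained in two places inside su.if. If both templates need the access, replace the two copies with one shared interface call; and if the access really originates in the PAM stack (pam_unix.so, as the reply in this thread suspects), the right home is an authlogin interface along the lines of the suggested auth_use_pam_unix(), called from both templates, so that accesses caused by the PAM configuration stop being scattered across every domain that uses PAM.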
--
1.8.1.5
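As an added example (not code from the patch or from the refpolicy project), here is a small Python parser for AVC records like the one in the commit message: it reduces each denial to the (source type, target type, class) triple plus permission set that a policy writer maps onto an interface, and flags the "getattr on selinuxfs" pattern reported above. The sample records are constructed; the first is the commit-message denial with its mail line-wrapping undone.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records: the first is the denial from the commit message
# with its mail line-wrapping undone; the other two are made up for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1376567915.011:8005): avc:  denied  { getattr } for  pid=10640 comm="su" name="/" dev="selinuxfs" ino=1 scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=filesystem
type=AVC msg=audit(1376567915.011:8006): avc:  granted  { read } for  pid=10640 comm="su" name="/" dev="selinuxfs" ino=1 scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t tclass=filesystem
type=SYSCALL msg=audit(1376567915.011:8005): arch=c000003e syscall=137 success=no exit=-13
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +"
                    r"(?P<verdict>denied|granted) +\{ *(?P<perms>[^}]*)\} +for +(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class Avc:
    serial: int
    verdict: str
    perms: tuple
    fields: dict

    def type_of(self, key):
        """Type component of a user:role:type[:range] context (rules are written on types)."""
        return self.fields[key].split(":")[2]

def parse_avc(line):
    """Return an Avc for a type=AVC record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(int(m.group("serial")), m.group("verdict"),
               tuple(m.group("perms").split()), fields)

def summarize_denials(text):
    """Group denials by (source type, target type, class) -> permission set,
    the unit a policy writer maps onto a refpolicy interface."""
    out = {}
    for avc in map(parse_avc, text.splitlines()):
        if avc is not None and avc.verdict == "denied":
            key = (avc.type_of("scontext"), avc.type_of("tcontext"), avc.fields["tclass"])
            out.setdefault(key, set()).update(avc.perms)
    return out

def selinuxfs_probes(text):
    """Serials of denials that are just a getattr on the selinuxfs root, the pattern in this thread."""
    return [a.serial for a in map(parse_avc, text.splitlines())
            if a is not None and a.verdict == "denied" and a.fields.get("dev") == "selinuxfs"
            and a.fields["tclass"] == "filesystem" and set(a.perms) == {"getattr"}]
```

For the commit-message record, summarize_denials yields (staff_su_t, security_t, filesystem) -> {getattr}, which is the access selinux_get_fs_mount() grants.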
On 08/15/2013 08:19 AM, Sven Vermeulen wrote:
> While trying to authenticate using "su", the authentication fails with the
> following error:
>
> ~$ su -
> su: Authentication service cannot retrieve authentication info
>
> In the audit log, we notice the following denial (after disabling dontaudits):
>
> type=AVC msg=audit(1376567915.011:8005): avc: denied { getattr } for
> pid=10640 comm="su" name="/" dev="selinuxfs" ino=1
> scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t
> tclass=filesystem
>
> Allowing selinux_get_fs_mount() against $1_su_t is enough for su to succeed
> again.
>
> This is probably specific to Gentoo so using an ifdef(`distro_gentoo',`...')
> block.
My suspicion is that this is from pam_unix.so, so is probably not specific to Gentoo. If so, we should probably use seutil_libselinux_linked(). This also made me think that we should consider making an authlogin interface, something like auth_use_pam_unix() so we can gather all these accesses that are due to the pam config, rather than having them scattered among the domains that use PAM.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/su.if | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index 03ec5ca..db7940c 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -91,6 +91,10 @@ template(`su_restricted_domain_template', `
>
> miscfiles_read_localization($1_su_t)
>
> + ifdef(`distro_gentoo',`
> + selinux_get_fs_mount($1_su_t)
> + ')
> +
> ifdef(`distro_redhat',`
> # RHEL5 and possibly newer releases incl. Fedora
> auth_domtrans_upd_passwd($1_su_t)
> @@ -233,6 +237,10 @@ template(`su_role_template',`
> userdom_use_user_terminals($1_su_t)
> userdom_search_user_home_dirs($1_su_t)
>
> + ifdef(`distro_gentoo',`
> + selinux_get_fs_mount($1_su_t)
> + ')
> +
> ifdef(`distro_redhat',`
> # RHEL5 and possibly newer releases incl. Fedora
> auth_domtrans_upd_passwd($1_su_t)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com