Mailing List Archive: Gentoo: Hardened

Problems with su on 20120215 policy and latest policycoreutils

 

 


krissn at op

Mar 10, 2012, 10:07 AM

Post #1 of 3 (379 views)
Problems with su on 20120215 policy and latest policycoreutils

Hi,

Recently I've upgraded the policy to the latest testing version. I've also had to upgrade policycoreutils (+deps) to the versions from the overlay, since they're required by the policies. Everything seems to be working fine for now, but I noticed a problem with su. Every time I try to use it an error is displayed:

su: Authentication service cannot retrieve authentication info

This message is displayed regardless of the user executing su (even for root/sysadm_r).

I did some initial digging and it seems that when su is used, the unix_chkpwd helper is never executed. The helper itself works, because I can see some avc messages from it when logging over ssh. I tried to enable some debugging on pam but with no results.

Has anyone encountered these problems?

Best regards
Chris


swift at gentoo

Mar 10, 2012, 11:42 AM

Post #2 of 3 (360 views)
Re: Problems with su on 20120215 policy and latest policycoreutils

On Sat, Mar 10, 2012 at 07:07:54PM +0100, Krzysztof Nowicki wrote:
> Recently I've upgraded the policy to the latest testing version. I've also had to upgrade policycoreutils (+deps) to the versions from the overlay, since they're required by the policies. Everything seems to be working fine for now, but I noticed a problem with su. Every time I try to use it an error is displayed:
>
> su: Authentication service cannot retrieve authentication info
>
> This message is displayed regardless of the user executing su (even for root/sysadm_r).
[...]

Hi Krzysztof,

This should be tackled with selinux-base-policy-2.20120215-r3 (and
selinux-base-2.20120215-r3) and later. Can you check if that is indeed met?

Iirc, the su domains needed getattr rights on the security_t domain:

~# sesearch -s staff_su_t -t security_t -c filesystem -p getattr -A;
Found 1 semantic av rules:
allow staff_su_t security_t : filesystem getattr ;

Wkr,
Sven Vermeulen
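
Added example (not part of Sven's post or of the Gentoo policy packages): a shell check that repeats the sesearch query above for each su domain and lists the ones that have no getattr rule on the security_t filesystem. The domain name `sysadm_su_t`, the `SESEARCH` override and the `sample_sesearch` stand-in are assumptions made here, and the stand-in's output is constructed.

```shell
# SESEARCH may name a stand-in so the logic can run without a loaded policy.
SESEARCH=${SESEARCH:-sesearch}

# Constructed stand-in for sesearch: knows one rule and honours only -s.
sample_sesearch() {
    src=""
    while [ $# -gt 0 ]; do
        case $1 in -s) src=$2; shift ;; esac
        shift
    done
    if [ "$src" = staff_su_t ]; then
        echo "Found 1 semantic av rules:"
        echo "   allow staff_su_t security_t : filesystem getattr ;"
    fi
}

# has_selinuxfs_getattr DOMAIN
# Runs the query from the post for one source domain and succeeds only if
# at least one matching allow rule comes back. The source field is not
# pinned to DOMAIN because the rule may be granted through an attribute.
has_selinuxfs_getattr() {
    "$SESEARCH" -s "$1" -t security_t -c filesystem -p getattr -A 2>/dev/null |
        grep -Eq '^[[:space:]]*allow[[:space:]].*[[:space:]]security_t[[:space:]]*:[[:space:]]*filesystem[[:space:]]'
}

# check_su_domains DOMAIN...
# Prints every DOMAIN that lacks the rule; returns 1 if any is missing.
check_su_domains() {
    rc=0
    for dom in "$@"; do
        has_selinuxfs_getattr "$dom" || { echo "$dom"; rc=1; }
    done
    return $rc
}

# On a live system (domain list is an assumption, adjust to your roles):
#   check_su_domains staff_su_t sysadm_su_t
```
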


krissn at op

Mar 11, 2012, 11:59 AM

Post #3 of 3 (350 views)
RE: Re: Problems with su on 20120215 policy and latest policycoreutils

On 2012-03-10 20:42:07, Sven Vermeulen <swift [at] gentoo> wrote:
> On Sat, Mar 10, 2012 at 07:07:54PM +0100, Krzysztof Nowicki wrote:
> > Recently I've upgraded the policy to the latest testing version. I've also had to upgrade policycoreutils (+deps) to the versions from the overlay, since they're required by the policies. Everything seems to be working fine for now, but I noticed a problem with su. Every time I try to use it an error is displayed:
> >
> > su: Authentication service cannot retrieve authentication info
> >
> > This message is displayed regardless of the user executing su (even for root/sysadm_r).
> [...]
>
> Hi Krzysztof,
>
> This should be tackled with selinux-base-policy-2.20120215-r3 (and
> selinux-base-2.20120215-r3) and later. Can you check if that is indeed met?
>
> Iirc, the su domains needed getattr rights on the security_t domain:
>
> ~# sesearch -s staff_su_t -t security_t -c filesystem -p getattr -A;
> Found 1 semantic av rules:
> allow staff_su_t security_t : filesystem getattr ;
>
> Wkr,
> Sven Vermeulen
>
>

Hi Sven,

Thanks, that helped a lot. I had -r1 previously and since I forgot to update the overlay I didn't see the latest revisions.

Best regards
Chris
